| Age | Commit message (Collapse) | Author |
|---|
|
rsa-sha2-{256|512}-cert-v01@openssh.com cert algorithms; ok markus@
OpenBSD-Commit-ID: afc6f7ca216ccd821656d1c911d2a3deed685033
|
|
square brackets in case statements may be eaten by autoconf.
Report and fix from Filipp Gunbin; tweaked by naddy@
|
|
PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were
specified, then authentication would always fail for RSA keys as the monitor
checks only the base key (not the signature algorithm) type against
*AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b
|
|
bz#2922, patch from Christian.Lupien at USherbrooke.ca, sanity check
by vinschen at redhat.com.
|
|
Prevents unnecessary redefinition. Patch from mforney at mforney.org.
|
|
Patch from rosenp at gmail.com via openssh-unix-dev.
|
|
bz#2921, patch from cotequeiroz
|
|
Previous versions have a bug with EVP_CipherInit() when passed a
NULL EVP_CIPHER, per https://github.com/openssl/openssl/pull/4613
ok dtucker@
|
|
Missing last argument to OPENSSL_init_crypto()
|
|
Current impementions of the gcc spectre mitigation flags cause
miscompilations when combined with other flags and do not provide much
protection. Found by fweimer at redhat.com, ok djm@
|
|
OpenSSL 1.1.x soft-deprecated OPENSSL_config in favour of
OPENSSL_init_crypto; pointed out by Jakub Jelen
|
|
Don't let systems with broken printf(3) avoid our replacements
via asprintf(3)/vasprintf(3) calling libc internally. From djm@
|
|
If the platforms snprintf and friends don't understand %zu, use the
compat replacement. Prevents segfaults on those platforms.
|
|
|
|
|
|
older OpenSSH that can't handle them. spotted by Adam Eijdenberg; ok dtucker
OpenBSD-Commit-ID: 662bbc402e3d7c9b6c322806269698106a6ae631
|
|
|
|
From Adam Eijdenberg
|
|
Spotted by Adam Eijdenberg
|
|
certificates; spotted by Adam Eijdenberg; ok dtucker@
OpenBSD-Commit-ID: bfcdeb6f4fc9e7607f5096574c8f118f2e709e00
|
|
Again, for systems with broken NIS implementations.
Prompted by coolbugcheckers AT gmail.com
|
|
probably unreachable on this platform; pointed out by
coolbugcheckers AT gmail.com
|
|
OpenBSD-Commit-ID: 42d526a9fe01a40dd299ac58014d3349adf40e25
|
|
OpenSSL 1.1.0i has changed the behaviour of their PEM APIs,
so that empty passphrases are interpreted differently. This
probabalistically breaks loading some keys, because the PEM format
is terrible and doesn't include a proper MAC.
Avoid this by providing a basic callback to avoid passing empty
passphrases to OpenSSL in cases where one is required.
Based on patch from Jakub Jelen in bz#2913; ok dtucker@
|
|
Apparently some NIS implementations can leave pw->pw_passwd (or the
shadow equivalent) NULL.
bz#2909; based on patch from Todd Eigenschink
|
|
is specified as "incorrect passphrase" instead of trying to choose between
that and "invalid format".
libcrypto can return ASN1 parsing errors rather than the expected
decrypt error in certain infrequent cases when trying to decrypt/parse
PEM private keys when supplied with an invalid passphrase.
Report and repro recipe from Thomas Deutschmann in bz#2901
ok markus@
OpenBSD-Commit-ID: b1d4cd92395f9743f81c0d23aab2524109580870
|
|
* Try to resolve a port specification with getservbyname(3) if a
numeric conversion fails.
* Make the "Port" option in ssh_config handle its argument as a
port rather than a plain integer.
ok dtucker@ deraadt@
OpenBSD-Commit-ID: e7f03633133205ab3dfbc67f9df7475fabae660d
|
|
close the local extended read fd (stderr) along with the regular read fd
(stdout). Avoids weird stuck processed in multiplexing mode.
Report and analysis by Nelson Elhage and Geoffrey Thomas in bz#2863
ok dtucker@ markus@
OpenBSD-Commit-ID: a48a2467fe938de4de69d2e7193d5fa701f12ae9
|
|
channel_open_message() so we can use it in other debug messages
OpenBSD-Commit-ID: 9c3903ca28fcabad57f566c9d0045b41ab7d52ba
|
|
disposition of channel's extended (stderr) fd; makes debugging some things a
bit easier. No behaviour change.
OpenBSD-Commit-ID: 483eb6467dc7d5dbca8eb109c453e7a43075f7ce
|
|
report from coolbugcheckers AT gmail.com
OpenBSD-Commit-ID: a90f146c5b5f5b1408700395e394f70b440856cb
|
|
environment variable names as well as explicit paths. ok dtucker@
OpenBSD-Commit-ID: 2f0996e103876c53d8c9dd51dcce9889d700767b
|
|
OpenBSD-Commit-ID: 132471eeb0df658210afd27852fe65131b26e900
|
|
|
|
channel/ session protocol. Signalling is only supported to sesssions that are
not subsystems and were not started with a forced command.
Long requested in bz#1424
Based on a patch from markus@ and reworked by dtucker@;
ok markus@ dtucker@
OpenBSD-Commit-ID: 4bea826f575862eaac569c4bedd1056a268be1c3
|
|
the mentioned tasks are obsolete and, of the remainder, most are already
captured in PROTOCOL.mux where they better belong
OpenBSD-Commit-ID: 16d9d76dee42a5bb651c9d6740f7f0ef68aeb407
|
|
Also add a little bit of information about the overall packet format
OpenBSD-Commit-ID: bdb6f6ea8580ef96792e270cae7857786ad84a95
|
|
function names,
Gives better symmetry with the existing mux_client_*() names and makes
it more obvious when a message comes from the master vs client (they
are interleved in ControlMaster=auto mode).
no functional change beyond prefixing a could of log messages with
__func__ where they were previously lacking.
OpenBSD-Commit-ID: b01f7c3fdf92692e1713a822a89dc499333daf75
|
|
|
|
|
|
timeout and allow X11 connections in untrusted mode indefinitely. ok dtucker@
OpenBSD-Commit-ID: ea1ceed3f540b48e5803f933e59a03b20db10c69
|
|
OIDs by calling ssh_gssapi_prepare_supported_oids() regardless of whether
GSSAPI authentication is enabled in the main config.
This avoids sandbox violations for configurations that enable GSSAPI
auth later, e.g.
Match user djm
GSSAPIAuthentication yes
bz#2107; ok dtucker@
OpenBSD-Commit-ID: a5dd42d87c74e27cfb712b15b0f97ab20e0afd1d
|
|
being too short (i.e. SSH_ERR_KEY_LENGTH). These keys will not be considered
to be "in the file". This allows key revocation lists to contain short keys
without the entire revocation list being considered invalid.
bz#2897; ok dtucker
OpenBSD-Commit-ID: d9f3d857d07194a42ad7e62889a74dc3f9d9924b
|
|
with a ProxyCommand set with regards to hostname canonicalisation (i.e. don't
try to canonicalise the hostname unless CanonicalizeHostname is set to
'always').
Patch from Sven Wegener via bz#2896
OpenBSD-Commit-ID: 527ff501cf98bf65fb4b29ed0cb847dda10f4d37
|
|
option
OpenBSD-Commit-ID: 93fa7ff58314ed7b1ab7744090a6a91232e6ae52
|
|
OpenBSD-Commit-ID: 04431e8e7872f49a2129bf080a6b73c19d576d40
|
|
various -o lists; ok djm
OpenBSD-Commit-ID: ecb88baecc3c54988b4d1654446ea033da359288
|
|
(it was erroneously showing certificate algorithms); prompted by markus@
OpenBSD-Commit-ID: 1cdee002f2f0c21456979deeb887fc889afb154d
|
|
it to specify which signature algorithms may be used by CAs when signing
certificates. Useful if you want to ban RSA/SHA1; ok markus@
OpenBSD-Commit-ID: 9159e5e9f67504829bf53ff222057307a6e3230f
|
|
control over which signature algorithms a CA may use when signing
certificates. In particular, this allows a sshd to ban certificates signed
with RSA/SHA1.
ok markus@
OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac
|
