Age | Commit message (Collapse) | Author |
|
Apple's versions of clang have version numbers that do not match the
corresponding upstream clang versions. Unfortunately, they do still
have the clang-15 zero-call-used-regs=all bug, so for now use the value
that doesn't result in segfaults. We could allowlist future versions
that are known to work. bz#3584 (and probably also our github CI
failures).
|
|
bz#3608, ok djm@
|
|
bz#3604.
|
|
multiplexed sessions to ignore SIGINT under some circumstances. Reported by /
feedback naddy@, ok dtucker@
OpenBSD-Commit-ID: 4d5c6c894664f50149153fd4764f21f43e7d7e5a
|
|
|
|
|
|
|
|
|
|
OpenBSD-Commit-ID: 71fc1e01a4c4ea061b252bd399cda7be757e6e35
|
|
|
|
connections. If the multiplex socket exists but the connection times out,
ssh will fall back to a direct connection the same way it would if the socket
did not exist at all. ok djm@
OpenBSD-Commit-ID: 2fbe1a36d4a24b98531b2d298a6557c8285dc1b4
|
|
When sshd is built with an OpenSSL that does not self-seed, it would
fail in the preauth privsep process while handling a new connection.
Sanity checked by djm@
|
|
commented- out config option match. From Ed Maste
OpenBSD-Commit-ID: e66e934c45a9077cb1d51fc4f8d3df4505db58d9
|
|
github PR#422 from eyalasulin999, ok djm@
OpenBSD-Commit-ID: 2b6b0dde4407e039f58f86c8d2ff584a8205ea55
|
|
so, as we do for %D, escape it;
OpenBSD-Commit-ID: 538cfcddbbb59dc3a8739604319491dcb8e0c0c9
|
|
Fixes failure on cygwin spotted by Darren
OpenBSD-Regress-ID: ff678a8cc69160a3b862733d935ec4a383f93cfb
|
|
a specific point. e.g. "make LTESTS_FROM=t-sftp" will only run the sftp.sh
test and subsequent ones. ok dtucker@
OpenBSD-Regress-ID: 07f653de731def074b29293db946042706fcead3
|
|
OpenBSD-Regress-ID: a6150262f39065939f025e546af2a346ffe674c1
|
|
OpenBSD-Regress-ID: 55e4186604e80259496d841e690ea2090981bc7a
|
|
PKCS#11 modules; based on GHPR406 by Jakub Jelen; ok markus
OpenBSD-Commit-ID: 7ed1082f23a13b38c373008f856fd301d50012f9
|
|
AuthorizedKeysCommand accept the %D (routing domain) and a new %C (connection
address/port 4-tuple) as expansion sequences; ok markus
OpenBSD-Commit-ID: ee9a48bf1a74c4ace71b69de69cfdaa2a7388565
|
|
private keys from 16 to 24; { feedback ok } x { deraadt markus }
OpenBSD-Commit-ID: a3afb1383f8ff0a49613d449f02395d9e8d4a9ec
|
|
Previously sk-dummy.so used libc's (or compat's) SHA256 since it may be
built without OpenSSL. In many cases, however, including both libc's
and OpenSSL's headers together caused conflicting definitions.
We tried working around this (on OpenSSL <1.1 you could define
OPENSSL_NO_SHA, NetBSD had USE_LIBC_SHA2, various #define hacks) with
varying levels of success. Since OpenSSL >=1.1 removed OPENSSL_NO_SHA
and including most OpenSSL headers would bring sha.h in, even if it
wasn't used directly this was a constant hassle.
Admit defeat and use OpenSSL's SHA256 unless we aren't using OpenSSL at
all. ok djm@
|
|
|
|
multiplexed cases (inc. ControlPersist). bz3589 bz3589 Based on patches by
Peter Chubb; ok dtucker@
OpenBSD-Commit-ID: a7a2976a54b93e6767dc846b85647e6ec26969ac
|
|
OpenBSD-Commit-ID: e6ddfef94b0eb867ad88abe07cedc8ed581c07f0
|
|
OpenBSD-Commit-ID: bc965460a89edf76865b7279b45cf9cbdebd558a
|
|
ok djm@
|
|
|
|
|
|
Make ssh-pkcs11-client start an independent helper for each provider,
providing better isolation between modules and reliability if a single
module misbehaves.
This also implements reference counting of PKCS#11-hosted keys,
allowing ssh-pkcs11-helper subprocesses to be automatically reaped
when no remaining keys reference them. This fixes some bugs we have
that make PKCS11 keys unusable after they have been deleted, e.g.
https://bugzilla.mindrot.org/show_bug.cgi?id=3125
ok markus@
OpenBSD-Commit-ID: 0ce188b14fe271ab0568f4500070d96c5657244e
|
|
This checks via nlist(3) that candidate provider libraries contain one
of the symbols that we will require prior to dlopen(), which can cause
a number of side effects, including execution of constructors.
Feedback deraadt; ok markus
OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe
|
|
libraries to ssh-agent by default.
The old behaviour of allowing remote clients from loading providers
can be restored using `ssh-agent -O allow-remote-pkcs11`.
Detection of local/remote clients requires a ssh(1) that supports
the `session-bind@openssh.com` extension. Forwarding access to a
ssh-agent socket using non-OpenSSH tools may circumvent this control.
ok markus@
OpenBSD-Commit-ID: 4c2bdf79b214ae7e60cc8c39a45501344fa7bd7c
|
|
that isn't a PKCS#11 provider; from / ok markus@
OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c
|
|
|
|
fixes build on AIX5 at least
|
|
Fixes build breakage on platforms that lack getifaddrs()
|
|
OpenBSD-Commit-ID: 9a08ed8dae27d3f38cf280f1b28d4e0ff41a737a
|
|
with that in ssh.1 - reformat usage() to match what "man ssh" does on 80width
OpenBSD-Commit-ID: 5235dd7aa42e5bf90ae54579d519f92fc107036e
|
|
OpenBSD-Commit-ID: 535f5257c779e26c6a662a038d241b017f8cab7c
|
|
OpenBSD-Commit-ID: 4776ced33b780f1db0b2902faec99312f26a726b
|
|
too no code change
OpenBSD-Commit-ID: ef5bf46b57726e4260a63b032b0b5ac3b4fe9cd4
|
|
where it caused merge conflict in -portable for each commit :(
OpenBSD-Commit-ID: 756ebac963df3245258b962e88150ebab9d5fc20
|
|
valid magic number and not SSH_ERR_MESSAGE_INCOMPLETE; the former is needed
to fall back to text revocation lists in some cases; fixes t-cert-hostkey.
OpenBSD-Commit-ID: 5c670a6c0f027e99b7774ef29f18ba088549c7e1
|
|
|
|
This adds a ssh_config(5) "Tag" directive and corresponding
"Match tag" predicate that may be used to select blocks of
configuration similar to the pf.conf(5) keywords of the same
name.
ok markus
OpenBSD-Commit-ID: dc08358e70e702b59ac3e591827e5a96141b06a3
|
|
This allows matching on the addresses of available network interfaces
and may be used to vary the effective client configuration based on
network location (e.g. to use a ProxyJump when not on a particular
network).
ok markus@
OpenBSD-Commit-ID: cffb6ff9a3803abfc52b5cad0aa190c5e424c139
|
|
When the KRL format was originally defined, it included support for
signing of KRL objects. However, the code to sign KRLs and verify KRL
signatues was never completed in OpenSSH.
Now, some years later, we have SSHSIG support in ssh-keygen that is
more general, well tested and actually works. So this removes the
semi-finished KRL signing/verification support from OpenSSH and
refactors the remaining code to realise the benefit - primarily, we
no longer need to perform multiple parsing passes over KRL objects.
ok markus@
OpenBSD-Commit-ID: 517437bab3d8180f695c775410c052340e038804
|
|
This defines wire formats for optional KRL extensions and implements
parsing of the new submessages. No actual extensions are supported at
this point.
ok markus
OpenBSD-Commit-ID: ae2fcde9a22a9ba7f765bd4f36b3f5901d8c3fa7
|
|
OpenBSD-Commit-ID: e7c31034a5434f2ead3579b13a7892960651e6b0
|