Age | Commit message | Author
2023-09-10 | Use zero-call-used-regs=used with Apple compilers. (tag: V_9_4) | Darren Tucker
    Apple's versions of clang have version numbers that do not match the corresponding upstream clang versions. Unfortunately, they do still have the clang-15 zero-call-used-regs=all bug, so for now use the value that doesn't result in segfaults. We could allowlist future versions that are known to work. bz#3584 (and probably also our github CI failures).
2023-08-25 | Include Portable version in sshd version string. | Darren Tucker
    bz#3608, ok djm@
2023-08-19 | Fix zlib version check for 1.3 and future version. | Darren Tucker
    bz#3604.
2023-08-19 | upstream: fix regression in OpenSSH 9.4 (mux.c r1.99) that caused | djm@openbsd.org
    multiplexed sessions to ignore SIGINT under some circumstances. Reported by / feedback naddy@, ok dtucker@
    OpenBSD-Commit-ID: 4d5c6c894664f50149153fd4764f21f43e7d7e5a
2023-08-13 | Add obsd72 and obsd73 test targets. | Darren Tucker
2023-08-10 | depend (tag: V_9_4_P1) | Damien Miller
2023-08-10 | update versions in RPM specs | Damien Miller
2023-08-10 | update version in README | Damien Miller
2023-08-10 | upstream: openssh-9.4 | djm@openbsd.org
    OpenBSD-Commit-ID: 71fc1e01a4c4ea061b252bd399cda7be757e6e35
2023-08-10 | wrap poll.h include in HAVE_POLL_H | Damien Miller
2023-08-04 | upstream: Apply ConnectTimeout to multiplexing local socket | dtucker@openbsd.org
    connections. If the multiplex socket exists but the connection times out, ssh will fall back to a direct connection the same way it would if the socket did not exist at all. ok djm@
    OpenBSD-Commit-ID: 2fbe1a36d4a24b98531b2d298a6557c8285dc1b4
2023-08-03 | Fix RNG seeding for OpenSSL w/out self seeding. | Darren Tucker
    When sshd is built with an OpenSSL that does not self-seed, it would fail in the preauth privsep process while handling a new connection. Sanity checked by djm@
2023-08-03 | upstream: CheckHostIP has defaulted to 'no' for a while; make the | djm@openbsd.org
    commented-out config option match. From Ed Maste
    OpenBSD-Commit-ID: e66e934c45a9077cb1d51fc4f8d3df4505db58d9
2023-08-01 | upstream: remove unnecessary if statement. | dtucker@openbsd.org
    github PR#422 from eyalasulin999, ok djm@
    OpenBSD-Commit-ID: 2b6b0dde4407e039f58f86c8d2ff584a8205ea55
2023-08-01 | upstream: %C is a callable macro in mdoc(7) | jmc@openbsd.org
    so, as we do for %D, escape it;
    OpenBSD-Commit-ID: 538cfcddbbb59dc3a8739604319491dcb8e0c0c9
2023-07-30 | upstream: don't need to start a command here; use ssh -N instead. | djm@openbsd.org
    Fixes failure on cygwin spotted by Darren
    OpenBSD-Regress-ID: ff678a8cc69160a3b862733d935ec4a383f93cfb
2023-07-30 | upstream: add LTESTS_FROM variable to allow skipping of tests up to | djm@openbsd.org
    a specific point. e.g. "make LTESTS_FROM=t-sftp" will only run the sftp.sh test and subsequent ones. ok dtucker@
    OpenBSD-Regress-ID: 07f653de731def074b29293db946042706fcead3
2023-07-30 | upstream: test ChrootDirectory in Match block | djm@openbsd.org
    OpenBSD-Regress-ID: a6150262f39065939f025e546af2a346ffe674c1
2023-07-30 | upstream: better error messages | djm@openbsd.org
    OpenBSD-Regress-ID: 55e4186604e80259496d841e690ea2090981bc7a
2023-07-28 | upstream: don't incorrectly truncate logged strings retrieved from | djm@openbsd.org
    PKCS#11 modules; based on GHPR406 by Jakub Jelen; ok markus
    OpenBSD-Commit-ID: 7ed1082f23a13b38c373008f856fd301d50012f9
2023-07-28 | upstream: make sshd_config AuthorizedPrincipalsCommand and | djm@openbsd.org
    AuthorizedKeysCommand accept the %D (routing domain) and a new %C (connection address/port 4-tuple) as expansion sequences; ok markus
    OpenBSD-Commit-ID: ee9a48bf1a74c4ace71b69de69cfdaa2a7388565
2023-07-28 | upstream: increase default KDF work-factor for OpenSSH format | djm@openbsd.org
    private keys from 16 to 24; { feedback ok } x { deraadt markus }
    OpenBSD-Commit-ID: a3afb1383f8ff0a49613d449f02395d9e8d4a9ec
2023-07-27 | Prefer OpenSSL's SHA256 in sk-dummy.so | Darren Tucker
    Previously sk-dummy.so used libc's (or compat's) SHA256 since it may be built without OpenSSL. In many cases, however, including both libc's and OpenSSL's headers together caused conflicting definitions. We tried working around this (on OpenSSL <1.1 you could define OPENSSL_NO_SHA, NetBSD had USE_LIBC_SHA2, various #define hacks) with varying levels of success. Since OpenSSL >=1.1 removed OPENSSL_NO_SHA and including most OpenSSL headers would bring sha.h in, even if it wasn't used directly this was a constant hassle. Admit defeat and use OpenSSL's SHA256 unless we aren't using OpenSSL at all. ok djm@
2023-07-27 | Retire dfly58 test VM. Add dfly64. | Darren Tucker
2023-07-27 | upstream: make ssh -f (fork after authentication) work properly in | djm@openbsd.org
    multiplexed cases (inc. ControlPersist). bz3589 Based on patches by Peter Chubb; ok dtucker@
    OpenBSD-Commit-ID: a7a2976a54b93e6767dc846b85647e6ec26969ac
2023-07-27 | upstream: man page typos; ok jmc@ | naddy@openbsd.org
    OpenBSD-Commit-ID: e6ddfef94b0eb867ad88abe07cedc8ed581c07f0
2023-07-27 | upstream: tweak the allow-remote-pkcs11 text; | jmc@openbsd.org
    OpenBSD-Commit-ID: bc965460a89edf76865b7279b45cf9cbdebd558a
2023-07-25 | Handle a couple more OpenSSL no-ecc cases. | Darren Tucker
    ok djm@
2023-07-20 | depend | Damien Miller
2023-07-20 | Bring back OPENSSL_HAS_ECC to ssh-pkcs11-client | Damien Miller
2023-07-20 | upstream: Separate ssh-pkcs11-helpers for each p11 module | djm@openbsd.org
    Make ssh-pkcs11-client start an independent helper for each provider, providing better isolation between modules and reliability if a single module misbehaves. This also implements reference counting of PKCS#11-hosted keys, allowing ssh-pkcs11-helper subprocesses to be automatically reaped when no remaining keys reference them. This fixes some bugs we have that make PKCS11 keys unusable after they have been deleted, e.g. https://bugzilla.mindrot.org/show_bug.cgi?id=3125 ok markus@
    OpenBSD-Commit-ID: 0ce188b14fe271ab0568f4500070d96c5657244e
2023-07-20 | upstream: Ensure FIDO/PKCS11 libraries contain expected symbols | djm@openbsd.org
    This checks via nlist(3) that candidate provider libraries contain one of the symbols that we will require prior to dlopen(), which can cause a number of side effects, including execution of constructors. Feedback deraadt; ok markus
    OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe
2023-07-20 | upstream: Disallow remote addition of FIDO/PKCS11 provider | djm@openbsd.org
    libraries to ssh-agent by default. The old behaviour of allowing remote clients to load providers can be restored using `ssh-agent -O allow-remote-pkcs11`. Detection of local/remote clients requires a ssh(1) that supports the `session-bind@openssh.com` extension. Forwarding access to a ssh-agent socket using non-OpenSSH tools may circumvent this control. ok markus@
    OpenBSD-Commit-ID: 4c2bdf79b214ae7e60cc8c39a45501344fa7bd7c
2023-07-20 | upstream: terminate process if requested to load a PKCS#11 provider | djm@openbsd.org
    that isn't a PKCS#11 provider; from / ok markus@
    OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c
2023-07-19 | agent_fuzz doesn't want stdint.h conditionalised | Damien Miller
2023-07-18 | conditionalise stdint.h inclusion on HAVE_STDINT_H | Damien Miller
    fixes build on AIX5 at least
2023-07-18 | conditionalise match localnetwork on ifaddrs.h | Damien Miller
    Fixes build breakage on platforms that lack getifaddrs()
2023-07-17 | upstream: missing match localnetwork negation check | djm@openbsd.org
    OpenBSD-Commit-ID: 9a08ed8dae27d3f38cf280f1b28d4e0ff41a737a
2023-07-17 | upstream: - add -P to usage() - sync the arg name to -J in usage() | jmc@openbsd.org
    with that in ssh.1
    - reformat usage() to match what "man ssh" does on 80width
    OpenBSD-Commit-ID: 5235dd7aa42e5bf90ae54579d519f92fc107036e
2023-07-17 | upstream: -P before -p in SYNOPSIS; | jmc@openbsd.org
    OpenBSD-Commit-ID: 535f5257c779e26c6a662a038d241b017f8cab7c
2023-07-17 | upstream: configuation -> configuration | jsg@openbsd.org
    OpenBSD-Commit-ID: 4776ced33b780f1db0b2902faec99312f26a726b
2023-07-17 | upstream: move other RCSIDs to before their respective license blocks | djm@openbsd.org
    too no code change
    OpenBSD-Commit-ID: ef5bf46b57726e4260a63b032b0b5ac3b4fe9cd4
2023-07-17 | upstream: Move RCSID to before license block and away from #includes, | djm@openbsd.org
    where it caused merge conflict in -portable for each commit :(
    OpenBSD-Commit-ID: 756ebac963df3245258b962e88150ebab9d5fc20
2023-07-17 | upstream: return SSH_ERR_KRL_BAD_MAGIC when a KRL doesn't contain a | djm@openbsd.org
    valid magic number and not SSH_ERR_MESSAGE_INCOMPLETE; the former is needed to fall back to text revocation lists in some cases; fixes t-cert-hostkey.
    OpenBSD-Commit-ID: 5c670a6c0f027e99b7774ef29f18ba088549c7e1
2023-07-17 | avoid AF_LINK on platforms that don't define it | Damien Miller
2023-07-17 | upstream: Add support for configuration tags to ssh(1). | djm@openbsd.org
    This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name. ok markus
    OpenBSD-Commit-ID: dc08358e70e702b59ac3e591827e5a96141b06a3
2023-07-17 | upstream: add a "match localnetwork" predicate. | djm@openbsd.org
    This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location (e.g. to use a ProxyJump when not on a particular network). ok markus@
    OpenBSD-Commit-ID: cffb6ff9a3803abfc52b5cad0aa190c5e424c139
2023-07-17 | upstream: remove vestigial support for KRL signatures | djm@openbsd.org
    When the KRL format was originally defined, it included support for signing of KRL objects. However, the code to sign KRLs and verify KRL signatures was never completed in OpenSSH. Now, some years later, we have SSHSIG support in ssh-keygen that is more general, well tested and actually works. So this removes the semi-finished KRL signing/verification support from OpenSSH and refactors the remaining code to realise the benefit - primarily, we no longer need to perform multiple parsing passes over KRL objects. ok markus@
    OpenBSD-Commit-ID: 517437bab3d8180f695c775410c052340e038804
2023-07-17 | upstream: Support for KRL extensions. | djm@openbsd.org
    This defines wire formats for optional KRL extensions and implements parsing of the new submessages. No actual extensions are supported at this point. ok markus
    OpenBSD-Commit-ID: ae2fcde9a22a9ba7f765bd4f36b3f5901d8c3fa7
2023-07-17 | upstream: Include stdint.h for SIZE_MAX. Fixes OPENSSL=no build. | dtucker@openbsd.org
    OpenBSD-Commit-ID: e7c31034a5434f2ead3579b13a7892960651e6b0