d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Vendor import of OpenSSH 7.1p1.

Browse Source
This commit is contained in:
Dag-Erling Smørgrav 2015-08-26 09:27:05 +00:00
parent d994eeedda
commit a7a7e85cd3
24 changed files with 191 additions and 185 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

249
ChangeLog
View File

@ -1,3 +1,121 @@
commit e91346dc2bbf460246df2ab591b7613908c1b0ad
Author: Damien Miller <djm@mindrot.org>
Date: Fri Aug 21 14:49:03 2015 +1000
we don't use Github for issues/pull-requests
commit a4f5b507c708cc3dc2c8dd2d02e4416d7514dc23
Author: Damien Miller <djm@mindrot.org>
Date: Fri Aug 21 14:43:55 2015 +1000
fix URL for connect.c
commit d026a8d3da0f8186598442997c7d0a28e7275414
Author: Damien Miller <djm@mindrot.org>
Date: Fri Aug 21 13:47:10 2015 +1000
update version numbers for 7.1
commit 78f8f589f0ca1c9f41e5a9bae3cda5ce8a6b42ed
Author: djm@openbsd.org <djm@openbsd.org>
Date: Fri Aug 21 03:45:26 2015 +0000
upstream commit
openssh-7.1
Upstream-ID: ff7b1ef4b06caddfb45e08ba998128c88be3d73f
commit 32a181980c62fce94f7f9ffaf6a79d90f0c309cf
Author: djm@openbsd.org <djm@openbsd.org>
Date: Fri Aug 21 03:42:19 2015 +0000
upstream commit
fix inverted logic that broke PermitRootLogin; reported
by Mantas Mikulenas; ok markus@
Upstream-ID: 260dd6a904c1bb7e43267e394b1c9cf70bdd5ea5
commit ce445b0ed927e45bd5bdce8f836eb353998dd65c
Author: deraadt@openbsd.org <deraadt@openbsd.org>
Date: Thu Aug 20 22:32:42 2015 +0000
upstream commit
Do not cast result of malloc/calloc/realloc* if stdlib.h
is in scope ok krw millert
Upstream-ID: 5e50ded78cadf3841556649a16cc4b1cb6c58667
commit 05291e5288704d1a98bacda269eb5a0153599146
Author: naddy@openbsd.org <naddy@openbsd.org>
Date: Thu Aug 20 19:20:06 2015 +0000
upstream commit
In the certificates section, be consistent about using
"host_key" and "user_key" for the respective key types. ok sthen@ deraadt@
Upstream-ID: 9e037ea3b15577b238604c5533e082a3947f13cb
commit 8543d4ef6f2e9f98c3e6b77c894ceec30c5e4ae4
Author: djm@openbsd.org <djm@openbsd.org>
Date: Wed Aug 19 23:21:42 2015 +0000
upstream commit
Better compat matching for WinSCP, add compat matching
for FuTTY (fork of PuTTY); ok markus@ deraadt@
Upstream-ID: 24001d1ac115fa3260fbdc329a4b9aeb283c5389
commit ec6eda16ebab771aa3dfc90629b41953b999cb1e
Author: djm@openbsd.org <djm@openbsd.org>
Date: Wed Aug 19 23:19:01 2015 +0000
upstream commit
fix double-free() in error path of DSA key generation
reported by Mateusz Kocielski; ok markus@
Upstream-ID: 4735d8f888b10599a935fa1b374787089116713c
commit 45b0eb752c94954a6de046bfaaf129e518ad4b5b
Author: djm@openbsd.org <djm@openbsd.org>
Date: Wed Aug 19 23:18:26 2015 +0000
upstream commit
fix free() of uninitialised pointer reported by Mateusz
Kocielski; ok markus@
Upstream-ID: 519552b050618501a06b7b023de5cb104e2c5663
commit c837643b93509a3ef538cb6624b678c5fe32ff79
Author: djm@openbsd.org <djm@openbsd.org>
Date: Wed Aug 19 23:17:51 2015 +0000
upstream commit
fixed unlink([uninitialised memory]) reported by Mateusz
Kocielski; ok markus@
Upstream-ID: 14a0c4e7d891f5a8dabc4b89d4f6b7c0d5a20109
commit 1f8d3d629cd553031021068eb9c646a5f1e50994
Author: jmc@openbsd.org <jmc@openbsd.org>
Date: Fri Aug 14 15:32:41 2015 +0000
upstream commit
match myproposal.h order; from brian conway (i snuck in a
tweak while here)
ok dtucker
Upstream-ID: 35174a19b5237ea36aa3798f042bf5933b772c67
commit 1dc8d93ce69d6565747eb44446ed117187621b26 commit 1dc8d93ce69d6565747eb44446ed117187621b26
Author: deraadt@openbsd.org <deraadt@openbsd.org> Author: deraadt@openbsd.org <deraadt@openbsd.org>
Date: Thu Aug 6 14:53:21 2015 +0000 Date: Thu Aug 6 14:53:21 2015 +0000
@ -9013,134 +9131,3 @@ Date: Wed Aug 28 12:49:43 2013 +1000
- (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the
'j' (intmax_t/uintmax_t) and 'z' (size_t/ssize_t) conversions in case we 'j' (intmax_t/uintmax_t) and 'z' (size_t/ssize_t) conversions in case we
start to use them in the future. start to use them in the future.
commit f2f6c315a920a256937e1b6a3702757f3195a592
Author: Damien Miller <djm@mindrot.org>
Date: Wed Aug 21 02:44:58 2013 +1000
- jmc@cvs.openbsd.org 2013/08/20 06:56:07
[ssh.1 ssh_config.5]
some proxyusefdpass tweaks;
commit 1262b6638f7d01ab110fd373dd90d915c882fe1a
Author: Damien Miller <djm@mindrot.org>
Date: Wed Aug 21 02:44:24 2013 +1000
- djm@cvs.openbsd.org 2013/08/20 00:11:38
[readconf.c readconf.h ssh_config.5 sshconnect.c]
Add a ssh_config ProxyUseFDPass option that supports the use of
ProxyCommands that establish a connection and then pass a connected
file descriptor back to ssh(1). This allows the ProxyCommand to exit
rather than have to shuffle data back and forth and enables ssh to use
getpeername, etc. to obtain address information just like it does with
regular directly-connected sockets. ok markus@
commit b7727df37efde4dbe4f5a33b19cbf42022aabf66
Author: Damien Miller <djm@mindrot.org>
Date: Wed Aug 21 02:43:49 2013 +1000
- jmc@cvs.openbsd.org 2013/08/14 08:39:27
[scp.1 ssh.1]
some Bx/Ox conversion;
From: Jan Stary
commit d5d9d7b1fdacf0551de4c747728bd159be40590a
Author: Damien Miller <djm@mindrot.org>
Date: Wed Aug 21 02:43:27 2013 +1000
- djm@cvs.openbsd.org 2013/08/13 18:33:08
[ssh-keygen.c]
another of the same typo
commit d234afb0b3a8de1be78cbeafed5fc86912594c3c
Author: Damien Miller <djm@mindrot.org>
Date: Wed Aug 21 02:42:58 2013 +1000
- djm@cvs.openbsd.org 2013/08/13 18:32:08
[ssh-keygen.c]
typo in error message; from Stephan Rickauer
commit e0ee727b8281a7c2ae20630ce83f6b200b404059
Author: Damien Miller <djm@mindrot.org>
Date: Wed Aug 21 02:42:35 2013 +1000
- djm@cvs.openbsd.org 2013/08/09 03:56:42
[sftp.c]
enable ctrl-left-arrow and ctrl-right-arrow to move forward/back a word;
matching ksh's relatively recent change.
commit fec029f1dc2c338f3fae3fa82aabc988dc07868c
Author: Damien Miller <djm@mindrot.org>
Date: Wed Aug 21 02:42:12 2013 +1000
- djm@cvs.openbsd.org 2013/08/09 03:39:13
[sftp-client.c]
two problems found by a to-be-committed regress test: 1) msg_id was not
being initialised so was starting at a random value from the heap
(harmless, but confusing). 2) some error conditions were not being
propagated back to the caller
commit 036d30743fc914089f9849ca52d615891d47e616
Author: Damien Miller <djm@mindrot.org>
Date: Wed Aug 21 02:41:46 2013 +1000
- djm@cvs.openbsd.org 2013/08/09 03:37:25
[sftp.c]
do getopt parsing for all sftp commands (with an empty optstring for
commands without arguments) to ensure consistent behaviour
commit c7dba12bf95eb1d69711881a153cc286c1987663
Author: Damien Miller <djm@mindrot.org>
Date: Wed Aug 21 02:41:15 2013 +1000
- djm@cvs.openbsd.org 2013/08/08 05:04:03
[sftp-client.c sftp-client.h sftp.c]
add a "-l" flag for the rename command to force it to use the silly
standard SSH_FXP_RENAME command instead of the POSIX-rename- like
posix-rename@openssh.com extension.
intended for use in regress tests, so no documentation.
commit 034f27a0c09e69fe3589045b41f03f6e345b63f5
Author: Damien Miller <djm@mindrot.org>
Date: Wed Aug 21 02:40:44 2013 +1000
- djm@cvs.openbsd.org 2013/08/08 04:52:04
[sftp.c]
fix two year old regression: symlinking a file would incorrectly
canonicalise the target path. bz#2129 report from delphij AT freebsd.org
commit c6895c5c67492144dd28589e5788f783be9152ed
Author: Damien Miller <djm@mindrot.org>
Date: Wed Aug 21 02:40:21 2013 +1000
- jmc@cvs.openbsd.org 2013/08/07 06:24:51
[sftp.1 sftp.c]
sort -a;
commit a6d6c1f38ac9b4a5e1bd4df889e1020a8370ed55
Author: Damien Miller <djm@mindrot.org>
Date: Wed Aug 21 02:40:01 2013 +1000
- djm@cvs.openbsd.org 2013/08/06 23:06:01
[servconf.c]
add cast to avoid format warning; from portable
commit eec840673bce3f69ad269672fba7ed8ff05f154f
Author: Damien Miller <djm@mindrot.org>
Date: Wed Aug 21 02:39:39 2013 +1000
- djm@cvs.openbsd.org 2013/08/06 23:05:01
[sftp.1]
document top-level -a option (the -a option to 'get' was already
documented)
commit 02e878070d0eddad4e11f2c82644b275418eb112
Author: Damien Miller <djm@mindrot.org>
Date: Wed Aug 21 02:38:51 2013 +1000
- djm@cvs.openbsd.org 2013/08/06 23:03:49
[sftp.c]
fix some whitespace at EOL
make list of commands an enum rather than a long list of defines
add -a to usage()

6
README
View File

@ -1,4 +1,8 @@
See http://www.openssh.com/txt/release-7.0 for the release notes. See http://www.openssh.com/txt/release-7.1 for the release notes.
Please read http://www.openssh.com/report.html for bug reporting
instructions and note that we do not use Github for bug reporting or
patch/pull-request management.
- A Japanese translation of this document and of the OpenSSH FAQ is - A Japanese translation of this document and of the OpenSSH FAQ is
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html - available at http://www.unixuser.org/~haruyama/security/openssh/index.html

4
auth.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth.c,v 1.112 2015/08/06 14:53:21 deraadt Exp $ */ /* $OpenBSD: auth.c,v 1.113 2015/08/21 03:42:19 djm Exp $ */
/* /*
* Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2000 Markus Friedl. All rights reserved.
* *
@ -354,7 +354,7 @@ auth_root_allowed(const char *method)
case PERMIT_NO_PASSWD: case PERMIT_NO_PASSWD:
if (strcmp(method, "publickey") == 0 || if (strcmp(method, "publickey") == 0 ||
strcmp(method, "hostbased") == 0 || strcmp(method, "hostbased") == 0 ||
strcmp(method, "gssapi-with-mic")) strcmp(method, "gssapi-with-mic") == 0)
return 1; return 1;
break; break;
case PERMIT_FORCED_ONLY: case PERMIT_FORCED_ONLY:

15
compat.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: compat.c,v 1.96 2015/07/28 23:20:42 djm Exp $ */ /* $OpenBSD: compat.c,v 1.97 2015/08/19 23:21:42 djm Exp $ */
/* /*
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
* *
@ -176,6 +176,7 @@ compat_datafellows(const char *version)
"PuTTY_Release_0.63*," "PuTTY_Release_0.63*,"
"PuTTY_Release_0.64*", "PuTTY_Release_0.64*",
SSH_OLD_DHGEX }, SSH_OLD_DHGEX },
{ "FuTTY*", SSH_OLD_DHGEX }, /* Putty Fork */
{ "Probe-*", { "Probe-*",
SSH_BUG_PROBE }, SSH_BUG_PROBE },
{ "TeraTerm SSH*," { "TeraTerm SSH*,"
@ -189,7 +190,17 @@ compat_datafellows(const char *version)
"TTSSH/2.70*," "TTSSH/2.70*,"
"TTSSH/2.71*," "TTSSH/2.71*,"
"TTSSH/2.72*", SSH_BUG_HOSTKEYS }, "TTSSH/2.72*", SSH_BUG_HOSTKEYS },
{ "WinSCP*", SSH_OLD_DHGEX }, { "WinSCP_release_4*,"
"WinSCP_release_5.0*,"
"WinSCP_release_5.1*,"
"WinSCP_release_5.5*,"
"WinSCP_release_5.6*,"
"WinSCP_release_5.7,"
"WinSCP_release_5.7.1,"
"WinSCP_release_5.7.2,"
"WinSCP_release_5.7.3,"
"WinSCP_release_5.7.4",
SSH_OLD_DHGEX },
{ NULL, 0 } { NULL, 0 }
}; };

2
contrib/README
View File

@ -11,7 +11,7 @@ which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or
https CONNECT style proxy server. His page for connect.c has extensive https CONNECT style proxy server. His page for connect.c has extensive
documentation on its use as well as compiled versions for Win32. documentation on its use as well as compiled versions for Win32.
http://www.taiyo.co.jp/~gotoh/ssh/connect.html https://bitbucket.org/gotoh/connect/wiki/Home
X11 SSH Askpass: X11 SSH Askpass:

2
contrib/redhat/openssh.spec
View File

@ -1,4 +1,4 @@
%define ver 7.0p1 %define ver 7.1p1
%define rel 1 %define rel 1
# OpenSSH privilege separation requires a user & group ID # OpenSSH privilege separation requires a user & group ID

2
contrib/suse/openssh.spec
View File

@ -13,7 +13,7 @@
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
Name: openssh Name: openssh
Version: 7.0p1 Version: 7.1p1
URL: http://www.openssh.com/ URL: http://www.openssh.com/
Release: 1 Release: 1
Source0: openssh-%{version}.tar.gz Source0: openssh-%{version}.tar.gz

4
dns.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: dns.c,v 1.34 2015/01/28 22:36:00 djm Exp $ */ /* $OpenBSD: dns.c,v 1.35 2015/08/20 22:32:42 deraadt Exp $ */
/* /*
* Copyright (c) 2003 Wesley Griffin. All rights reserved. * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@ -154,7 +154,7 @@ dns_read_rdata(u_int8_t *algorithm, u_int8_t *digest_type,
*digest_len = rdata_len - 2; *digest_len = rdata_len - 2;
if (*digest_len > 0) { if (*digest_len > 0) {
*digest = (u_char *) xmalloc(*digest_len); *digest = xmalloc(*digest_len);
memcpy(*digest, rdata + 2, *digest_len); memcpy(*digest, rdata + 2, *digest_len);
} else { } else {
*digest = (u_char *)xstrdup(""); *digest = (u_char *)xstrdup("");

6
mux.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: mux.c,v 1.53 2015/05/01 04:03:20 djm Exp $ */ /* $OpenBSD: mux.c,v 1.54 2015/08/19 23:18:26 djm Exp $ */
/* /*
* Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org> * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
* *
@ -665,6 +665,8 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
u_int lport, cport; u_int lport, cport;
int i, ret = 0, freefwd = 1; int i, ret = 0, freefwd = 1;
memset(&fwd, 0, sizeof(fwd));
/* XXX - lport/cport check redundant */ /* XXX - lport/cport check redundant */
if (buffer_get_int_ret(&ftype, m) != 0 || if (buffer_get_int_ret(&ftype, m) != 0 ||
(listen_addr = buffer_get_string_ret(m, NULL)) == NULL || (listen_addr = buffer_get_string_ret(m, NULL)) == NULL ||
@ -832,6 +834,8 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
int i, ret = 0; int i, ret = 0;
u_int lport, cport; u_int lport, cport;
memset(&fwd, 0, sizeof(fwd));
if (buffer_get_int_ret(&ftype, m) != 0 || if (buffer_get_int_ret(&ftype, m) != 0 ||
(listen_addr = buffer_get_string_ret(m, NULL)) == NULL || (listen_addr = buffer_get_string_ret(m, NULL)) == NULL ||
buffer_get_int_ret(&lport, m) != 0 || buffer_get_int_ret(&lport, m) != 0 ||

6
packet.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: packet.c,v 1.213 2015/07/29 04:43:06 djm Exp $ */ /* $OpenBSD: packet.c,v 1.214 2015/08/20 22:32:42 deraadt Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1272,7 +1272,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
DBG(debug("packet_read()")); DBG(debug("packet_read()"));
setp = (fd_set *)calloc(howmany(state->connection_in + 1, setp = calloc(howmany(state->connection_in + 1,
NFDBITS), sizeof(fd_mask)); NFDBITS), sizeof(fd_mask));
if (setp == NULL) if (setp == NULL)
return SSH_ERR_ALLOC_FAIL; return SSH_ERR_ALLOC_FAIL;
@ -2036,7 +2036,7 @@ ssh_packet_write_wait(struct ssh *ssh)
struct timeval start, timeout, *timeoutp = NULL; struct timeval start, timeout, *timeoutp = NULL;
struct session_state *state = ssh->state; struct session_state *state = ssh->state;
setp = (fd_set *)calloc(howmany(state->connection_out + 1, setp = calloc(howmany(state->connection_out + 1,
NFDBITS), sizeof(fd_mask)); NFDBITS), sizeof(fd_mask));
if (setp == NULL) if (setp == NULL)
return SSH_ERR_ALLOC_FAIL; return SSH_ERR_ALLOC_FAIL;

6
sftp-server.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sftp-server.c,v 1.106 2015/04/24 01:36:01 deraadt Exp $ */ /* $OpenBSD: sftp-server.c,v 1.107 2015/08/20 22:32:42 deraadt Exp $ */
/* /*
* Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
* *
@ -1632,8 +1632,8 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
fatal("%s: sshbuf_new failed", __func__); fatal("%s: sshbuf_new failed", __func__);
set_size = howmany(max + 1, NFDBITS) * sizeof(fd_mask); set_size = howmany(max + 1, NFDBITS) * sizeof(fd_mask);
rset = (fd_set *)xmalloc(set_size); rset = xmalloc(set_size);
wset = (fd_set *)xmalloc(set_size); wset = xmalloc(set_size);
if (homedir != NULL) { if (homedir != NULL) {
if (chdir(homedir) != 0) { if (chdir(homedir) != 0) {

6
sftp.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sftp.c,v 1.170 2015/01/20 23:14:00 deraadt Exp $ */ /* $OpenBSD: sftp.c,v 1.171 2015/08/20 22:32:42 deraadt Exp $ */
/* /*
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org> * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
* *
@ -1958,7 +1958,7 @@ complete(EditLine *el, int ch)
/* Figure out which argument the cursor points to */ /* Figure out which argument the cursor points to */
cursor = lf->cursor - lf->buffer; cursor = lf->cursor - lf->buffer;
line = (char *)xmalloc(cursor + 1); line = xmalloc(cursor + 1);
memcpy(line, lf->buffer, cursor); memcpy(line, lf->buffer, cursor);
line[cursor] = '\0'; line[cursor] = '\0';
argv = makeargv(line, &carg, 1, &quote, &terminated); argv = makeargv(line, &carg, 1, &quote, &terminated);
@ -1966,7 +1966,7 @@ complete(EditLine *el, int ch)
/* Get all the arguments on the line */ /* Get all the arguments on the line */
len = lf->lastchar - lf->buffer; len = lf->lastchar - lf->buffer;
line = (char *)xmalloc(len + 1); line = xmalloc(len + 1);
memcpy(line, lf->buffer, len); memcpy(line, lf->buffer, len);
line[len] = '\0'; line[len] = '\0';
argv = makeargv(line, &argc, 1, NULL, NULL); argv = makeargv(line, &argc, 1, NULL, NULL);

6
ssh-keygen.0
View File

@ -426,7 +426,7 @@ CERTIFICATES
providing the token library using -D and identifying the CA key by providing the token library using -D and identifying the CA key by
providing its public half as an argument to -s: providing its public half as an argument to -s:
$ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub
In all cases, key_id is a "key identifier" that is logged by the server In all cases, key_id is a "key identifier" that is logged by the server
when the certificate is used for authentication. when the certificate is used for authentication.
@ -437,7 +437,7 @@ CERTIFICATES
principals: principals:
$ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub $ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub
Additional limitations on the validity and use of user certificates may Additional limitations on the validity and use of user certificates may
be specified through certificate options. A certificate option may be specified through certificate options. A certificate option may
@ -563,4 +563,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0. versions 1.5 and 2.0.
OpenBSD 5.8 July 3, 2015 OpenBSD 5.8 OpenBSD 5.8 August 20, 2015 OpenBSD 5.8

8
ssh-keygen.1
View File

@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-keygen.1,v 1.126 2015/07/03 03:49:45 djm Exp $ .\" $OpenBSD: ssh-keygen.1,v 1.127 2015/08/20 19:20:06 naddy Exp $
.\" .\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.Dd $Mdocdate: July 3 2015 $ .Dd $Mdocdate: August 20 2015 $
.Dt SSH-KEYGEN 1 .Dt SSH-KEYGEN 1
.Os .Os
.Sh NAME .Sh NAME
@ -680,7 +680,7 @@ and identifying the CA key by providing its public half as an argument
to to
.Fl s : .Fl s :
.Pp .Pp
.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub .Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub
.Pp .Pp
In all cases, In all cases,
.Ar key_id .Ar key_id
@ -693,7 +693,7 @@ By default, generated certificates are valid for all users or hosts.
To generate a certificate for a specified set of principals: To generate a certificate for a specified set of principals:
.Pp .Pp
.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub .Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub" .Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub"
.Pp .Pp
Additional limitations on the validity and use of user certificates may Additional limitations on the validity and use of user certificates may
be specified through certificate options. be specified through certificate options.

5
ssh-keygen.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keygen.c,v 1.276 2015/07/03 03:49:45 djm Exp $ */ /* $OpenBSD: ssh-keygen.c,v 1.277 2015/08/19 23:17:51 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1201,7 +1201,8 @@ do_known_hosts(struct passwd *pw, const char *name)
exit(1); exit(1);
} else if (delete_host && !ctx.found_key) { } else if (delete_host && !ctx.found_key) {
logit("Host %s not found in %s", name, identity_file); logit("Host %s not found in %s", name, identity_file);
unlink(tmp); if (inplace)
unlink(tmp);
} else if (inplace) { } else if (inplace) {
/* Backup existing file */ /* Backup existing file */
if (unlink(old) == -1 && errno != ENOENT) if (unlink(old) == -1 && errno != ENOENT)

6
ssh-pkcs11-helper.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-pkcs11-helper.c,v 1.10 2015/01/20 23:14:00 deraadt Exp $ */ /* $OpenBSD: ssh-pkcs11-helper.c,v 1.11 2015/08/20 22:32:42 deraadt Exp $ */
/* /*
* Copyright (c) 2010 Markus Friedl. All rights reserved. * Copyright (c) 2010 Markus Friedl. All rights reserved.
* *
@ -301,8 +301,8 @@ main(int argc, char **argv)
buffer_init(&oqueue); buffer_init(&oqueue);
set_size = howmany(max + 1, NFDBITS) * sizeof(fd_mask); set_size = howmany(max + 1, NFDBITS) * sizeof(fd_mask);
rset = (fd_set *)xmalloc(set_size); rset = xmalloc(set_size);
wset = (fd_set *)xmalloc(set_size); wset = xmalloc(set_size);
for (;;) { for (;;) {
memset(rset, 0, set_size); memset(rset, 0, set_size);

4
ssh_config.0
View File

@ -205,9 +205,9 @@ DESCRIPTION
The default is: The default is:
chacha20-poly1305@openssh.com,
aes128-ctr,aes192-ctr,aes256-ctr, aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com, aes128-gcm@openssh.com,aes256-gcm@openssh.com,
chacha20-poly1305@openssh.com,
arcfour256,arcfour128, arcfour256,arcfour128,
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc, aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
aes192-cbc,aes256-cbc,arcfour aes192-cbc,aes256-cbc,arcfour
@ -1023,4 +1023,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0. versions 1.5 and 2.0.
OpenBSD 5.8 July 30, 2015 OpenBSD 5.8 OpenBSD 5.8 August 14, 2015 OpenBSD 5.8

6
ssh_config.5
View File

@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: ssh_config.5,v 1.214 2015/07/30 00:01:34 djm Exp $ .\" $OpenBSD: ssh_config.5,v 1.215 2015/08/14 15:32:41 jmc Exp $
.Dd $Mdocdate: July 30 2015 $ .Dd $Mdocdate: August 14 2015 $
.Dt SSH_CONFIG 5 .Dt SSH_CONFIG 5
.Os .Os
.Sh NAME .Sh NAME
@ -415,9 +415,9 @@ chacha20-poly1305@openssh.com
.Pp .Pp
The default is: The default is:
.Bd -literal -offset indent .Bd -literal -offset indent
chacha20-poly1305@openssh.com,
aes128-ctr,aes192-ctr,aes256-ctr, aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com, aes128-gcm@openssh.com,aes256-gcm@openssh.com,
chacha20-poly1305@openssh.com,
arcfour256,arcfour128, arcfour256,arcfour128,
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc, aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
aes192-cbc,aes256-cbc,arcfour aes192-cbc,aes256-cbc,arcfour

4
sshconnect.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshconnect.c,v 1.262 2015/05/28 05:41:29 dtucker Exp $ */ /* $OpenBSD: sshconnect.c,v 1.263 2015/08/20 22:32:42 deraadt Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -356,7 +356,7 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr,
goto done; goto done;
} }
fdset = (fd_set *)xcalloc(howmany(sockfd + 1, NFDBITS), fdset = xcalloc(howmany(sockfd + 1, NFDBITS),
sizeof(fd_mask)); sizeof(fd_mask));
FD_SET(sockfd, fdset); FD_SET(sockfd, fdset);
ms_to_timeval(&tv, *timeoutp); ms_to_timeval(&tv, *timeoutp);

4
sshd.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshd.c,v 1.457 2015/07/30 00:01:34 djm Exp $ */ /* $OpenBSD: sshd.c,v 1.458 2015/08/20 22:32:42 deraadt Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1253,7 +1253,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
sighup_restart(); sighup_restart();
if (fdset != NULL) if (fdset != NULL)
free(fdset); free(fdset);
fdset = (fd_set *)xcalloc(howmany(maxfd + 1, NFDBITS), fdset = xcalloc(howmany(maxfd + 1, NFDBITS),
sizeof(fd_mask)); sizeof(fd_mask));
for (i = 0; i < num_listen_socks; i++) for (i = 0; i < num_listen_socks; i++)

8
sshd_config.0
View File

@ -286,9 +286,9 @@ DESCRIPTION
The default is: The default is:
chacha20-poly1305@openssh.com,
aes128-ctr,aes192-ctr,aes256-ctr, aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com, aes128-gcm@openssh.com,aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
The list of available ciphers may also be obtained using the -Q The list of available ciphers may also be obtained using the -Q
option of ssh(1) with an argument of M-bM-^@M-^\cipherM-bM-^@M-^]. option of ssh(1) with an argument of M-bM-^@M-^\cipherM-bM-^@M-^].
@ -927,7 +927,7 @@ DESCRIPTION
If this option is set to M-bM-^@M-^\noM-bM-^@M-^] (the default) then only addresses If this option is set to M-bM-^@M-^\noM-bM-^@M-^] (the default) then only addresses
and not host names may be used in ~/.ssh/known_hosts from and and not host names may be used in ~/.ssh/known_hosts from and
sshd_config(5) Match Host directives. sshd_config Match Host directives.
UseLogin UseLogin
Specifies whether login(1) is used for interactive login Specifies whether login(1) is used for interactive login
@ -1049,4 +1049,4 @@ AUTHORS
versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
for privilege separation. for privilege separation.
OpenBSD 5.8 August 6, 2015 OpenBSD 5.8 OpenBSD 5.8 August 14, 2015 OpenBSD 5.8

10
sshd_config.5
View File

@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: sshd_config.5,v 1.210 2015/08/06 14:53:21 deraadt Exp $ .\" $OpenBSD: sshd_config.5,v 1.211 2015/08/14 15:32:41 jmc Exp $
.Dd $Mdocdate: August 6 2015 $ .Dd $Mdocdate: August 14 2015 $
.Dt SSHD_CONFIG 5 .Dt SSHD_CONFIG 5
.Os .Os
.Sh NAME .Sh NAME
@ -476,9 +476,9 @@ chacha20-poly1305@openssh.com
.Pp .Pp
The default is: The default is:
.Bd -literal -offset indent .Bd -literal -offset indent
chacha20-poly1305@openssh.com,
aes128-ctr,aes192-ctr,aes256-ctr, aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com, aes128-gcm@openssh.com,aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
.Ed .Ed
.Pp .Pp
The list of available ciphers may also be obtained using the The list of available ciphers may also be obtained using the
@ -1528,7 +1528,7 @@ If this option is set to
.Pa ~/.ssh/known_hosts .Pa ~/.ssh/known_hosts
.Cm from .Cm from
and and
.Xr sshd_config 5 .Nm
.Cm Match .Cm Match
.Cm Host .Cm Host
directives. directives.

3
sshkey.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshkey.c,v 1.20 2015/07/03 03:43:18 djm Exp $ */ /* $OpenBSD: sshkey.c,v 1.21 2015/08/19 23:19:01 djm Exp $ */
/* /*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Alexander von Gernler. All rights reserved. * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@ -1556,7 +1556,6 @@ dsa_generate_private_key(u_int bits, DSA **dsap)
*dsap = NULL; *dsap = NULL;
if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL,
NULL, NULL) || !DSA_generate_key(private)) { NULL, NULL) || !DSA_generate_key(private)) {
DSA_free(private);
ret = SSH_ERR_LIBCRYPTO_ERROR; ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out; goto out;
} }

4
version.h
View File

@ -1,6 +1,6 @@
/* $OpenBSD: version.h,v 1.74 2015/08/02 09:56:42 djm Exp $ */ /* $OpenBSD: version.h,v 1.75 2015/08/21 03:45:26 djm Exp $ */
#define SSH_VERSION "OpenSSH_7.0" #define SSH_VERSION "OpenSSH_7.1"
#define SSH_PORTABLE "p1" #define SSH_PORTABLE "p1"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE #define SSH_RELEASE SSH_VERSION SSH_PORTABLE