assar
4e2eb78eca
Add code for being compatible with ssh.com's krb5 authentication.
...
It is done by using the same ssh messages for v4 and v5 authentication
(since the ssh.com does not now anything about v4) and looking at the
contents after unpacking it to see if it is v4 or v5.
Based on code from Björn Grönvall <bg@sics.se>
PR: misc/20504
2001-03-04 02:22:04 +00:00
ps
4abb31bd7d
Make ConnectionsPerPeriod non-fatal for real.
2001-02-18 01:33:31 +00:00
assar
e25a9ea1d2
update to new heimdal libkrb5
2001-02-13 16:58:04 +00:00
kris
94cb603894
Patches backported from later development version of OpenSSH which prevent
...
(instead of just mitigating through connection limits) the Bleichenbacher
attack which can lead to guessing of the server key (not host key) by
regenerating it when an RSA failure is detected.
Reviewed by: rwatson
2001-02-12 06:44:51 +00:00
green
c0460ef928
Correctly fill in the sun_len for a sockaddr_sun.
...
Submitted by: Alexander Leidinger <Alexander@leidinger.net>
2001-02-04 20:23:17 +00:00
green
007d3cc3ed
MFS: Don't use the canonical hostname here, too.
2001-02-04 20:16:14 +00:00
green
8ae23e3ef8
MFF: Make ConnectionsPerPeriod usage a warning, not fatal.
2001-02-04 20:15:53 +00:00
green
42801d85d9
Actually propagate back to the rest of the application that a command
...
was specified when using -t mode with the SSH client.
Submitted by: Dima Dorfman <dima@unixfreak.org>
2001-01-21 05:45:27 +00:00
green
759414f218
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it
...
and giving a dire error to its lingering users.
2001-01-13 07:57:43 +00:00
green
a121b36822
Fix a long-standing bug that resulted in a dropped session sometimes
...
when an X11-forwarded client was closed. For some reason, sshd didn't
disable the SIGPIPE exit handler and died a horrible death (well, okay,
a silent death really). Set SIGPIPE's handler to SIG_IGN.
2001-01-06 21:15:07 +00:00
green
ab6b35a1d6
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0
...
new features description elided in favor of checking out their
website.
Important new FreeBSD-version stuff: PAM support has been worked
in, partially from the "Unix" OpenSSH version, and a lot due to the
work of Eivind Eklend, too.
This requires at least the following in pam.conf:
sshd auth sufficient pam_skey.so
sshd auth required pam_unix.so try_first_pass
sshd session required pam_permit.so
Parts by: Eivind Eklend <eivind@FreeBSD.org>
2000-12-05 02:55:12 +00:00
green
6202ac1614
Forgot to remove the old line in the last commit.
2000-12-05 02:41:01 +00:00
green
1c5144a169
This commit was generated by cvs2svn to compensate for changes in r69587,
...
which included commits to RCS files with non-trunk default branches.
2000-12-05 02:20:19 +00:00
green
2aecee364f
Import of OpenSSH 2.3.0 (virgin OpenBSD source release).
2000-12-05 02:20:19 +00:00
brian
17a750ff36
Remove duplicate line
...
Not responded to by: kris, then green
2000-12-04 22:57:53 +00:00
green
163406c6e5
In env_destroy(), it is a bad idea to env_swap(self, 0) to switch
...
back to the original environ unconditionally. The setting of the
variable to save the previous environ is conditional; it happens when
ENV.e_committed is set. Therefore, don't try to swap the env back
unless the previous env has been initialized.
PR: bin/22670
Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
2000-11-25 02:00:35 +00:00
billf
de5ab7abc1
Correct an arguement to ssh_add_identity, this matches what is currently
...
in ports/security/openssh/files/pam_ssh.c
PR: 22164
Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
Reviewed by: green
Approved by: green
2000-11-25 01:55:42 +00:00
green
0bc5843790
Add login_cap and login_access support. Previously, these FreeBSD-local
...
checks were only made when using the 1.x protocol.
2000-11-14 04:35:03 +00:00
green
100d82038d
Import a security fix: the client would allow a server to use its
...
ssh-agent or X11 forwarding even if it was disabled.
This is the vendor fix provided, not an actual revision of clientloop.c.
Submitted by: Markus Friedl <markus@OpenBSD.org> via kris
2000-11-14 03:51:53 +00:00
green
fb253173ae
This commit was generated by cvs2svn to compensate for changes in r68700,
...
which included commits to RCS files with non-trunk default branches.
2000-11-14 03:51:53 +00:00
green
3c8715d5d7
Fix a few style oddities.
2000-09-10 18:04:12 +00:00
green
bb24bb397b
Fix a goof in timevaldiff.
2000-09-10 18:03:46 +00:00
kris
c5a4794750
Remove files no longer present in OpenSSH 2.2.0 and beyond
2000-09-10 10:26:07 +00:00
kris
24372e6c10
Resolve conflicts and update for OpenSSH 2.2.0
...
Reviewed by: gshapiro, peter, green
2000-09-10 09:35:38 +00:00
kris
0ca2bdc2f7
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09
2000-09-10 08:31:17 +00:00
kris
f2912c8208
This commit was generated by cvs2svn to compensate for changes in r65668,
...
which included commits to RCS files with non-trunk default branches.
2000-09-10 08:31:17 +00:00
kris
e4a753d311
Nuke RSAREF support from orbit.
...
It's the only way to be sure.
2000-09-10 00:09:37 +00:00
kris
2450bc1f18
ttyname was not being passed into do_login(), so we were erroneously picking
...
up the function definition from unistd.h instead. Use s->tty instead.
Submitted by: peter
2000-09-04 08:43:05 +00:00
kris
175e5fe4dd
bzero() the struct timeval for paranoia
...
Submitted by: gshapiro
2000-09-03 07:58:35 +00:00
kris
868b20c6a8
Err, we weren't even compiling auth1.c with LOGIN_CAP at all. Guess nobody
...
was using this feature.
2000-09-02 07:32:05 +00:00
kris
458b9e5882
Repair a broken conflict resolution in r1.2 which had the effect of nullifying
...
the login_cap and login.access checks for whether a user/host is allowed
access to the system for users other than root. But since we currently don't
have a similar check in the ssh2 code path anyway, it's um, "okay".
Submitted by: gshapiro
2000-09-02 05:40:50 +00:00
kris
8b99f6e1dc
Repair my dyslexia: s/opt/otp/ in the OPIE challenge. D'oh!
...
Submitted by: gshapiro
2000-09-02 04:41:33 +00:00
kris
6eee534256
Re-add missing "break" which was lost during a previous patch
...
integration. This currently has no effect.
Submitted by: gshapiro
2000-09-02 04:37:51 +00:00
kris
42ae81df48
Turn on X11Forwarding by default on the server. Any risk is to the client,
...
where it is already disabled by default.
Reminded by: peter
2000-09-02 03:49:22 +00:00
kris
3ae9606341
Increase the default value of LoginGraceTime from 60 seconds to 120
...
seconds.
PR: 20488
Submitted by: rwatson
2000-08-23 09:47:25 +00:00
kris
aba57a02e8
Respect X11BASE to derive the location of xauth(1)
...
PR: 17818
Submitted by: Bjoern Fischer <bfischer@Techfak.Uni-Bielefeld.DE>
2000-08-23 09:39:20 +00:00
asmodai
5209950187
Chalk up another phkmalloc victim.
...
It seems as if uninitialised memory was the culprit.
We may want to contribute this back to the OpenSSH project.
Submitted by: Alexander Leidinger <Alexander@Leidinger.net> on -current.
2000-08-01 08:07:15 +00:00
asmodai
0a6c762555
Fix a weird typo, is -> are.
...
The OpenSSH maintainer probably want to contribute this back to the
real OpenSSH guys.
Submitted by: Jon Perkin <sketchy@netcraft.com>
2000-07-27 19:21:15 +00:00
marko
1dcee686be
Fixed a minor typo in the header.
...
Pointed out by: asmodai
2000-07-27 17:21:07 +00:00
marko
674af77794
Committed, Thanks!!
...
PR: 20108
Submitted by: Doug Lee
2000-07-25 16:49:48 +00:00
peter
d9df5f65de
Sync sshd_config with sshd and manapage internal defaults (Checkmail = yes)
2000-07-11 09:54:24 +00:00
peter
5f6efaa063
Sync LoginGraceTime with sshd_config = 60 seconds by default, not 600.
2000-07-11 09:52:14 +00:00
peter
772dd17b51
Fix out-of-sync defaults. PermitRootLogin is supposed to be 'no' but
...
sshd's internal default was 'yes'. (if some cracker managed to trash
/etc/ssh/sshd_config, then root logins could be reactivated)
Approved by: kris
2000-07-11 09:50:15 +00:00
peter
adeace1395
Make FallBackToRsh off by default. Falling back to rsh by default is
...
silly in this day and age.
Approved by: kris
2000-07-11 09:39:34 +00:00
green
be6e69fbed
Allow restarting on SIGHUP when the full path was not given as argv[0].
...
We do have /proc/curproc/file :)
2000-07-04 06:43:26 +00:00
green
26efc47d38
So /this/ is what has made OpenSSH's SSHv2 support never work right!
...
In some cases, limits did not get set to the proper class, but
instead always to "default", because not all passwd copies were
done to completion.
2000-06-27 21:16:06 +00:00
green
71e9ee0209
Also make sure to close the socket that exceeds your rate limit.
2000-06-26 23:39:26 +00:00
green
9bccae4f2e
Make rate limiting work per-listening-socket. Log better messages than
...
before for this, requiring a new function (get_ipaddr()). canohost.c
receives a $FreeBSD$ line.
Suggested by: Niels Provos <niels@OpenBSD.org>
2000-06-26 05:44:23 +00:00
kris
4f57b24cfd
Fix syntax error in previous commit.
...
Submitted by: Udo Schweigert <ust@cert.siemens.de>
2000-06-11 21:41:25 +00:00
kris
ad6da2a572
Fix security botch in "UseLogin Yes" case: commands are executed with
...
uid 0.
Obtained from: OpenBSD
2000-06-10 22:32:57 +00:00