10267 lines
303 KiB
Plaintext
10267 lines
303 KiB
Plaintext
commit 4a354fc231174901f2629437c2a6e924a2dd6772
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Dec 19 15:59:26 2016 +1100
|
|
|
|
crank version numbers for release
|
|
|
|
commit 5f8d0bb8413d4d909cc7aa3c616fb0538224c3c9
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Dec 19 04:55:51 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
openssh-7.4
|
|
|
|
Upstream-ID: 1ee404adba6bbe10ae9277cbae3a94abe2867b79
|
|
|
|
commit 3a8213ea0ed843523e34e55ab9c852332bab4c7b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Dec 19 04:55:18 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
remove testcase that depends on exact output and
|
|
behaviour of snprintf(..., "%s", NULL)
|
|
|
|
Upstream-Regress-ID: cab4288531766bd9593cb556613b91a2eeefb56f
|
|
|
|
commit eae735a82d759054f6ec7b4e887fb7a5692c66d7
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Mon Dec 19 03:32:57 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Use LOGNAME to get current user and fall back to whoami if
|
|
not set. Mainly to benefit -portable since some platforms don't have whoami.
|
|
|
|
Upstream-Regress-ID: e3a16b7836a3ae24dc8f8a4e43fdf8127a60bdfa
|
|
|
|
commit 0d2f88428487518eea60602bd593989013831dcf
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Dec 16 03:51:19 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Add regression test for AllowUsers and DenyUsers. Patch from
|
|
Zev Weiss <zev at bewilderbeest.net>
|
|
|
|
Upstream-Regress-ID: 8f1aac24d52728398871dac14ad26ea38b533fb9
|
|
|
|
commit 3bc8180a008929f6fe98af4a56fb37d04444b417
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Dec 16 15:02:24 2016 +1100
|
|
|
|
Add missing monitor.h include.
|
|
|
|
Fixes warning pointed out by Zev Weiss <zev at bewilderbeest.net>
|
|
|
|
commit 410681f9015d76cc7b137dd90dac897f673244a0
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Dec 16 02:48:55 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
revert to rev1.2; the new bits in this test depend on changes
|
|
to ssh that aren't yet committed
|
|
|
|
Upstream-Regress-ID: 828ffc2c7afcf65d50ff2cf3dfc47a073ad39123
|
|
|
|
commit 2f2ffa4fbe4b671bbffa0611f15ba44cff64d58e
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Dec 16 01:06:27 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Move the "stop sshd" code into its own helper function.
|
|
Patch from Zev Weiss <zev at bewilderbeest.net>, ok djm@
|
|
|
|
Upstream-Regress-ID: a113dea77df5bd97fb4633ea31f3d72dbe356329
|
|
|
|
commit e15e7152331e3976b35475fd4e9c72897ad0f074
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Dec 16 01:01:07 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
regression test for certificates along with private key
|
|
with no public half. bz#2617, mostly from Adam Eijdenberg
|
|
|
|
Upstream-Regress-ID: 2e74dc2c726f4dc839609b3ce045466b69f01115
|
|
|
|
commit 9a70ec085faf6e55db311cd1a329f1a35ad2a500
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu Dec 15 23:50:37 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Use $SUDO to read pidfile in case root's umask is
|
|
restricted. From portable.
|
|
|
|
Upstream-Regress-ID: f6b1c7ffbc5a0dfb7d430adb2883344899174a98
|
|
|
|
commit fe06b68f824f8f55670442fb31f2c03526dd326c
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu Dec 15 21:29:05 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Add missing braces in DenyUsers code. Patch from zev at
|
|
bewilderbeest.net, ok deraadt@
|
|
|
|
Upstream-ID: d747ace338dcf943b077925f90f85f789714b54e
|
|
|
|
commit dcc7d74242a574fd5c4afbb4224795b1644321e7
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu Dec 15 21:20:41 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Fix text in error message. Patch from zev at
|
|
bewilderbeest.net.
|
|
|
|
Upstream-ID: deb0486e175e7282f98f9a15035d76c55c84f7f6
|
|
|
|
commit b737e4d7433577403a31cff6614f6a1b0b5e22f4
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Dec 14 00:36:34 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
disable Unix-domain socket forwarding when privsep is
|
|
disabled
|
|
|
|
Upstream-ID: ab61516ae0faadad407857808517efa900a0d6d0
|
|
|
|
commit 08a1e7014d65c5b59416a0e138c1f73f417496eb
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Dec 9 03:04:29 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
log connections dropped in excess of MaxStartups at
|
|
verbose LogLevel; bz#2613 based on diff from Tomas Kuthan; ok dtucker@
|
|
|
|
Upstream-ID: 703ae690dbf9b56620a6018f8a3b2389ce76d92b
|
|
|
|
commit 10e290ec00964b2bf70faab15a10a5574bb80527
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Dec 13 13:51:32 2016 +1100
|
|
|
|
Get default of TEST_SSH_UTF8 from environment.
|
|
|
|
commit b9b8ba3f9ed92c6220b58d70d1e6d8aa3eea1104
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Dec 13 12:56:40 2016 +1100
|
|
|
|
Remove commented-out includes.
|
|
|
|
These commented-out includes have "Still needed?" comments. Since
|
|
they've been commented out for ~13 years I assert that they're not.
|
|
|
|
commit 25275f1c9d5f01a0877d39444e8f90521a598ea0
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Dec 13 12:54:23 2016 +1100
|
|
|
|
Add prototype for strcasestr in compat library.
|
|
|
|
commit afec07732aa2985142f3e0b9a01eb6391f523dec
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Dec 13 10:23:03 2016 +1100
|
|
|
|
Add strcasestr to compat library.
|
|
|
|
Fixes build on (at least) Solaris 10.
|
|
|
|
commit dda78a03af32e7994f132d923c2046e98b7c56c8
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Dec 12 13:57:10 2016 +1100
|
|
|
|
Force Turkish locales back to C/POSIX; bz#2643
|
|
|
|
Turkish locales are unique in their handling of the letters 'i' and
|
|
'I' (yes, they are different letters) and OpenSSH isn't remotely
|
|
prepared to deal with that. For now, the best we can do is to force
|
|
OpenSSH to use the C/POSIX locale and try to preserve the UTF-8
|
|
encoding if possible.
|
|
|
|
ok dtucker@
|
|
|
|
commit c35995048f41239fc8895aadc3374c5f75180554
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Dec 9 12:52:02 2016 +1100
|
|
|
|
exit is in stdlib.h not unistd.h (that's _exit).
|
|
|
|
commit d399a8b914aace62418c0cfa20341aa37a192f98
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Dec 9 12:33:25 2016 +1100
|
|
|
|
Include <unistd.h> for exit in utf8 locale test.
|
|
|
|
commit 47b8c99ab3221188ad3926108dd9d36da3b528ec
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Dec 8 15:48:34 2016 +1100
|
|
|
|
Check for utf8 local support before testing it.
|
|
|
|
Check for utf8 local support and if not found, do not attempt to run the
|
|
utf8 tests. Suggested by djm@
|
|
|
|
commit 4089fc1885b3a2822204effbb02b74e3da58240d
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Dec 8 12:57:24 2016 +1100
|
|
|
|
Use AC_PATH_TOOL for krb5-config.
|
|
|
|
This will use the host-prefixed version when cross compiling; patch from
|
|
david.michael at coreos.com.
|
|
|
|
commit b4867e0712c89b93be905220c82f0a15e6865d1e
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Dec 6 07:48:01 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
make IdentityFile successfully load and use certificates that
|
|
have no corresponding bare public key. E.g. just a private id_rsa and
|
|
certificate id_rsa-cert.pub (and no id_rsa.pub).
|
|
|
|
bz#2617 ok dtucker@
|
|
|
|
Upstream-ID: c1e9699b8c0e3b63cc4189e6972e3522b6292604
|
|
|
|
commit c9792783a98881eb7ed295680013ca97a958f8ac
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Nov 25 14:04:21 2016 +1100
|
|
|
|
Add a gnome-ssh-askpass3 target for GTK+3 version
|
|
|
|
Based on patch from Colin Watson via bz#2640
|
|
|
|
commit 7be85ae02b9de0993ce0a1d1e978e11329f6e763
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Nov 25 14:03:53 2016 +1100
|
|
|
|
Make gnome-ssh-askpass2.c GTK+3-friendly
|
|
|
|
Patch from Colin Watson via bz#2640
|
|
|
|
commit b9844a45c7f0162fd1b5465683879793d4cc4aaa
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Dec 4 23:54:02 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Fix public key authentication when multiple
|
|
authentication is in use. Instead of deleting and re-preparing the entire
|
|
keys list, just reset the 'used' flags; the keys list is already in a good
|
|
order (with already- tried keys at the back)
|
|
|
|
Analysis and patch from Vincent Brillault on bz#2642; ok dtucker@
|
|
|
|
Upstream-ID: 7123f12dc2f3bcaae715853035a97923d7300176
|
|
|
|
commit f2398eb774075c687b13af5bc22009eb08889abe
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Sun Dec 4 22:27:25 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Unlink PidFile on SIGHUP and always recreate it when the
|
|
new sshd starts. Regression tests (and possibly other things) depend on the
|
|
pidfile being recreated after SIGHUP, and unlinking it means it won't contain
|
|
a stale pid if sshd fails to restart. ok djm@ markus@
|
|
|
|
Upstream-ID: 132dd6dda0c77dd49d2f15b2573b5794f6160870
|
|
|
|
commit 85aa2efeba51a96bf6834f9accf2935d96150296
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Nov 30 03:01:33 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
test new behaviour of cert force-command restriction vs.
|
|
authorized_key/ principals
|
|
|
|
Upstream-Regress-ID: 399efa7469d40c404c0b0a295064ce75d495387c
|
|
|
|
commit 5d333131cd8519d022389cfd3236280818dae1bc
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Wed Nov 30 06:54:26 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
tweak previous; while here fix up FILES and AUTHORS;
|
|
|
|
Upstream-ID: 93f6e54086145a75df8d8ec7d8689bdadbbac8fa
|
|
|
|
commit 786d5994da79151180cb14a6cf157ebbba61c0cc
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Nov 30 03:07:37 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
add a whitelist of paths from which ssh-agent will load
|
|
(via ssh-pkcs11-helper) a PKCS#11 module; ok markus@
|
|
|
|
Upstream-ID: fe79769469d9cd6d26fe0dc15751b83ef2a06e8f
|
|
|
|
commit 7844f357cdd90530eec81340847783f1f1da010b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Nov 30 03:00:05 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Add a sshd_config DisableForwaring option that disables
|
|
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as
|
|
anything else we might implement in the future.
|
|
|
|
This, like the 'restrict' authorized_keys flag, is intended to be a
|
|
simple and future-proof way of restricting an account. Suggested as
|
|
a complement to 'restrict' by Jann Horn; ok markus@
|
|
|
|
Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
|
|
|
|
commit fd6dcef2030d23c43f986d26979f84619c10589d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Nov 30 02:57:40 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
When a forced-command appears in both a certificate and
|
|
an authorized keys/principals command= restriction, refuse to accept the
|
|
certificate unless they are identical.
|
|
|
|
The previous (documented) behaviour of having the certificate forced-
|
|
command override the other could be a bit confused and more error-prone.
|
|
|
|
Pointed out by Jann Horn of Project Zero; ok dtucker@
|
|
|
|
Upstream-ID: 79d811b6eb6bbe1221bf146dde6928f92d2cd05f
|
|
|
|
commit 7fc4766ac78abae81ee75b22b7550720bfa28a33
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed Nov 30 00:28:31 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
On startup, check to see if sshd is already daemonized
|
|
and if so, skip the call to daemon() and do not rewrite the PidFile. This
|
|
means that when sshd re-execs itself on SIGHUP the process ID will no longer
|
|
change. Should address bz#2641. ok djm@ markus@.
|
|
|
|
Upstream-ID: 5ea0355580056fb3b25c1fd6364307d9638a37b9
|
|
|
|
commit c9f880c195c65f1dddcbc4ce9d6bfea7747debcc
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Nov 30 13:51:49 2016 +1100
|
|
|
|
factor out common PRNG reseed before privdrop
|
|
|
|
Add a call to RAND_poll() to ensure than more than pid+time gets
|
|
stirred into child processes states. Prompted by analysis from Jann
|
|
Horn at Project Zero. ok dtucker@
|
|
|
|
commit 79e4829ec81dead1b30999e1626eca589319a47f
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Nov 25 03:02:01 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Allow PuTTY interop tests to run unattended. bz#2639,
|
|
patch from cjwatson at debian.org.
|
|
|
|
Upstream-Regress-ID: 4345253558ac23b2082aebabccd48377433b6fe0
|
|
|
|
commit 504c3a9a1bf090f6b27260fc3e8ea7d984d163dc
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Nov 25 02:56:49 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Reverse args to sshd-log-wrapper. Matches change in
|
|
portable, where it allows sshd do be optionally run under Valgrind.
|
|
|
|
Upstream-Regress-ID: b438d1c6726dc5caa2a45153e6103a0393faa906
|
|
|
|
commit bd13017736ec2f8f9ca498fe109fb0035f322733
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Nov 25 02:49:18 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Fix typo in trace message; from portable.
|
|
|
|
Upstream-Regress-ID: 4c4a2ba0d37faf5fd230a91b4c7edb5699fbd73a
|
|
|
|
commit 7da751d8b007c7f3e814fd5737c2351440d78b4c
|
|
Author: tb@openbsd.org <tb@openbsd.org>
|
|
Date: Tue Nov 1 13:43:27 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Clean up MALLOC_OPTIONS. For the unittests, move
|
|
MALLOC_OPTIONS and TEST_ENV to unittets/Makefile.inc.
|
|
|
|
ok otto
|
|
|
|
Upstream-Regress-ID: 890d497e0a38eeddfebb11cc429098d76cf29f12
|
|
|
|
commit 36f58e68221bced35e06d1cca8d97c48807a8b71
|
|
Author: tb@openbsd.org <tb@openbsd.org>
|
|
Date: Mon Oct 31 23:45:08 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Remove the obsolete A and P flags from MALLOC_OPTIONS.
|
|
|
|
ok dtucker
|
|
|
|
Upstream-Regress-ID: 6cc25024c8174a87e5734a0dc830194be216dd59
|
|
|
|
commit b0899ee26a6630883c0f2350098b6a35e647f512
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Tue Nov 29 03:54:50 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Factor out code to disconnect from controlling terminal
|
|
into its own function. ok djm@
|
|
|
|
Upstream-ID: 39fd9e8ebd7222615a837312face5cc7ae962885
|
|
|
|
commit 54d022026aae4f53fa74cc636e4a032d9689b64d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Nov 25 23:24:45 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
use sshbuf_allocate() to pre-allocate the buffer used for
|
|
loading keys. This avoids implicit realloc inside the buffer code, which
|
|
might theoretically leave fragments of the key on the heap. This doesn't
|
|
appear to happen in practice for normal sized keys, but was observed for
|
|
novelty oversize ones.
|
|
|
|
Pointed out by Jann Horn of Project Zero; ok markus@
|
|
|
|
Upstream-ID: d620e1d46a29fdea56aeadeda120879eddc60ab1
|
|
|
|
commit a9c746088787549bb5b1ae3add7d06a1b6d93d5e
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Nov 25 23:22:04 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
split allocation out of sshbuf_reserve() into a separate
|
|
sshbuf_allocate() function; ok markus@
|
|
|
|
Upstream-ID: 11b8a2795afeeb1418d508a2c8095b3355577ec2
|
|
|
|
commit f0ddedee460486fa0e32fefb2950548009e5026e
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed Nov 23 23:14:15 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
allow ClientAlive{Interval,CountMax} in Match; ok dtucker,
|
|
djm
|
|
|
|
Upstream-ID: 8beb4c1eadd588f1080b58932281983864979f55
|
|
|
|
commit 1a6f9d2e2493d445cd9ee496e6e3c2a2f283f66a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Nov 8 22:04:34 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
unbreak DenyUsers; reported by henning@
|
|
|
|
Upstream-ID: 1c67d4148f5e953c35acdb62e7c08ae8e33f7cb2
|
|
|
|
commit 010359b32659f455fddd2bd85fd7cc4d7a3b994a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Nov 6 05:46:37 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Validate address ranges for AllowUser/DenyUsers at
|
|
configuration load time and refuse to accept bad ones. It was previously
|
|
possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and
|
|
these would always match.
|
|
|
|
Thanks to Laurence Parry for a detailed bug report. ok markus (for
|
|
a previous diff version)
|
|
|
|
Upstream-ID: 9dfcdd9672b06e65233ea4434c38226680d40bfb
|
|
|
|
commit efb494e81d1317209256b38b49f4280897c61e69
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Oct 28 03:33:52 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Improve pkcs11_add_provider() logging: demote some
|
|
excessively verbose error()s to debug()s, include PKCS#11 provider name and
|
|
slot in log messages where possible. bz#2610, based on patch from Jakub Jelen
|
|
|
|
Upstream-ID: 3223ef693cfcbff9079edfc7e89f55bf63e1973d
|
|
|
|
commit 5ee3fb5affd7646f141749483205ade5fc54adaf
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Nov 1 08:12:33 2016 +1100
|
|
|
|
Use ptrace(PT_DENY_ATTACH, ..) on OS X.
|
|
|
|
commit 315d2a4e674d0b7115574645cb51f968420ebb34
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Oct 28 14:34:07 2016 +1100
|
|
|
|
Unbreak AES-CTR ciphers on old (~0.9.8) OpenSSL
|
|
|
|
ok dtucker@
|
|
|
|
commit a9ff3950b8e80ff971b4d44bbce96df27aed28af
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Oct 28 14:26:58 2016 +1100
|
|
|
|
Move OPENSSL_NO_RIPEMD160 to compat.
|
|
|
|
Move OPENSSL_NO_RIPEMD160 to compat and add ifdefs to mac.c around the
|
|
ripemd160 MACs.
|
|
|
|
commit bce58885160e5db2adda3054c3b81fe770f7285a
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Oct 28 13:52:31 2016 +1100
|
|
|
|
Check if RIPEMD160 is disabled in OpenSSL.
|
|
|
|
commit d924640d4c355d1b5eca1f4cc60146a9975dbbff
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Oct 28 13:38:19 2016 +1100
|
|
|
|
Skip ssh1 specfic ciphers.
|
|
|
|
cipher-3des1.c and cipher-bf1.c are specific to sshv1 so don't even try
|
|
to compile them when Protocol 1 is not enabled.
|
|
|
|
commit 79d078e7a49caef746516d9710ec369ba45feab6
|
|
Author: jsg@openbsd.org <jsg@openbsd.org>
|
|
Date: Tue Oct 25 04:08:13 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Fix logic in add_local_forward() that inverted a test
|
|
when code was refactored out into bind_permitted(). This broke ssh port
|
|
forwarding for non-priv ports as a non root user.
|
|
|
|
ok dtucker@ 'looks good' deraadt@
|
|
|
|
Upstream-ID: ddb8156ca03cc99997de284ce7777536ff9570c9
|
|
|
|
commit a903e315dee483e555c8a3a02c2946937f9b4e5d
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Mon Oct 24 01:09:17 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Remove dead breaks, found via opencoverage.net. ok
|
|
deraadt@
|
|
|
|
Upstream-ID: ad9cc655829d67fad219762810770787ba913069
|
|
|
|
commit b4e96b4c9bea4182846e4942ba2048e6d708ee54
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Oct 26 08:43:25 2016 +1100
|
|
|
|
Use !=NULL instead of >0 for getdefaultproj.
|
|
|
|
getdefaultproj() returns a pointer so test it for NULL inequality
|
|
instead of >0. Fixes compiler warning and is more correct. Patch from
|
|
David Binderman.
|
|
|
|
commit 1c4ef0b808d3d38232aeeb1cebb7e9a43def42c5
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Sun Oct 23 22:04:05 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Factor out "can bind to low ports" check into its own function. This will
|
|
make it easier for Portable to support platforms with permissions models
|
|
other than uid==0 (eg bz#2625). ok djm@, "doesn't offend me too much"
|
|
deraadt@.
|
|
|
|
Upstream-ID: 86213df4183e92b8f189a6d2dac858c994bfface
|
|
|
|
commit 0b9ee623d57e5de7e83e66fd61a7ba9a5be98894
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed Oct 19 23:21:56 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
When tearing down ControlMaster connecctions, don't
|
|
pollute stderr when LogLevel=quiet. Patch from Tim Kuijsten via tech@.
|
|
|
|
Upstream-ID: d9b3a68b2a7c2f2fc7f74678e29a4618d55ceced
|
|
|
|
commit 09e6a7d8354224933febc08ddcbc2010f542284e
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Oct 24 09:06:18 2016 +1100
|
|
|
|
Wrap stdint.h include in ifdef.
|
|
|
|
commit 08d9e9516e587b25127545c029e5464b2e7f2919
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Oct 21 09:46:46 2016 +1100
|
|
|
|
Fix formatting.
|
|
|
|
commit 461f50e7ab8751d3a55e9158c44c13031db7ba1d
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Oct 21 06:55:58 2016 +1100
|
|
|
|
Update links to https.
|
|
|
|
www.openssh.com now supports https and ftp.openbsd.org no longer
|
|
supports ftp. Make all links to these https.
|
|
|
|
commit dd4e7212a6141f37742de97795e79db51e4427ad
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Oct 21 06:48:46 2016 +1100
|
|
|
|
Update host key generation examples.
|
|
|
|
Remove ssh1 host key generation, add ssh-keygen -A
|
|
|
|
commit 6d49ae82634c67e9a4d4af882bee20b40bb8c639
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Oct 21 05:22:55 2016 +1100
|
|
|
|
Update links.
|
|
|
|
Make links to openssh.com HTTPS now that it's supported, point release
|
|
notes link to the HTML release notes page, and update a couple of other
|
|
links and bits of text.
|
|
|
|
commit fe0d1ca6ace06376625084b004ee533f2c2ea9d6
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Oct 20 03:42:09 2016 +1100
|
|
|
|
Remote channels .orig and .rej files.
|
|
|
|
These files were incorrectly added during an OpenBSD sync.
|
|
|
|
commit 246aa842a4ad368d8ce030495e657ef3a0e1f95c
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Tue Oct 18 17:32:54 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Remove channel_input_port_forward_request(); the only caller
|
|
was the recently-removed SSH1 server code so it's now dead code. ok markus@
|
|
|
|
Upstream-ID: 05453983230a1f439562535fec2818f63f297af9
|
|
|
|
commit 2c6697c443d2c9c908260eed73eb9143223e3ec9
|
|
Author: millert@openbsd.org <millert@openbsd.org>
|
|
Date: Tue Oct 18 12:41:22 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Install a signal handler for tty-generated signals and
|
|
wait for the ssh child to suspend before suspending sftp. This lets ssh
|
|
restore the terminal mode as needed when it is suspended at the password
|
|
prompt. OK dtucker@
|
|
|
|
Upstream-ID: a31c1f42aa3e2985dcc91e46e6a17bd22e372d69
|
|
|
|
commit fd2a8f1033fa2316fff719fd5176968277560158
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Sat Oct 15 19:56:25 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
various formatting fixes, specifically removing Dq;
|
|
|
|
Upstream-ID: 81e85df2b8e474f5f93d66e61d9a4419ce87347c
|
|
|
|
commit 8f866d8a57b9a2dc5dd04504e27f593b551618e3
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Oct 19 03:26:09 2016 +1100
|
|
|
|
Import readpassphrase.c rev 1.26.
|
|
|
|
Author: miller@openbsd.org:
|
|
Avoid generate SIGTTOU when restoring the terminal mode. If we get
|
|
SIGTTOU it means the process is not in the foreground process group
|
|
which, in most cases, means that the shell has taken control of the tty.
|
|
Requiring the user the fg the process in this case doesn't make sense
|
|
and can result in both SIGTSTP and SIGTTOU being sent which can lead to
|
|
the process being suspended again immediately after being brought into
|
|
the foreground.
|
|
|
|
commit f901440cc844062c9bab0183d133f7ccc58ac3a5
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Oct 19 03:23:16 2016 +1100
|
|
|
|
Import readpassphrase.c rev 1.25.
|
|
|
|
Wrap <readpassphrase.h> so internal calls go direct and
|
|
readpassphrase is weak.
|
|
|
|
(DEF_WEAK is a no-op in portable.)
|
|
|
|
commit 032147b69527e5448a511049b2d43dbcae582624
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sat Oct 15 05:51:12 2016 +1100
|
|
|
|
Move DEF_WEAK into defines.h.
|
|
|
|
As well pull in more recent changes from OpenBSD these will start to
|
|
arrive so put it where the definition is shared.
|
|
|
|
commit e0259a82ddd950cfb109ddee86fcebbc09c6bd04
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sat Oct 15 04:34:46 2016 +1100
|
|
|
|
Remove do_pam_set_tty which is dead code.
|
|
|
|
The callers of do_pam_set_tty were removed in 2008, so this is now dead
|
|
code. bz#2604, pointed out by jjelen at redhat.com.
|
|
|
|
commit ca04de83f210959ad2ed870a30ba1732c3ae00e3
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Oct 13 18:53:43 2016 +1100
|
|
|
|
unbreak principals-command test
|
|
|
|
Undo inconsistetly updated variable name.
|
|
|
|
commit 1723ec92eb485ce06b4cbf49712d21975d873909
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Oct 11 21:49:54 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
fix the KEX fuzzer - the previous method of obtaining the
|
|
packet contents was broken. This now uses the new per-packet input hook, so
|
|
it sees exact post-decrypt packets and doesn't have to pass packet integrity
|
|
checks. ok markus@
|
|
|
|
Upstream-Regress-ID: 402fb6ffabd97de590e8e57b25788949dce8d2fd
|
|
|
|
commit 09f997893f109799cddbfce6d7e67f787045cbb2
|
|
Author: natano@openbsd.org <natano@openbsd.org>
|
|
Date: Thu Oct 6 09:31:38 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Move USER out of the way to unbreak the BUILDUSER
|
|
mechanism. ok tb
|
|
|
|
Upstream-Regress-ID: 74ab9687417dd071d62316eaadd20ddad1d5af3c
|
|
|
|
commit 3049a012c482a7016f674db168f23fd524edce27
|
|
Author: bluhm@openbsd.org <bluhm@openbsd.org>
|
|
Date: Fri Sep 30 11:55:20 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
In ssh tests set REGRESS_FAIL_EARLY with ?= so that the
|
|
environment can change it. OK djm@
|
|
|
|
Upstream-Regress-ID: 77bcb50e47b68c7209c7f0a5a020d73761e5143b
|
|
|
|
commit 39af7b444db28c1cb01b7ea468a4f574a44f375b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Oct 11 21:47:45 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Add a per-packet input hook that is called with the
|
|
decrypted packet contents. This will be used for fuzzing; ok markus@
|
|
|
|
Upstream-ID: a3221cee6b1725dd4ae1dd2c13841b4784cb75dc
|
|
|
|
commit ec165c392ca54317dbe3064a8c200de6531e89ad
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Oct 10 19:28:48 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Unregister the KEXINIT handler after message has been
|
|
received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
|
|
allocation of up to 128MB -- until the connection is closed. Reported by
|
|
shilei-c at 360.cn
|
|
|
|
Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
|
|
|
|
commit 29d40319392e6e19deeca9d45468aa1119846e50
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Oct 13 04:07:20 2016 +1100
|
|
|
|
Import rev 1.24 from OpenBSD.
|
|
|
|
revision 1.24
|
|
date: 2013/11/24 23:51:29; author: deraadt; state: Exp; lines: +4 -4;
|
|
most obvious unsigned char casts for ctype
|
|
ok jca krw ingo
|
|
|
|
commit 12069e56221de207ed666c2449dedb431a2a7ca2
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Oct 13 04:04:44 2016 +1100
|
|
|
|
Import rev 1.23 from OpenBSD. Fixes bz#2619.
|
|
|
|
revision 1.23
|
|
date: 2010/05/14 13:30:34; author: millert; state: Exp; lines: +41 -39;
|
|
Defer installing signal handlers until echo is disabled so that we
|
|
get suspended normally when not the foreground process. Fix potential
|
|
infinite loop when restoring terminal settings if process is in the
|
|
background when restore occurs. OK miod@
|
|
|
|
commit 7508d83eff89af069760b4cc587305588a64e415
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Oct 13 03:53:51 2016 +1100
|
|
|
|
If we don't have TCSASOFT, define it to zero.
|
|
|
|
This makes it a no-op when we use it below, which allows us to re-sync
|
|
those lines with the upstream and make future updates easier.
|
|
|
|
commit aae4dbd4c058d3b1fe1eb5c4e6ddf35827271377
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Fri Oct 7 14:41:52 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
tidy up the formatting in this file. more specifically,
|
|
replace .Dq, which looks appalling, with .Cm, where appropriate;
|
|
|
|
Upstream-ID: ff8e90aa0343d9bb56f40a535e148607973cc738
|
|
|
|
commit a571dbcc7b7b25371174569b13df5159bc4c6c7a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Oct 4 21:34:40 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
add a comment about implicitly-expected checks to
|
|
sshkey_ec_validate_public()
|
|
|
|
Upstream-ID: 74a7f71c28f7c13a50f89fc78e7863b9cd61713f
|
|
|
|
commit 2f78a2a698f4222f8e05cad57ac6e0c3d1faff00
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Sep 30 20:24:46 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
fix some -Wpointer-sign warnings in the new mux proxy; ok
|
|
markus@
|
|
|
|
Upstream-ID: b1ba7b3769fbc6b7f526792a215b0197f5e55dfd
|
|
|
|
commit ca71c36645fc26fcd739a8cfdc702cec85607761
|
|
Author: bluhm@openbsd.org <bluhm@openbsd.org>
|
|
Date: Wed Sep 28 20:09:52 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Add a makefile rule to create the ssh library when
|
|
regress needs it. This allows to run the ssh regression tests without doing
|
|
a "make build" before. Discussed with dtucker@ and djm@; OK djm@
|
|
|
|
Upstream-Regress-ID: ce489bd53afcd471225a125b4b94565d4717c025
|
|
|
|
commit ce44c970f913d2a047903dba8670554ac42fc479
|
|
Author: bluhm@openbsd.org <bluhm@openbsd.org>
|
|
Date: Mon Sep 26 21:34:38 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Allow to run ssh regression tests as root. If the user
|
|
is already root, the test should not expect that SUDO is set. If ssh needs
|
|
another user, use sudo or doas to switch from root if necessary. OK dtucker@
|
|
|
|
Upstream-Regress-ID: b464e55185ac4303529e3e6927db41683aaeace2
|
|
|
|
commit 8d0578478586e283e751ca51e7b0690631da139a
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Fri Sep 30 09:19:13 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux
|
|
client speaks the ssh-packet protocol directly over unix-domain socket. - mux
|
|
server acts as a proxy, translates channel IDs and relays to the server. - no
|
|
filedescriptor passing necessary. - combined with unix-domain forwarding it's
|
|
even possible to run mux client and server on different machines. feedback
|
|
& ok djm@
|
|
|
|
Upstream-ID: 666a2fb79f58e5c50e246265fb2b9251e505c25b
|
|
|
|
commit b7689155f3f5c4999846c07a852b1c7a43b09cec
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Sep 28 21:44:52 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
put back some pre-auth zlib bits that I shouldn't have
|
|
removed - they are still used by the client. Spotted by naddy@
|
|
|
|
Upstream-ID: 80919468056031037d56a1f5b261c164a6f90dc2
|
|
|
|
commit 4577adead6a7d600c8e764619d99477a08192c8f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Sep 28 20:32:42 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
restore pre-auth compression support in the client -- the
|
|
previous commit was intended to remove it from the server only.
|
|
|
|
remove a few server-side pre-auth compression bits that escaped
|
|
|
|
adjust wording of Compression directive in sshd_config(5)
|
|
|
|
pointed out by naddy@ ok markus@
|
|
|
|
Upstream-ID: d23696ed72a228dacd4839dd9f2dec424ba2016b
|
|
|
|
commit 80d1c963b4dc84ffd11d09617b39c4bffda08956
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Wed Sep 28 17:59:22 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
use a separate TOKENS section, as we've done for
|
|
sshd_config(5); help/ok djm
|
|
|
|
Upstream-ID: 640e32b5e4838e4363738cdec955084b3579481d
|
|
|
|
commit 1cfd5c06efb121e58e8b6671548fda77ef4b4455
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Sep 29 03:19:23 2016 +1000
|
|
|
|
Remove portability support for mmap
|
|
|
|
We no longer need to wrap/replace mmap for portability now that
|
|
pre-auth compression has been removed from OpenSSH.
|
|
|
|
commit 0082fba4efdd492f765ed4c53f0d0fbd3bdbdf7f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Sep 28 16:33:06 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Remove support for pre-authentication compression. Doing
|
|
compression early in the protocol probably seemed reasonable in the 1990s,
|
|
but today it's clearly a bad idea in terms of both cryptography (cf. multiple
|
|
compression oracle attacks in TLS) and attack surface.
|
|
|
|
Moreover, to support it across privilege-separation zlib needed
|
|
the assistance of a complex shared-memory manager that made the
|
|
required attack surface considerably larger.
|
|
|
|
Prompted by Guido Vranken pointing out a compiler-elided security
|
|
check in the shared memory manager found by Stack
|
|
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@
|
|
|
|
NB. pre-auth authentication has been disabled by default in sshd
|
|
for >10 years.
|
|
|
|
Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf
|
|
|
|
commit 27c3a9c2aede2184856b5de1e6eca414bb751c38
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Sep 26 21:16:11 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Avoid a theoretical signed integer overflow should
|
|
BN_num_bytes() ever violate its manpage and return a negative value. Improve
|
|
order of tests to avoid confusing increasingly pedantic compilers.
|
|
|
|
Reported by Guido Vranken from stack (css.csail.mit.edu/stack)
|
|
unstable optimisation analyser output. ok deraadt@
|
|
|
|
Upstream-ID: f8508c830c86d8f36c113985e52bf8eedae23505
|
|
|
|
commit 8663e51c80c6aa3d750c6d3bcff6ee05091922be
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Sep 28 07:40:33 2016 +1000
|
|
|
|
fix mdoc2man.awk formatting for top-level lists
|
|
|
|
Reported by Glenn Golden
|
|
Diagnosis and fix from Ingo Schwarze
|
|
|
|
commit b97739dc21570209ed9d4e7beee0c669ed23b097
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Sep 22 21:15:41 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
missing bit from previous commit
|
|
|
|
Upstream-ID: 438d5ed6338b28b46e822eb13eee448aca31df37
|
|
|
|
commit de6a175a99d22444e10d19ad3fffef39bc3ee3bb
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Thu Sep 22 19:19:01 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
organise the token stuff into a separate section; ok
|
|
markus for an earlier version of the diff ok/tweaks djm
|
|
|
|
Upstream-ID: 81a6daa506a4a5af985fce7cf9e59699156527c8
|
|
|
|
commit 16277fc45ffc95e4ffc3d45971ff8320b974de2b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Sep 22 17:55:13 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
mention curve25519-sha256 KEX
|
|
|
|
Upstream-ID: 33ae1f433ce4795ffa6203761fbdf86e0d7ffbaf
|
|
|
|
commit 0493766d5676c7ca358824ea8d3c90f6047953df
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Sep 22 17:52:53 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
support plain curve25519-sha256 KEX algorithm now that it
|
|
is approaching standardisation (same algorithm is currently supported as
|
|
curve25519-sha256@libssh.org)
|
|
|
|
Upstream-ID: 5e2b6db2e72667048cf426da43c0ee3fc777baa2
|
|
|
|
commit f31c654b30a6f02ce0b8ea8ab81791b675489628
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu Sep 22 02:29:57 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
If ssh receives a PACKET_DISCONNECT during userauth it
|
|
will cause ssh_dispatch_run(DISPATCH_BLOCK, ...) to return without the
|
|
session being authenticated. Check for this and exit if necessary. ok djm@
|
|
|
|
Upstream-ID: b3afe126c0839d2eae6cddd41ff2ba317eda0903
|
|
|
|
commit 1622649b7a829fc8dc313042a43a974f0f3e8a99
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Sep 21 19:53:12 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
correctly return errors from kex_send_ext_info(). Fix from
|
|
Sami Farin via https://github.com/openssh/openssh-portable/pull/50
|
|
|
|
Upstream-ID: c85999af28aaecbf92cfa2283381df81e839b42c
|
|
|
|
commit f83a0cfe16c7a73627b46a9a94e40087d60f32fb
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Sep 21 17:44:20 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
cast uint64_t for printf
|
|
|
|
Upstream-ID: 76d23e89419ccbd2320f92792a6d878211666ac1
|
|
|
|
commit 5f63ab474f58834feca4f35c498be03b7dd38a16
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Sep 21 17:03:54 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
disable tests for affirmative negated match after backout of
|
|
match change
|
|
|
|
Upstream-Regress-ID: acebb8e5042f03d66d86a50405c46c4de0badcfd
|
|
|
|
commit a5ad3a9db5a48f350f257a67b62fafd719ecb7e0
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Sep 21 16:55:42 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Revert two recent changes to negated address matching. The
|
|
new behaviour offers unintuitive surprises. We'll find a better way to deal
|
|
with single negated matches.
|
|
|
|
match.c 1.31:
|
|
> fix matching for pattern lists that contain a single negated match,
|
|
> e.g. "Host !example"
|
|
>
|
|
> report and patch from Robin Becker. bz#1918 ok dtucker@
|
|
|
|
addrmatch.c 1.11:
|
|
> fix negated address matching where the address list consists of a
|
|
> single negated match, e.g. "Match addr !192.20.0.1"
|
|
>
|
|
> Report and patch from Jakub Jelen. bz#2397 ok dtucker@
|
|
|
|
Upstream-ID: ec96c770f0f5b9a54e5e72fda25387545e9c80c6
|
|
|
|
commit 119b7a2ca0ef2bf3f81897ae10301b8ca8cba844
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Sep 21 01:35:12 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
test all the AuthorizedPrincipalsCommand % expansions
|
|
|
|
Upstream-Regress-ID: 0a79a84dfaa59f958e46b474c3db780b454d30e3
|
|
|
|
commit bfa9d969ab6235d4938ce069d4db7e5825c56a19
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Sep 21 01:34:45 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
add a way for principals command to get see key ID and serial
|
|
too
|
|
|
|
Upstream-ID: 0d30978bdcf7e8eaeee4eea1b030eb2eb1823fcb
|
|
|
|
commit 920585b826af1c639e4ed78b2eba01fd2337b127
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Sep 16 06:09:31 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
add a note on kexfuzz' limitations
|
|
|
|
Upstream-Regress-ID: 03804d4a0dbc5163e1a285a4c8cc0a76a4e864ec
|
|
|
|
commit 0445ff184080b196e12321998b4ce80b0f33f8d1
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Sep 16 01:01:41 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
fix for newer modp DH groups
|
|
(diffie-hellman-group14-sha256 etc)
|
|
|
|
Upstream-Regress-ID: fe942c669959462b507516ae1634fde0725f1c68
|
|
|
|
commit 28652bca29046f62c7045e933e6b931de1d16737
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Sep 19 19:02:19 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
move inbound NEWKEYS handling to kex layer; otherwise
|
|
early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed
|
|
with & ok djm@
|
|
|
|
Upstream-ID: 9a68b882892e9f51dc7bfa9f5a423858af358b2f
|
|
|
|
commit 492710894acfcc2f173d14d1d45bd2e688df605d
|
|
Author: natano@openbsd.org <natano@openbsd.org>
|
|
Date: Mon Sep 19 07:52:42 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Replace two more arc4random() loops with
|
|
arc4random_buf().
|
|
|
|
tweaks and ok dtucker
|
|
ok deraadt
|
|
|
|
Upstream-ID: 738d3229130ccc7eac975c190276ca6fcf0208e4
|
|
|
|
commit 1036356324fecc13099ac6e986b549f6219327d7
|
|
Author: tedu@openbsd.org <tedu@openbsd.org>
|
|
Date: Sat Sep 17 18:00:27 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
replace two arc4random loops with arc4random_buf ok
|
|
deraadt natano
|
|
|
|
Upstream-ID: e18ede972d1737df54b49f011fa4f3917a403f48
|
|
|
|
commit 00df97ff68a49a756d4b977cd02283690f5dfa34
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Sep 14 20:11:26 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
take fingerprint of correct key for
|
|
AuthorizedPrincipalsCommand
|
|
|
|
Upstream-ID: 553581a549cd6a3e73ce9f57559a325cc2cb1f38
|
|
|
|
commit e7907c1cb938b96dd33d27c2fea72c4e08c6b2f6
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Sep 14 05:42:25 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
add %-escapes to AuthorizedPrincipalsCommand to match those
|
|
supported for AuthorizedKeysCommand (key, key type, fingerprint, etc) and a
|
|
few more to provide access to the certificate's CA key; 'looks ok' dtucker@
|
|
|
|
Upstream-ID: 6b00fd446dbebe67f4e4e146d2e492d650ae04eb
|
|
|
|
commit 2b939c272a81c4d0c47badeedbcb2ba7c128ccda
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed Sep 14 00:45:31 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Improve test coverage of ssh-keygen -T a bit.
|
|
|
|
Upstream-Regress-ID: 8851668c721bcc2b400600cfc5a87644cc024e72
|
|
|
|
commit 44d82fc83be6c5ccd70881c2dac1a73e5050398b
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Mon Sep 12 02:25:46 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Add testcase for ssh-keygen -j, -J and -K options for
|
|
moduli screening. Does not currently test generation as that is extremely
|
|
slow.
|
|
|
|
Upstream-Regress-ID: 9de6ce801377ed3ce0a63a1413f1cd5fd3c2d062
|
|
|
|
commit 44e5f756d286bc3a1a5272ea484ee276ba3ac5c2
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Aug 23 08:17:04 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
add tests for addr_match_list()
|
|
|
|
Upstream-Regress-ID: fae2d1fef84687ece584738a924c7bf969616c8e
|
|
|
|
commit 445e218878035b59c704c18406e8aeaff4c8aa25
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Sep 12 23:39:34 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
handle certs in rsa_hash_alg_from_ident(), saving an
|
|
unnecessary special case elsewhere.
|
|
|
|
Upstream-ID: 901cb081c59d6d2698b57901c427f3f6dc7397d4
|
|
|
|
commit 130f5df4fa37cace8c079dccb690e5cafbf00751
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Sep 12 23:31:27 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
list all supported signature algorithms in the
|
|
server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independantly)
|
|
Ron Frederick; ok markus@
|
|
|
|
Upstream-ID: ddf702d721f54646b11ef2cee6d916666cb685cd
|
|
|
|
commit 8f750ccfc07acb8aa98be5a5dd935033a6468cfd
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Sep 12 14:43:58 2016 +1000
|
|
|
|
Remove no-op brackets to resync with upstream.
|
|
|
|
commit 7050896e7395866278c19c2ff080c26152619d1d
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Sep 12 13:57:28 2016 +1000
|
|
|
|
Resync ssh-keygen -W error message with upstream.
|
|
|
|
commit 43cceff82cc20413cce58ba3375e19684e62cec4
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Sep 12 13:55:37 2016 +1000
|
|
|
|
Move ssh-keygen -W handling code to match upstream
|
|
|
|
commit af48d541360b1d7737b35740a4b1ca34e1652cd9
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Sep 12 13:52:17 2016 +1000
|
|
|
|
Move ssh-keygen -T handling code to match upstream.
|
|
|
|
commit d8c3cfbb018825c6c86547165ddaf11924901c49
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Sep 12 13:30:50 2016 +1000
|
|
|
|
Move -M handling code to match upstream.
|
|
|
|
commit 7b63cf6dbbfa841c003de57d1061acbf2ff22364
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Mon Sep 12 03:29:16 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Spaces->tabs.
|
|
|
|
Upstream-ID: f4829dfc3f36318273f6082b379ac562eead70b7
|
|
|
|
commit 11e5e644536821ceb3bb4dd8487fbf0588522887
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Mon Sep 12 03:25:20 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Style whitespace fix. Also happens to remove a no-op
|
|
diff with portable.
|
|
|
|
Upstream-ID: 45d90f9a62ad56340913a433a9453eb30ceb8bf3
|
|
|
|
commit 9136ec134c97a8aff2917760c03134f52945ff3c
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Mon Sep 12 01:22:38 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then
|
|
use those definitions rather than pulling <sys/param.h> and unknown namespace
|
|
pollution. ok djm markus dtucker
|
|
|
|
Upstream-ID: 712cafa816c9f012a61628b66b9fbd5687223fb8
|
|
|
|
commit f219fc8f03caca7ac82a38ed74bbd6432a1195e7
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Wed Sep 7 18:39:24 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
sort; from matthew martin
|
|
|
|
Upstream-ID: 73cec7f7ecc82d37a4adffad7745e4684de67ce7
|
|
|
|
commit 06ce56b05def9460aecc7cdb40e861a346214793
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Tue Sep 6 09:22:56 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
ssh_set_newkeys: print correct block counters on
|
|
rekeying; ok djm@
|
|
|
|
Upstream-ID: 32bb7a9cb9919ff5bab28d50ecef3a2b2045dd1e
|
|
|
|
commit e5e8d9114ac6837a038f4952994ca95a97fafe8d
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Tue Sep 6 09:14:05 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
update ext_info_c every time we receive a kexinit msg;
|
|
fixes sending of ext_info if privsep is disabled; report Aris Adamantiadis &
|
|
Mancha; ok djm@
|
|
|
|
Upstream-ID: 2ceaa1076e19dbd3542254b4fb8e42d608f28856
|
|
|
|
commit da95318dbedbaa1335323dba370975c2f251afd8
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Sep 5 14:02:42 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
remove 3des-cbc from the client's default proposal;
|
|
64-bit block ciphers are not safe in 2016 and we don't want to wait until
|
|
attacks like sweet32 are extended to SSH.
|
|
|
|
As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may
|
|
cause problems connecting to older devices using the defaults, but
|
|
it's highly likely that such devices already need explicit
|
|
configuration for KEX and hostkeys anyway.
|
|
|
|
ok deraadt, markus, dtucker
|
|
|
|
Upstream-ID: a505dfe65c6733af0f751b64cbc4bb7e0761bc2f
|
|
|
|
commit b33ad6d997d36edfea65e243cd12ccd01f413549
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Sep 5 13:57:31 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
enforce expected request flow for GSSAPI calls; thanks to
|
|
Jakub Jelen for testing; ok markus@
|
|
|
|
Upstream-ID: d4bc0e70e1be403735d3d9d7e176309b1fd626b9
|
|
|
|
commit 0bb2980260fb24e5e0b51adac471395781b66261
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Sep 12 11:07:00 2016 +1000
|
|
|
|
Restore ssh-keygen's -J and -j option handling.
|
|
|
|
These were incorrectly removed in the 1d9a2e28 sync commit.
|
|
|
|
commit 775f8a23f2353f5869003c57a213d14b28e0736e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Aug 31 10:48:07 2016 +1000
|
|
|
|
tighten PAM monitor calls
|
|
|
|
only allow kbd-interactive ones when that authentication method is
|
|
enabled. Prompted by Solar Designer
|
|
|
|
commit 7fd0ea8a1db4bcfb3d8cd9df149e5d571ebea1f4
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Aug 30 07:50:21 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
restrict monitor auth calls to be allowed only when their
|
|
respective authentication methods are enabled in the configuration.
|
|
|
|
prompted by Solar Designer; ok markus dtucker
|
|
|
|
Upstream-ID: 6eb3f89332b3546d41d6dbf5a8e6ff920142b553
|
|
|
|
commit b38b95f5bcc52278feb839afda2987933f68ff96
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Aug 29 11:47:07 2016 +1000
|
|
|
|
Tighten monitor state-machine flow for PAM calls
|
|
|
|
(attack surface reduction)
|
|
|
|
commit dc664d1bd0fc91b24406a3e9575b81c285b8342b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Aug 28 22:28:12 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
fix uninitialised optlen in getsockopt() call; harmless
|
|
on Unix/BSD but potentially crashy on Cygwin. Reported by James Slepicka ok
|
|
deraadt@
|
|
|
|
Upstream-ID: 1987ccee508ba5b18f016c85100d7ac3f70ff965
|
|
|
|
commit 5bcc1e2769f7d6927d41daf0719a9446ceab8dd7
|
|
Author: guenther@openbsd.org <guenther@openbsd.org>
|
|
Date: Sat Aug 27 04:05:12 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Pull in <sys/time.h> for struct timeval
|
|
|
|
ok deraadt@
|
|
|
|
Upstream-ID: ae34525485a173bccd61ac8eefeb91c57e3b7df6
|
|
|
|
commit fa4a4c96b19127dc2fd4e92f20d99c0c7f34b538
|
|
Author: guenther@openbsd.org <guenther@openbsd.org>
|
|
Date: Sat Aug 27 04:04:56 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Pull in <stdlib.h> for NULL
|
|
|
|
ok deraadt@
|
|
|
|
Upstream-ID: 7baa6a0f1e049bb3682522b4b95a26c866bfc043
|
|
|
|
commit ae363d74ccc1451185c0c8bd4631e28c67c7fd36
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Aug 25 23:57:54 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
add a sIgnore opcode that silently ignores options and
|
|
use it to suppress noisy deprecation warnings for the Protocol directive.
|
|
|
|
req henning, ok markus
|
|
|
|
Upstream-ID: 9fe040aca3d6ff393f6f7e60045cdd821dc4cbe0
|
|
|
|
commit a94c60306643ae904add6e8ed219e4be3494255c
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Aug 25 23:56:51 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
remove superfluous NOTREACHED comment
|
|
|
|
Upstream-ID: a7485c1f1be618e8c9e38fd9be46c13b2d03b90c
|
|
|
|
commit fc041c47144ce28cf71353124a8a5d183cd6a251
|
|
Author: otto@openbsd.org <otto@openbsd.org>
|
|
Date: Tue Aug 23 16:21:45 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
fix previous, a condition was modified incorrectly; ok
|
|
markus@ deraadt@
|
|
|
|
Upstream-ID: c443e339768e7ed396dff3bb55f693e7d3641453
|
|
|
|
commit 23555eb13a9b0550371a16dcf8beaab7a5806a64
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Aug 23 08:17:42 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
downgrade an error() to a debug2() to match similar cases
|
|
in addr_match_list()
|
|
|
|
Upstream-ID: 07c3d53e357214153d9d08f234411e0d1a3d6f5c
|
|
|
|
commit a39627134f6d90e7009eeb14e9582ecbc7a99192
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Aug 23 06:36:23 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
remove Protocol directive from client/server configs that
|
|
causes spammy deprecation warnings
|
|
|
|
hardcode SSH_PROTOCOLS=2, since that's all we support on the server
|
|
now (the client still may support both, so it could get confused)
|
|
|
|
Upstream-Regress-ID: c16662c631af51633f9fd06aca552a70535de181
|
|
|
|
commit 6ee4f1c01ee31e65245881d49d4bccf014956066
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Aug 23 16:33:48 2016 +1000
|
|
|
|
hook match and utf8 unittests up to Makefile
|
|
|
|
commit 114efe2bc0dd2842d997940a833f115e6fc04854
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Aug 19 06:44:13 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
add tests for matching functions
|
|
|
|
Upstream-Regress-ID: 0869d4f5c5d627c583c6a929d69c17d5dd65882c
|
|
|
|
commit 857568d2ac81c14bcfd625b27536c1e28c992b3c
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Aug 23 14:32:37 2016 +1000
|
|
|
|
removing UseLogin bits from configure.ac
|
|
|
|
commit cc182d01cef8ca35a1d25ea9bf4e2ff72e588208
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Aug 23 03:24:10 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
fix negated address matching where the address list
|
|
consists of a single negated match, e.g. "Match addr !192.20.0.1"
|
|
|
|
Report and patch from Jakub Jelen. bz#2397 ok dtucker@
|
|
|
|
Upstream-ID: 01dcac3f3e6ca47518cf293e31c73597a4bb40d8
|
|
|
|
commit 4067ec8a4c64ccf16250c35ff577b4422767da64
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Aug 23 03:22:49 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
fix matching for pattern lists that contain a single
|
|
negated match, e.g. "Host !example"
|
|
|
|
report and patch from Robin Becker. bz#1918 ok dtucker@
|
|
|
|
Upstream-ID: 05a0cb323ea4bc20e98db099b42c067bfb9ea1ea
|
|
|
|
commit 83b581862a1dbb06fc859959f829dde2654aef3c
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Aug 19 03:18:06 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
remove UseLogin option and support for having /bin/login
|
|
manage login sessions; ok deraadt markus dtucker
|
|
|
|
Upstream-ID: bea7213fbf158efab7e602d9d844fba4837d2712
|
|
|
|
commit ffe6549c2f7a999cc5264b873a60322e91862581
|
|
Author: naddy@openbsd.org <naddy@openbsd.org>
|
|
Date: Mon Aug 15 12:32:04 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Catch up with the SSH1 code removal and delete all
|
|
mention of protocol 1 particularities, key files and formats, command line
|
|
options, and configuration keywords from the server documentation and
|
|
examples. ok jmc@
|
|
|
|
Upstream-ID: 850328854675b4b6a0d4a90f0b4a9dd9ca4e905f
|
|
|
|
commit c38ea634893a1975dbbec798fb968c9488013f4a
|
|
Author: naddy@openbsd.org <naddy@openbsd.org>
|
|
Date: Mon Aug 15 12:27:56 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Remove more SSH1 server code: * Drop sshd's -k option. *
|
|
Retire configuration keywords that only apply to protocol 1, as well as the
|
|
"protocol" keyword. * Remove some related vestiges of protocol 1 support.
|
|
|
|
ok markus@
|
|
|
|
Upstream-ID: 9402f82886de917779db12f8ee3f03d4decc244d
|
|
|
|
commit 33ba55d9e358c07f069e579bfab80eccaaad52cb
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Aug 17 16:26:04 2016 +1000
|
|
|
|
Only check for prctl once.
|
|
|
|
commit 976ba8a8fd66a969bf658280c1e5adf694cc2fc6
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Aug 17 15:33:10 2016 +1000
|
|
|
|
Fix typo.
|
|
|
|
commit 9abf84c25ff4448891edcde60533a6e7b2870de1
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Aug 17 14:25:43 2016 +1000
|
|
|
|
Correct LDFLAGS for clang example.
|
|
|
|
--with-ldflags isn't used until after the -ftrapv test, so mention
|
|
LDFLAGS instead for now.
|
|
|
|
commit 1e8013a17ff11e3c6bd0012fb1fc8d5f1330eb21
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Aug 17 14:08:42 2016 +1000
|
|
|
|
Remove obsolete CVS $Id from source files.
|
|
|
|
Since -portable switched to git the CVS $Id tags are no longer being
|
|
updated and are becoming increasingly misleading. Remove them.
|
|
|
|
commit adab758242121181700e48b4f6c60d6b660411fe
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Aug 17 13:40:58 2016 +1000
|
|
|
|
Remove now-obsolete CVS $Id tags from text files.
|
|
|
|
Since -portable switched to git, the CVS $Id tags are no longer being
|
|
updated and are becoming increasingly misleading. Remove them.
|
|
|
|
commit 560c0068541315002ec4c1c00a560bbd30f2d671
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Aug 17 13:38:30 2016 +1000
|
|
|
|
Add a section for compiler specifics.
|
|
|
|
Add a section for compiler specifics and document the runtime requirements
|
|
for clang's integer sanitization.
|
|
|
|
commit a8fc0f42e1eda2fa3393d1ea5e61322d5e07a9cd
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Aug 17 13:35:43 2016 +1000
|
|
|
|
Test multiplying two long long ints.
|
|
|
|
When using clang with -ftrapv or -sanitize=integer the tests would pass
|
|
but linking would fail with "undefined reference to __mulodi4".
|
|
Explicitly test for this before enabling -trapv.
|
|
|
|
commit a1cc637e7e11778eb727559634a6ef1c19c619f6
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Aug 16 14:47:34 2016 +1000
|
|
|
|
add a --with-login-program configure argument
|
|
|
|
Saves messing around with LOGIN_PROGRAM env var, which come
|
|
packaging environments make hard to do during configure phase.
|
|
|
|
commit 8bd81e1596ab1bab355146cb65e82fb96ade3b23
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Aug 16 13:30:56 2016 +1000
|
|
|
|
add --with-pam-service to specify PAM service name
|
|
|
|
Saves messing around with CFLAGS to do it.
|
|
|
|
commit 74433a19bb6f4cef607680fa4d1d7d81ca3826aa
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Aug 16 13:28:23 2016 +1000
|
|
|
|
fix false positives when compiled with msan
|
|
|
|
Our explicit_bzero successfully confused clang -fsanitize-memory
|
|
in to thinking that memset is never called to initialise memory.
|
|
Ensure that it is called in a way that the compiler recognises.
|
|
|
|
commit 6cb6dcffe1a2204ba9006de20f73255c268fcb6b
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Sat Aug 13 17:47:40 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
remove ssh1 server code; ok djm@
|
|
|
|
Upstream-ID: c24c0c32c49b91740d5a94ae914fb1898ea5f534
|
|
|
|
commit 42d47adc5ad1187f22c726cbc52e71d6b1767ca2
|
|
Author: jca@openbsd.org <jca@openbsd.org>
|
|
Date: Fri Aug 12 19:19:04 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Use 2001:db8::/32, the official IPv6 subnet for
|
|
configuration examples.
|
|
|
|
This makes the IPv6 example consistent with IPv4, and removes a dubious
|
|
mention of a 6bone subnet.
|
|
|
|
ok sthen@ millert@
|
|
|
|
Upstream-ID: b027f3d0e0073419a132fd1bf002e8089b233634
|
|
|
|
commit b61f53c0c3b43c28e013d3b3696d64d1c0204821
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu Aug 11 01:42:11 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Update moduli file.
|
|
|
|
Upstream-ID: 6da9a37f74aef9f9cc639004345ad893cad582d8
|
|
|
|
commit f217d9bd42d306f69f56335231036b44502d8191
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Aug 11 11:42:48 2016 +1000
|
|
|
|
Import updated moduli.
|
|
|
|
commit 67dca60fbb4923b7a11c1645b90a5ca57c03d8be
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Mon Aug 8 22:40:57 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Improve error message for overlong ControlPath. ok markus@
|
|
djm@
|
|
|
|
Upstream-ID: aed374e2e88dd3eb41390003e5303d0089861eb5
|
|
|
|
commit 4706c1d8c15cd5565b59512853c2da9bd4ca26c9
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Aug 3 05:41:57 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
small refactor of cipher.c: make ciphercontext opaque to
|
|
callers feedback and ok markus@
|
|
|
|
Upstream-ID: 094849f8be68c3bdad2c0f3dee551ecf7be87f6f
|
|
|
|
commit e600348a7afd6325cc5cd783cb424065cbc20434
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed Aug 3 04:23:55 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Fix bug introduced in rev 1.467 which causes
|
|
"buffer_get_bignum_ret: incomplete message" errors when built with WITH_SSH1
|
|
and run such that no Protocol 1 ephemeral host key is generated (eg "Protocol
|
|
2", no SSH1 host key supplied). Reported by rainer.laatsch at t-online.de,
|
|
ok deraadt@
|
|
|
|
Upstream-ID: aa6b132da5c325523aed7989cc5a320497c919dc
|
|
|
|
commit d7e7348e72f9b203189e3fffb75605afecba4fda
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 27 23:18:12 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
better bounds check on iovcnt (we only ever use fixed,
|
|
positive values)
|
|
|
|
Upstream-ID: 9baa6eb5cd6e30c9dc7398e5fe853721a3a5bdee
|
|
|
|
commit 5faa52d295f764562ed6dd75c4a4ce9134ae71e3
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Aug 2 15:22:40 2016 +1000
|
|
|
|
Use tabs consistently inside "case $host".
|
|
|
|
commit 20e5e8ba9c5d868d897896190542213a60fffbd2
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Aug 2 12:16:34 2016 +1000
|
|
|
|
Explicitly test for broken strnvis.
|
|
|
|
NetBSD added an strnvis and unfortunately made it incompatible with the
|
|
existing one in OpenBSD and Linux's libbsd (the former having existed
|
|
for over ten years). Despite this incompatibility being reported during
|
|
development (see http://gnats.netbsd.org/44977) they still shipped it.
|
|
Even more unfortunately FreeBSD and later MacOS picked up this incompatible
|
|
implementation. Try to detect this mess, and assume the only safe option
|
|
if we're cross compiling.
|
|
|
|
OpenBSD 2.9 (2001): strnvis(char *dst, const char *src, size_t dlen, int flag);
|
|
NetBSD 6.0 (2012): strnvis(char *dst, size_t dlen, const char *src, int flag);
|
|
|
|
ok djm@
|
|
|
|
commit b0b48beab1b74100b61ecbadb9140c9ab4c2ea8c
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Aug 2 11:06:23 2016 +1000
|
|
|
|
update recommended autoconf version
|
|
|
|
commit 23902e31dfd18c6d7bb41ccd73de3b5358a377da
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Aug 2 10:48:04 2016 +1000
|
|
|
|
update config.guess and config.sub to current
|
|
|
|
upstream commit 562f3512b3911ba0c77a7f68214881d1f241f46e
|
|
|
|
commit dd1031b78b83083615b68d7163c44f4408635be2
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Aug 2 10:01:52 2016 +1000
|
|
|
|
Replace spaces with tabs.
|
|
|
|
Mechanically replace spaces with tabs in compat files not synced with
|
|
OpenBSD.
|
|
|
|
commit c20dccb5614c5714f4155dda01bcdebf97cfae7e
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Aug 2 09:44:25 2016 +1000
|
|
|
|
Strip trailing whitespace.
|
|
|
|
Mechanically strip trailing whitespace on files not synced with OpenBSD
|
|
(or in the case of bsd-snprint.c, rsync).
|
|
|
|
commit 30f9bd1c0963c23bfba8468dfd26aa17609ba42f
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Aug 2 09:06:27 2016 +1000
|
|
|
|
Repair $OpenBSD markers.
|
|
|
|
commit 9715d4ad4b53877ec23dc8681dd7a405de9419a6
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Aug 2 09:02:42 2016 +1000
|
|
|
|
Repair $OpenBSD marker.
|
|
|
|
commit cf3e0be7f5828a5e5f6c296a607d20be2f07d60c
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Mon Aug 1 14:31:52 2016 -0700
|
|
|
|
modified: configure.ac opensshd.init.in
|
|
Skip generating missing RSA1 key on startup unless ssh1 support is enabled.
|
|
Spotted by Jean-Pierre Radley
|
|
|
|
commit 99522ba7ec6963a05c04a156bf20e3ba3605987c
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jul 28 08:54:27 2016 +1000
|
|
|
|
define _OPENBSD_SOURCE for reallocarray on NetBSD
|
|
|
|
Report by and debugged with Hisashi T Fujinaka, dtucker nailed
|
|
the problem (lack of prototype causing return type confusion).
|
|
|
|
commit 3e1e076550c27c6bbdddf36d8f42bd79fbaaa187
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 27 08:25:42 2016 +1000
|
|
|
|
KNF
|
|
|
|
commit d99ee9c4e5e217e7d05eeec84e9ce641f4675331
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 27 08:25:23 2016 +1000
|
|
|
|
Linux auditing also needs packet.h
|
|
|
|
commit 393bd381a45884b589baa9aed4394f1d250255ca
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 27 08:18:05 2016 +1000
|
|
|
|
fix auditing on Linux
|
|
|
|
get_remote_ipaddr() was replaced with ssh_remote_ipaddr()
|
|
|
|
commit 80e766fb089de4f3c92b1600eb99e9495e37c992
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Jul 24 21:50:13 2016 +1000
|
|
|
|
crank version numbers
|
|
|
|
commit b1a478792d458f2e938a302e64bab2b520edc1b3
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jul 24 11:45:36 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
openssh-7.3
|
|
|
|
Upstream-ID: af106a7eb665f642648cf1993e162c899f358718
|
|
|
|
commit 353766e0881f069aeca30275ab706cd60a1a8fdd
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sat Jul 23 16:14:42 2016 +1000
|
|
|
|
Move Cygwin IPPORT_RESERVED overrride to defines.h
|
|
|
|
Patch from vinschen at redhat.com.
|
|
|
|
commit 368dd977ae07afb93f4ecea23615128c95ab2b32
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sat Jul 23 02:54:08 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
fix pledge violation with ssh -f; reported by Valentin
|
|
Kozamernik ok dtucker@
|
|
|
|
Upstream-ID: a61db7988db88d9dac3c4dd70e18876a8edf84aa
|
|
|
|
commit f00211e3c6d24d6ea2b64b4b1209f671f6c1d42e
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 22 07:00:46 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
improve wording; suggested by jmc@
|
|
|
|
Upstream-ID: 55cb0a24c8e0618b3ceec80998dc82c85db2d2f8
|
|
|
|
commit 83cbca693c3b0719270e6a0f2efe3f9ee93a65b8
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Jul 22 05:46:11 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Lower loglevel for "Authenticated with partial success"
|
|
message similar to other similar level. bz#2599, patch from cgallek at
|
|
gmail.com, ok markus@
|
|
|
|
Upstream-ID: 3faab814e947dc7b2e292edede23e94c608cb4dd
|
|
|
|
commit 10358abd087ab228b7ce2048efc4f3854a9ab9a6
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jul 22 14:06:36 2016 +1000
|
|
|
|
retry waitpid on EINTR failure
|
|
|
|
patch from Jakub Jelen on bz#2581; ok dtucker@
|
|
|
|
commit da88a70a89c800e74ea8e5661ffa127a3cc79a92
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 22 03:47:36 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
constify a few functions' arguments; patch from Jakub
|
|
Jelen bz#2581
|
|
|
|
Upstream-ID: f2043f51454ea37830ff6ad60c8b32b4220f448d
|
|
|
|
commit c36d91bd4ebf767f310f7cea88d61d1c15f53ddf
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 22 03:39:13 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
move debug("%p", key) to before key is free'd; probable
|
|
undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
|
|
|
Upstream-ID: 767f323e1f5819508a0e35e388ec241bac2f953a
|
|
|
|
commit 286f5a77c3bfec1e8892ca268087ac885ac871bf
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 22 03:35:11 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
reverse the order in which -J/JumpHost proxies are visited to
|
|
be more intuitive and document
|
|
|
|
reported by and manpage bits naddy@
|
|
|
|
Upstream-ID: 3a68fd6a841fd6cf8cedf6552a9607ba99df179a
|
|
|
|
commit fcd135c9df440bcd2d5870405ad3311743d78d97
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu Jul 21 01:39:35 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Skip passwords longer than 1k in length so clients can't
|
|
easily DoS sshd by sending very long passwords, causing it to spend CPU
|
|
hashing them. feedback djm@, ok markus@.
|
|
|
|
Brought to our attention by tomas.kuthan at oracle.com, shilei-c at
|
|
360.cn and coredump at autistici.org
|
|
|
|
Upstream-ID: d0af7d4a2190b63ba1d38eec502bc4be0be9e333
|
|
|
|
commit 324583e8fb3935690be58790425793df619c6d4d
|
|
Author: naddy@openbsd.org <naddy@openbsd.org>
|
|
Date: Wed Jul 20 10:45:27 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Do not clobber the global jump_host variables when
|
|
parsing an inactive configuration. ok djm@
|
|
|
|
Upstream-ID: 5362210944d91417d5976346d41ac0b244350d31
|
|
|
|
commit 32d921c323b989d28405e78d0a8923d12913d737
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Tue Jul 19 12:59:16 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
tweak previous;
|
|
|
|
Upstream-ID: f3c1a5b3f05dff366f60c028728a2b43f15ff534
|
|
|
|
commit d7eabc86fa049a12ba2c3fb198bd1d51b37f7025
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Tue Jul 19 11:38:53 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Allow wildcard for PermitOpen hosts as well as ports.
|
|
bz#2582, patch from openssh at mzpqnxow.com and jjelen at redhat.com. ok
|
|
markus@
|
|
|
|
Upstream-ID: af0294e9b9394c4e16e991424ca0a47a7cc605f2
|
|
|
|
commit b98a2a8348e907b3d71caafd80f0be8fdd075943
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jul 18 11:35:33 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Reduce timing attack against obsolete CBC modes by always
|
|
computing the MAC over a fixed size of data. Reported by Jean Paul
|
|
Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
|
|
|
|
Upstream-ID: f20a13279b00ba0afbacbcc1f04e62e9d41c2912
|
|
|
|
commit dbf788b4d9d9490a5fff08a7b09888272bb10fcc
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Jul 21 14:17:31 2016 +1000
|
|
|
|
Search users for one with a valid salt.
|
|
|
|
If the root account is locked (eg password "!!" or "*LK*") keep looking
|
|
until we find a user with a valid salt to use for crypting passwords of
|
|
invalid users. ok djm@
|
|
|
|
commit e8b58f48fbb1b524fb4f0d4865fa0005d6a4b782
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Jul 18 17:22:49 2016 +1000
|
|
|
|
Explicitly specify source files for regress tools.
|
|
|
|
Since adding $(REGRESSLIBS), $? is wrong because it includes only the
|
|
changed source files. $< seems like it'd be right however it doesn't
|
|
seem to work on some non-GNU makes, so do what works everywhere.
|
|
|
|
commit eac1bbd06872c273f16ac0f9976b0aef026b701b
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Jul 18 17:12:22 2016 +1000
|
|
|
|
Conditionally include err.h.
|
|
|
|
commit 0a454147568746c503f669e1ba861f76a2e7a585
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Jul 18 16:26:26 2016 +1000
|
|
|
|
Remove local implementation of err, errx.
|
|
|
|
We now have a shared implementation in libopenbsd-compat.
|
|
|
|
commit eb999a4590846ba4d56ddc90bd07c23abfbab7b1
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jul 18 06:08:01 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Add some unsigned overflow checks for extra_pad. None of
|
|
these are reachable with the amount of padding that we use internally.
|
|
bz#2566, pointed out by Torben Hansen. ok markus@
|
|
|
|
Upstream-ID: 4d4be8450ab2fc1b852d5884339f8e8c31c3fd76
|
|
|
|
commit c71ba790c304545464bb494de974cdf0f4b5cf1e
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Jul 18 15:43:25 2016 +1000
|
|
|
|
Add dependency on libs for unit tests.
|
|
|
|
Makes "./configure && make tests" work again. ok djm@
|
|
|
|
commit 8199d0311aea3e6fd0284c9025e7a83f4ece79e8
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Jul 18 13:47:39 2016 +1000
|
|
|
|
Correct location for kexfuzz in clean target.
|
|
|
|
commit 01558b7b07af43da774d3a11a5c51fa9c310849d
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Jul 18 09:33:25 2016 +1000
|
|
|
|
Handle PAM_MAXTRIES from modules.
|
|
|
|
bz#2249: handle the case where PAM returns PAM_MAXTRIES by ceasing to offer
|
|
password and keyboard-interative authentication methods. Should prevent
|
|
"sshd ignoring max retries" warnings in the log. ok djm@
|
|
|
|
It probably won't trigger with keyboard-interactive in the default
|
|
configuration because the retry counter is stored in module-private
|
|
storage which goes away with the sshd PAM process (see bz#688). On the
|
|
other hand, those cases probably won't log a warning either.
|
|
|
|
commit 65c6c6b567ab5ab12945a5ad8e0ab3a8c26119cc
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jul 17 04:20:16 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
support UTF-8 characters in ssh(1) banners using
|
|
schwarze@'s safe fmprintf printer; bz#2058
|
|
|
|
feedback schwarze@ ok dtucker@
|
|
|
|
Upstream-ID: a72ce4e3644c957643c9524eea2959e41b91eea7
|
|
|
|
commit e4eb7d910976fbfc7ce3e90c95c11b07b483d0d7
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Sat Jul 16 06:57:55 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
- add proxyjump to the options list - formatting fixes -
|
|
update usage()
|
|
|
|
ok djm
|
|
|
|
Upstream-ID: 43d318e14ce677a2eec8f21ef5ba2f9f68a59457
|
|
|
|
commit af1f084857621f14bd9391aba8033d35886c2455
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Jul 15 05:01:58 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Reduce the syslog level of some relatively common protocol
|
|
events from LOG_CRIT by replacing fatal() calls with logdie(). Part of
|
|
bz#2585, ok djm@
|
|
|
|
Upstream-ID: 9005805227c94edf6ac02a160f0e199638d288e5
|
|
|
|
commit bd5f2b78b69cf38d6049a0de445a79c8595e4a1f
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jul 15 19:14:48 2016 +1000
|
|
|
|
missing openssl/dh.h
|
|
|
|
commit 4a984fd342effe5f0aad874a0d538c4322d973c0
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jul 15 18:47:07 2016 +1000
|
|
|
|
cast to avoid type warning in error message
|
|
|
|
commit 5abfb15ced985c340359ae7fb65a625ed3692b3e
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jul 15 14:48:30 2016 +1000
|
|
|
|
Move VA_COPY macro into compat header.
|
|
|
|
Some AIX compilers unconditionally undefine va_copy but don't set it back
|
|
to an internal function, causing link errors. In some compat code we
|
|
already use VA_COPY instead so move the two existing instances into the
|
|
shared header and use for sshbuf-getput-basic.c too. Should fix building
|
|
with at lease some versions of AIX's compiler. bz#2589, ok djm@
|
|
|
|
commit 832b7443b7a8e181c95898bc5d73497b7190decd
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jul 15 14:45:34 2016 +1000
|
|
|
|
disable ciphers not supported by OpenSSL
|
|
|
|
bz#2466 ok dtucker@
|
|
|
|
commit 5fbe93fc6fbb2fe211e035703dec759d095e3dd8
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jul 15 13:54:31 2016 +1000
|
|
|
|
add a --disable-pkcs11 knob
|
|
|
|
commit 679ce88ec2a8e2fe6515261c489e8c1449bb9da9
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jul 15 13:44:38 2016 +1000
|
|
|
|
fix newline escaping for unsupported_algorithms
|
|
|
|
The hmac-ripemd160 was incorrect and could lead to broken
|
|
Makefiles on systems that lacked support for it, but I made
|
|
all the others consistent too.
|
|
|
|
commit ed877ef653847d056bb433975d731b7a1132a979
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 15 00:24:30 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Add a ProxyJump ssh_config(5) option and corresponding -J
|
|
ssh(1) command-line flag to allow simplified indirection through a SSH
|
|
bastion or "jump host".
|
|
|
|
These options construct a proxy command that connects to the
|
|
specified jump host(s) (more than one may be specified) and uses
|
|
port-forwarding to establish a connection to the next destination.
|
|
|
|
This codifies the safest way of indirecting connections through SSH
|
|
servers and makes it easy to use.
|
|
|
|
ok markus@
|
|
|
|
Upstream-ID: fa899cb8b26d889da8f142eb9774c1ea36b04397
|
|
|
|
commit 5c02dd126206a26785379e80f2d3848e4470b711
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jul 15 12:56:39 2016 +1000
|
|
|
|
Map umac_ctx struct name too.
|
|
|
|
Prevents size mismatch linker warnings on Solaris 11.
|
|
|
|
commit 283b97ff33ea2c641161950849931bd578de6946
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jul 15 13:49:44 2016 +1000
|
|
|
|
Mitigate timing of disallowed users PAM logins.
|
|
|
|
When sshd decides to not allow a login (eg PermitRootLogin=no) and
|
|
it's using PAM, it sends a fake password to PAM so that the timing for
|
|
the failure is not noticeably different whether or not the password
|
|
is correct. This behaviour can be detected by sending a very long
|
|
password string which is slower to hash than the fake password.
|
|
|
|
Mitigate by constructing an invalid password that is the same length
|
|
as the one from the client and thus takes the same time to hash.
|
|
Diff from djm@
|
|
|
|
commit 9286875a73b2de7736b5e50692739d314cd8d9dc
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jul 15 13:32:45 2016 +1000
|
|
|
|
Determine appropriate salt for invalid users.
|
|
|
|
When sshd is processing a non-PAM login for a non-existent user it uses
|
|
the string from the fakepw structure as the salt for crypt(3)ing the
|
|
password supplied by the client. That string has a Blowfish prefix, so on
|
|
systems that don't understand that crypt will fail fast due to an invalid
|
|
salt, and even on those that do it may have significantly different timing
|
|
from the hash methods used for real accounts (eg sha512). This allows
|
|
user enumeration by, eg, sending large password strings. This was noted
|
|
by EddieEzra.Harari at verint.com (CVE-2016-6210).
|
|
|
|
To mitigate, use the same hash algorithm that root uses for hashing
|
|
passwords for users that do not exist on the system. ok djm@
|
|
|
|
commit a162dd5e58ca5b224d7500abe35e1ef32b5de071
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Jul 14 21:19:59 2016 +1000
|
|
|
|
OpenSSL 1.1.x not currently supported.
|
|
|
|
commit 7df91b01fc558a33941c5c5f31abbcdc53a729fb
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Jul 14 12:25:24 2016 +1000
|
|
|
|
Check for VIS_ALL.
|
|
|
|
If we don't have it, set BROKEN_STRNVIS to activate the compat replacement.
|
|
|
|
commit ee67716f61f1042d5e67f91c23707cca5dcdd7d0
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu Jul 14 01:24:21 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Correct equal in test.
|
|
|
|
Upstream-Regress-ID: 4e32f7a5c57a619c4e8766cb193be2a1327ec37a
|
|
|
|
commit 372807c2065c8572fdc6478b25cc5ac363743073
|
|
Author: tb@openbsd.org <tb@openbsd.org>
|
|
Date: Mon Jul 11 21:38:13 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Add missing "recvfd" pledge promise: Raf Czlonka reported
|
|
ssh coredumps when Control* keywords were set in ssh_config. This patch also
|
|
fixes similar problems with scp and sftp.
|
|
|
|
ok deraadt, looks good to millert
|
|
|
|
Upstream-ID: ca2099eade1ef3e87a79614fefa26a0297ad8a3b
|
|
|
|
commit e0453f3df64bf485c61c7eb6bd12893eee9fe2cd
|
|
Author: tedu@openbsd.org <tedu@openbsd.org>
|
|
Date: Mon Jul 11 03:19:44 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
obsolete note about fascistloggin is obsolete. ok djm
|
|
dtucker
|
|
|
|
Upstream-ID: dae60df23b2bb0e89f42661ddd96a7b0d1b7215a
|
|
|
|
commit a2333584170a565adf4f209586772ef8053b10b8
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Jul 14 10:59:09 2016 +1000
|
|
|
|
Add compat code for missing wcwidth.
|
|
|
|
If we don't have wcwidth force fallback implementations of nl_langinfo
|
|
and mbtowc. Based on advice from Ingo Schwarze.
|
|
|
|
commit 8aaec7050614494014c47510b7e94daf6e644c62
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jul 14 09:48:48 2016 +1000
|
|
|
|
fix missing include for systems with err.h
|
|
|
|
commit 6310ef27a2567cda66d6cf0c1ad290ee1167f243
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Jul 13 14:42:35 2016 +1000
|
|
|
|
Move err.h replacements into compat lib.
|
|
|
|
Move implementations of err.h replacement functions into their own file
|
|
in the libopenbsd-compat so we can use them in kexfuzz.c too. ok djm@
|
|
|
|
commit f3f2cc8386868f51440c45210098f65f9787449a
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Jul 11 17:23:38 2016 +1000
|
|
|
|
Check for wchar.h and langinfo.h
|
|
|
|
Wrap includes in the appropriate #ifdefs.
|
|
|
|
commit b9c50614eba9d90939b2b119b6e1b7e03b462278
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jul 8 13:59:13 2016 +1000
|
|
|
|
whitelist more architectures for seccomp-bpf
|
|
|
|
bz#2590 - testing and patch from Jakub Jelen
|
|
|
|
commit 18813a32b6fd964037e0f5e1893cb4468ac6a758
|
|
Author: guenther@openbsd.org <guenther@openbsd.org>
|
|
Date: Mon Jul 4 18:01:44 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
DEBUGLIBS has been broken since the gcc4 switch, so delete
|
|
it. CFLAGS contains -g by default anyway
|
|
|
|
problem noted by Edgar Pettijohn (edgar (at) pettijohn-web.com)
|
|
ok millert@ kettenis@ deraadt@
|
|
|
|
Upstream-Regress-ID: 4a0bb72f95c63f2ae9daa8a040ac23914bddb542
|
|
|
|
commit 6d31193d0baa3da339c196ac49625b7ba1c2ecc7
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 8 03:44:42 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Improve crypto ordering for Encrypt-then-MAC (EtM) mode
|
|
MAC algorithms.
|
|
|
|
Previously we were computing the MAC, decrypting the packet and then
|
|
checking the MAC. This gave rise to the possibility of creating a
|
|
side-channel oracle in the decryption step, though no such oracle has
|
|
been identified.
|
|
|
|
This adds a mac_check() function that computes and checks the MAC in
|
|
one pass, and uses it to advance MAC checking for EtM algorithms to
|
|
before payload decryption.
|
|
|
|
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
|
|
Martin Albrecht. feedback and ok markus@
|
|
|
|
Upstream-ID: 1999bb67cab47dda5b10b80d8155fe83d4a1867b
|
|
|
|
commit 71f5598f06941f645a451948c4a5125c83828e1c
|
|
Author: guenther@openbsd.org <guenther@openbsd.org>
|
|
Date: Mon Jul 4 18:01:44 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
DEBUGLIBS has been broken since the gcc4 switch, so
|
|
delete it. CFLAGS contains -g by default anyway
|
|
|
|
problem noted by Edgar Pettijohn (edgar (at) pettijohn-web.com)
|
|
ok millert@ kettenis@ deraadt@
|
|
|
|
Upstream-ID: 96c5054e3e1f170c6276902d5bc65bb3b87a2603
|
|
|
|
commit e683fc6f1c8c7295648dbda679df8307786ec1ce
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu Jun 30 05:17:05 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Explicitly check for 100% completion to avoid potential
|
|
floating point rounding error, which could cause progressmeter to report 99%
|
|
on completion. While there invert the test so the 100% case is clearer. with
|
|
& ok djm@
|
|
|
|
Upstream-ID: a166870c5878e422f3c71ff802e2ccd7032f715d
|
|
|
|
commit 772e6cec0ed740fc7db618dc30b4134f5a358b43
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Wed Jun 29 17:14:28 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
sort the -o list;
|
|
|
|
Upstream-ID: 1a97465ede8790b4d47cb618269978e07f41f8ac
|
|
|
|
commit 46ecd19e554ccca15a7309cd1b6b44bc8e6b84af
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Jun 23 05:17:51 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
fix AuthenticationMethods during configuration re-parse;
|
|
reported by Juan Francisco Cantero Hurtado
|
|
|
|
Upstream-ID: 8ffa1dac25c7577eca8238e825317ab20848f9b4
|
|
|
|
commit 3147e7595d0f2f842a666c844ac53e6c7a253d7e
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jun 19 07:48:02 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
revert 1.34; causes problems loading public keys
|
|
|
|
reported by semarie@
|
|
|
|
Upstream-ID: b393794f8935c8b15d98a407fe7721c62d2ed179
|
|
|
|
commit ad23a75509f4320d43f628c50f0817e3ad12bfa7
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Fri Jun 17 06:33:30 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
grammar fix;
|
|
|
|
Upstream-ID: 5d5b21c80f1e81db367333ce0bb3e5874fb3e463
|
|
|
|
commit 5e28b1a2a3757548b40018cc2493540a17c82e27
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jun 17 05:06:23 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
translate OpenSSL error codes to something more
|
|
meaninful; bz#2522 reported by Jakub Jelen, ok dtucker@
|
|
|
|
Upstream-ID: 4cb0795a366381724314e6515d57790c5930ffe5
|
|
|
|
commit b64faeb5eda7eff8210c754d00464f9fe9d23de5
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jun 17 05:03:40 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
ban AuthenticationMethods="" and accept
|
|
AuthenticationMethods=any for the default behaviour of not requiring multiple
|
|
authentication
|
|
|
|
bz#2398 from Jakub Jelen; ok dtucker@
|
|
|
|
Upstream-ID: fabd7f44d59e4518d241d0d01e226435cc23cf27
|
|
|
|
commit 9816fc5daee5ca924dd5c4781825afbaab728877
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu Jun 16 11:00:17 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Include stdarg.h for va_copy as per man page.
|
|
|
|
Upstream-ID: 105d6b2f1af2fbd9d91c893c436ab121434470bd
|
|
|
|
commit b6cf84b51bc0f5889db48bf29a0c771954ade283
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Thu Jun 16 06:10:45 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
keys stored in openssh format can have comments too; diff
|
|
from yonas yanfa, tweaked a bit;
|
|
|
|
ok djm
|
|
|
|
Upstream-ID: 03d48536da6e51510d73ade6fcd44ace731ceb27
|
|
|
|
commit aa37768f17d01974b6bfa481e5e83841b6c76f86
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Jun 20 15:55:34 2016 +1000
|
|
|
|
get_remote_name_or_ip inside LOGIN_NEEDS_UTMPX
|
|
|
|
Apply the same get_remote_name_or_ip -> session_get_remote_name_or_ip
|
|
change as commit 95767262 to the code inside #ifdef LOGIN_NEEDS_UTMPX.
|
|
Fixes build on AIX.
|
|
|
|
commit 009891afc8df37bc2101e15d1e0b6433cfb90549
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jun 17 14:34:09 2016 +1000
|
|
|
|
Remove duplicate code from PAM. ok djm@
|
|
|
|
commit e690fe85750e93fca1fb7c7c8587d4130a4f7aba
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed Jun 15 00:40:40 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message
|
|
about forward and reverse DNS not matching. We haven't supported IP-based
|
|
auth methods for a very long time so it's now misleading. part of bz#2585,
|
|
ok markus@
|
|
|
|
Upstream-ID: 5565ef0ee0599b27f0bd1d3bb1f8a323d8274e29
|
|
|
|
commit 57b4ee04cad0d3e0fec1194753b0c4d31e39a1cd
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Jun 15 11:22:38 2016 +1000
|
|
|
|
Move platform_disable_tracing into its own file.
|
|
|
|
Prevents link errors resolving the extern "options" when platform.o
|
|
gets linked into ssh-agent when building --with-pam.
|
|
|
|
commit 78dc8e3724e30ee3e1983ce013e80277dc6ca070
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Jun 14 13:55:12 2016 +1000
|
|
|
|
Track skipped upstream commit IDs.
|
|
|
|
There are a small number of "upstream" commits that do not correspond to
|
|
a file in -portable. This file tracks those so that we can reconcile
|
|
OpenBSD and Portable to ensure that no commits are accidentally missed.
|
|
|
|
If you add something to .skipped-commit-ids please also add an upstream
|
|
ID line in the following format when you commit it.
|
|
|
|
Upstream-ID: 321065a95a7ccebdd5fd08482a1e19afbf524e35
|
|
Upstream-ID: d4f699a421504df35254cf1c6f1a7c304fb907ca
|
|
Upstream-ID: aafe246655b53b52bc32c8a24002bc262f4230f7
|
|
Upstream-ID: 8fa9cd1dee3c3339ae329cf20fb591db6d605120
|
|
Upstream-ID: f31327a48dd4103333cc53315ec53fe65ed8a17a
|
|
Upstream-ID: edbfde98c40007b7752a4ac106095e060c25c1ef
|
|
Upstream-ID: 052fd565e3ff2d8cec3bc957d1788f50c827f8e2
|
|
Upstream-ID: 7cf73737f357492776223da1c09179fa6ba74660
|
|
Upstream-ID: 180d84674be1344e45a63990d60349988187c1ae
|
|
Upstream-ID: f6ae971186ba68d066cd102e57d5b0b2c211a5ee
|
|
|
|
commit 9f919d1a3219d476d6a662d18df058e1c4f36a6f
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Jun 14 13:51:01 2016 +1000
|
|
|
|
Remove now-defunct .cvsignore files. ok djm
|
|
|
|
commit 68777faf271efb2713960605c748f6c8a4b26d55
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed Jun 8 02:13:01 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Back out rev 1.28 "Check min and max sizes sent by the
|
|
client" change. It caused "key_verify failed for server_host_key" in clients
|
|
that send a DH-GEX min value less that DH_GRP_MIN, eg old OpenSSH and PuTTY.
|
|
ok djm@
|
|
|
|
Upstream-ID: 452979d3ca5c1e9dff063287ea0a5314dd091f65
|
|
|
|
commit a86ec4d0737ac5879223e7cd9d68c448df46e169
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Jun 14 10:48:27 2016 +1000
|
|
|
|
Use Solaris setpflags(__PROC_PROTECT, ...).
|
|
|
|
Where possible, use Solaris setpflags to disable process tracing on
|
|
ssh-agent and sftp-server. bz#2584, based on a patch from huieying.lee
|
|
at oracle.com, ok djm.
|
|
|
|
commit 0f916d39b039fdc0b5baf9b5ab0754c0f11ec573
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Jun 14 10:43:53 2016 +1000
|
|
|
|
Shorten prctl code a tiny bit.
|
|
|
|
commit 0fb7f5985351fbbcd2613d8485482c538e5123be
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Jun 9 16:23:07 2016 +1000
|
|
|
|
Move prctl PR_SET_DUMPABLE into platform.c.
|
|
|
|
This should make it easier to add additional platform support such as
|
|
Solaris (bz#2584).
|
|
|
|
commit e6508898c3cd838324ecfe1abd0eb8cf802e7106
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Jun 3 04:10:41 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Add a test for ssh(1)'s config file parsing.
|
|
|
|
Upstream-Regress-ID: 558b7f4dc45cc3761cc3d3e889b9f3c5bc91e601
|
|
|
|
commit ab0a536066dfa32def0bd7272c096ebb5eb25b11
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Jun 3 03:47:59 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Add 'sshd' to the test ID as I'm about to add a similar
|
|
set for ssh.
|
|
|
|
Upstream-Regress-ID: aea7a9c3bac638530165c801ce836875b228ae7a
|
|
|
|
commit a5577c1ed3ecdfe4b7b1107c526cae886fc91afb
|
|
Author: schwarze@openbsd.org <schwarze@openbsd.org>
|
|
Date: Mon May 30 12:14:08 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
stricter malloc.conf(5) options for utf8 tests
|
|
|
|
Upstream-Regress-ID: 111efe20a0fb692fa1a987f6e823310f9b25abf6
|
|
|
|
commit 75f0844b4f29d62ec3a5e166d2ee94b02df819fc
|
|
Author: schwarze@openbsd.org <schwarze@openbsd.org>
|
|
Date: Mon May 30 12:05:56 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Fix two rare edge cases: 1. If vasprintf() returns < 0,
|
|
do not access a NULL pointer in snmprintf(), and do not free() the pointer
|
|
returned from vasprintf() because on some systems other than OpenBSD, it
|
|
might be a bogus pointer. 2. If vasprintf() returns == 0, return 0 and ""
|
|
rather than -1 and NULL.
|
|
|
|
Besides, free(dst) is pointless after failure (not a bug).
|
|
|
|
One half OK martijn@, the other half OK deraadt@;
|
|
committing quickly before people get hurt.
|
|
|
|
Upstream-Regress-ID: b164f20923812c9bac69856dbc1385eb1522cba4
|
|
|
|
commit 016881eb33a7948028848c90f4c7ac42e3af0e87
|
|
Author: schwarze@openbsd.org <schwarze@openbsd.org>
|
|
Date: Thu May 26 19:14:25 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
test the new utf8 module
|
|
|
|
Upstream-Regress-ID: c923d05a20e84e4ef152cbec947fdc4ce6eabbe3
|
|
|
|
commit d4219028bdef448e089376f3afe81ef6079da264
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Tue May 3 15:30:46 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Set umask to prevent "Bad owner or permissions" errors.
|
|
|
|
Upstream-Regress-ID: 8fdf2fc4eb595ccd80c443f474d639f851145417
|
|
|
|
commit 07d5608bb237e9b3fe86a2aeaa429392230faebf
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue May 3 14:41:04 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
support doas
|
|
|
|
Upstream-Regress-ID: 8d5572b27ea810394eeda432d8b4e9e1064a7c38
|
|
|
|
commit 01cabf10adc7676cba5f40536a34d3b246edb73f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue May 3 13:48:33 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
unit tests for sshbuf_dup_string()
|
|
|
|
Upstream-Regress-ID: 7521ff150dc7f20511d1c2c48fd3318e5850a96d
|
|
|
|
commit 6915f1698e3d1dd4e22eac20f435e1dfc1d46372
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Fri Jun 3 06:44:12 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
tweak previous;
|
|
|
|
Upstream-ID: 92979f1a0b63e041a0e5b08c9ed0ba9b683a3698
|
|
|
|
commit 0cb2f4c2494b115d0f346ed2d8b603ab3ba643f4
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Jun 3 04:09:38 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Allow ExitOnForwardFailure and ClearAllForwardings to be
|
|
overridden when using ssh -W (but still default to yes in that case).
|
|
bz#2577, ok djm@.
|
|
|
|
Upstream-ID: 4b20c419e93ca11a861c81c284090cfabc8c54d4
|
|
|
|
commit 8543ff3f5020fe659839b15f05b8c522bde6cee5
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Jun 3 03:14:41 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Move the host and port used by ssh -W into the Options
|
|
struct. This will make future changes a bit easier. ok djm@
|
|
|
|
Upstream-ID: 151bce5ecab2fbedf0d836250a27968d30389382
|
|
|
|
commit 6b87311d3acdc460f926b2c40f4c4f3fd345f368
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed Jun 1 04:19:49 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Check min and max sizes sent by the client against what
|
|
we support before passing them to the monitor. ok djm@
|
|
|
|
Upstream-ID: 750627e8117084215412bff00a25b1586ab17ece
|
|
|
|
commit 564cd2a8926ccb1dca43a535073540935b5e0373
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Tue May 31 23:46:14 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Ensure that the client's proposed DH-GEX max value is at
|
|
least as big as the minimum the server will accept. ok djm@
|
|
|
|
Upstream-ID: b4b84fa04aab2de7e79a6fee4a6e1c189c0fe775
|
|
|
|
commit df820722e40309c9b3f360ea4ed47a584ed74333
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Jun 6 11:36:13 2016 +1000
|
|
|
|
Add compat bits to utf8.c.
|
|
|
|
commit 05c6574652571becfe9d924226c967a3f4b3f879
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Jun 6 11:33:43 2016 +1000
|
|
|
|
Fix utf->utf8 typo.
|
|
|
|
commit 6c1717190b4d5ddd729cd9e24e8ed71ed4f087ce
|
|
Author: schwarze@openbsd.org <schwarze@openbsd.org>
|
|
Date: Mon May 30 18:34:41 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Backout rev. 1.43 for now.
|
|
|
|
The function update_progress_meter() calls refresh_progress_meter()
|
|
which calls snmprintf() which calls malloc(); but update_progress_meter()
|
|
acts as the SIGALRM signal handler.
|
|
|
|
"malloc(): error: recursive call" reported by sobrado@.
|
|
|
|
Upstream-ID: aaae57989431e5239c101f8310f74ccc83aeb93e
|
|
|
|
commit cd9e1eabeb4137182200035ab6fa4522f8d24044
|
|
Author: schwarze@openbsd.org <schwarze@openbsd.org>
|
|
Date: Mon May 30 12:57:21 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Even when only writing an unescaped character, the dst
|
|
buffer may need to grow, or it would be overrun; issue found by tb@ with
|
|
malloc.conf(5) 'C'.
|
|
|
|
While here, reserve an additional byte for the terminating NUL
|
|
up front such that we don't have to realloc() later just for that.
|
|
|
|
OK tb@
|
|
|
|
Upstream-ID: 30ebcc0c097c4571b16f0a78b44969f170db0cff
|
|
|
|
commit ac284a355f8065eaef2a16f446f3c44cdd17371d
|
|
Author: schwarze@openbsd.org <schwarze@openbsd.org>
|
|
Date: Mon May 30 12:05:56 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Fix two rare edge cases: 1. If vasprintf() returns < 0,
|
|
do not access a NULL pointer in snmprintf(), and do not free() the pointer
|
|
returned from vasprintf() because on some systems other than OpenBSD, it
|
|
might be a bogus pointer. 2. If vasprintf() returns == 0, return 0 and ""
|
|
rather than -1 and NULL.
|
|
|
|
Besides, free(dst) is pointless after failure (not a bug).
|
|
|
|
One half OK martijn@, the other half OK deraadt@;
|
|
committing quickly before people get hurt.
|
|
|
|
Upstream-ID: b7bcd2e82fc168a8eff94e41f5db336ed986fed0
|
|
|
|
commit 0e059cdf5fd86297546c63fa8607c24059118832
|
|
Author: schwarze@openbsd.org <schwarze@openbsd.org>
|
|
Date: Wed May 25 23:48:45 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
To prevent screwing up terminal settings when printing to
|
|
the terminal, for ASCII and UTF-8, escape bytes not forming characters and
|
|
bytes forming non-printable characters with vis(3) VIS_OCTAL. For other
|
|
character sets, abort printing of the current string in these cases. In
|
|
particular, * let scp(1) respect the local user's LC_CTYPE locale(1); *
|
|
sanitize data received from the remote host; * sanitize filenames, usernames,
|
|
and similar data even locally; * take character display widths into account
|
|
for the progressmeter.
|
|
|
|
This is believed to be sufficient to keep the local terminal safe
|
|
on OpenBSD, but bad things can still happen on other systems with
|
|
state-dependent locales because many places in the code print
|
|
unencoded ASCII characters into the output stream.
|
|
|
|
Using feedback from djm@ and martijn@,
|
|
various aspects discussed with many others.
|
|
|
|
deraadt@ says it should go in now, i probably already hesitated too long
|
|
|
|
Upstream-ID: e66afbc94ee396ddcaffd433b9a3b80f387647e0
|
|
|
|
commit 8c02e3639acefe1e447e293dbe23a0917abd3734
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Tue May 24 04:43:45 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
KNF compression proposal and simplify the client side a
|
|
little. ok djm@
|
|
|
|
Upstream-ID: aa814b694efe9e5af8a26e4c80a05526ae6d6605
|
|
|
|
commit 7ec4946fb686813eb5f8c57397e465f5485159f4
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Tue May 24 02:31:57 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Back out 'plug memleak'.
|
|
|
|
Upstream-ID: 4faacdde136c24a961e24538de373660f869dbc0
|
|
|
|
commit 82f24c3ddc52053aeb7beb3332fa94c92014b0c5
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon May 23 23:30:50 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
prefer agent-hosted keys to keys from PKCS#11; ok markus
|
|
|
|
Upstream-ID: 7417f7653d58d6306d9f8c08d0263d050e2fd8f4
|
|
|
|
commit a0cb7778fbc9b43458f7072eb68dd858766384d1
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Mon May 23 00:17:27 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Plug mem leak in filter_proposal. ok djm@
|
|
|
|
Upstream-ID: bf968da7cfcea2a41902832e7d548356a4e2af34
|
|
|
|
commit ae9c0d4d5c581b3040d1f16b5c5f4b1cd1616743
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jun 3 16:03:44 2016 +1000
|
|
|
|
Update vis.h and vis.c from OpenBSD.
|
|
|
|
This will be needed for the upcoming utf8 changes.
|
|
|
|
commit e1d93705f8f48f519433d6ca9fc3d0abe92a1b77
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Tue May 31 11:13:22 2016 -0700
|
|
|
|
modified: configure.ac
|
|
whitspace clean up. No code changes.
|
|
|
|
commit 604a037d84e41e31f0aec9075df0b8740c130200
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue May 31 16:45:28 2016 +1000
|
|
|
|
whitespace at EOL
|
|
|
|
commit 18424200160ff5c923113e0a37ebe21ab7bcd17c
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon May 30 19:35:28 2016 +1000
|
|
|
|
Add missing ssh-host-config --name option
|
|
|
|
Patch from vinschen@redhat.com.
|
|
|
|
commit 39c0cecaa188a37a2e134795caa68e03f3ced592
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri May 20 10:01:58 2016 +1000
|
|
|
|
Fix comment about sshpam_const and AIX.
|
|
|
|
From mschwager via github.
|
|
|
|
commit f64062b1f74ad5ee20a8a49aab2732efd0f7ce30
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri May 20 09:56:53 2016 +1000
|
|
|
|
Deny lstat syscalls in seccomp sandbox
|
|
|
|
Avoids sandbox violations for some krb/gssapi libraries.
|
|
|
|
commit 531c135409b8d8810795b1f3692a4ebfd5c9cae0
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu May 19 07:45:32 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
fix type of ed25519 values
|
|
|
|
Upstream-ID: b32d0cb372bbe918ca2de56906901eae225a59b0
|
|
|
|
commit 75e21688f523799c9e0cc6601d76a9c5ca79f787
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed May 4 14:32:26 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
add IdentityAgent; noticed & ok jmc@
|
|
|
|
Upstream-ID: 4ba9034b00a4cf1beae627f0728da897802df88a
|
|
|
|
commit 1a75d14daf4b60db903e6103cf50e74e0cd0a76b
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed May 4 14:29:58 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
allow setting IdentityAgent to SSH_AUTH_SOCK; ok djm@
|
|
|
|
Upstream-ID: 20c508480d8db3eef18942c0fc39b1fcf25652ac
|
|
|
|
commit 0516454151ae722fc8256c3c56115c6baf24c5b0
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed May 4 14:22:33 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
move SSH_MSG_NONE, so we don't have to include ssh1.h;
|
|
ok deraadt@
|
|
|
|
Upstream-ID: c2f97502efc761a41b18c17ddf460e138ca7994e
|
|
|
|
commit 332ff3d770631e7513fea38cf0d3689f673f0e3f
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue May 10 09:51:06 2016 +1000
|
|
|
|
initialise salen in binresvport_sa
|
|
|
|
avoids failures with UsePrivilegedPort=yes
|
|
|
|
patch from Juan Gallego
|
|
|
|
commit c5c1d5d2f04ce00d2ddd6647e61b32f28be39804
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed May 4 14:04:40 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
missing const in prototypes (ssh1)
|
|
|
|
Upstream-ID: 789c6ad4928b5fa557369b88c3a6a34926082c05
|
|
|
|
commit 9faae50e2e82ba42eb0cb2726bf6830fe7948f28
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed May 4 14:00:09 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Fix inverted logic for updating StreamLocalBindMask which
|
|
would cause the server to set an invalid mask. ok djm@
|
|
|
|
Upstream-ID: 8a4404c8307a5ef9e07ee2169fc6d8106b527587
|
|
|
|
commit b02ad1ce9105bfa7394ac7590c0729dd52e26a81
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed May 4 12:21:53 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
IdentityAgent for specifying specific agent sockets; ok
|
|
djm@
|
|
|
|
Upstream-ID: 3e6a15eb89ea0fd406f108826b7dc7dec4fbfac1
|
|
|
|
commit 910e59bba09ac309d78ce61e356da35292212935
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed May 4 12:16:39 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
fix junk characters after quotes
|
|
|
|
Upstream-ID: cc4d0cd32cb6b55a2ef98975d2f7ae857d0dc578
|
|
|
|
commit 9283884e647b8be50ccd2997537af0065672107d
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Tue May 3 18:38:12 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
correct article;
|
|
|
|
Upstream-ID: 1fbd5b7ab16d2d9834ec79c3cedd4738fa42a168
|
|
|
|
commit cfefbcea1057c2623e76c579174a4107a0b6e6cd
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue May 3 15:57:39 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
fix overriding of StreamLocalBindMask and
|
|
StreamLocalBindUnlink in Match blocks; found the hard way Rogan Dawes
|
|
|
|
Upstream-ID: 940bc69ec0249ab428d24ccd0722ce35cb932ee2
|
|
|
|
commit 771c2f51ffc0c9a2877b7892fada0c77bd1f6549
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue May 3 15:25:06 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
don't forget to include StreamLocalBindUnlink in the
|
|
config dump output
|
|
|
|
Upstream-ID: 14a6d970b3b45c8e94272e3c661e9a0b2a0ee7cb
|
|
|
|
commit cdcd941994dc430f50d0a4e6a712d32b66e6199e
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue May 3 14:54:08 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
make nethack^wrandomart fingerprint flag more readily
|
|
searchable pointed out by Matt Johnston
|
|
|
|
Upstream-ID: cb40d0235dc153c478c1aad3bc60b195422a54fb
|
|
|
|
commit 05855bf2ce7d5cd0a6db18bc0b4214ed5ef7516d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue May 3 13:10:24 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
clarify ordering of subkeys; pointed out by ietf-ssh AT
|
|
stbuehler.de
|
|
|
|
Upstream-ID: 05ebe9f949449a555ebce8e0aad7c8c9acaf8463
|
|
|
|
commit cca3b4395807bfb7aaeb83d2838f5c062ce30566
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Tue May 3 12:15:49 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Use a subshell for constructing key types to work around
|
|
different sed behaviours for -portable.
|
|
|
|
Upstream-Regress-ID: 0f6eb673162df229eda9a134a0f10da16151552d
|
|
|
|
commit fa58208c6502dcce3e0daac0ca991ee657daf1f5
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue May 3 10:27:59 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
correct some typos and remove a long-stale XXX note.
|
|
|
|
add specification for ed25519 certificates
|
|
|
|
mention no host certificate options/extensions are currently defined
|
|
|
|
pointed out by Simon Tatham
|
|
|
|
Upstream-ID: 7b535ab7dba3340b7d8210ede6791fdaefdf839a
|
|
|
|
commit b466f956c32cbaff4200bfcd5db6739fe4bc7d04
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue May 3 10:24:27 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
add ed25519 keys that are supported but missing from this
|
|
documents; from Peter Moody
|
|
|
|
Upstream-ID: 8caac2d8e8cfd2fca6dc304877346e0a064b014b
|
|
|
|
commit 7f3d76319a69dab2efe3a520a8fef5b97e923636
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Tue May 3 09:03:49 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Implement IUTF8 as per draft-sgtatham-secsh-iutf8-00. Patch
|
|
from Simon Tatham, ok markus@
|
|
|
|
Upstream-ID: 58268ebdf37d9d467f78216c681705a5e10c58e8
|
|
|
|
commit 31bc01c05d9f51bee3ebe33dc57c4fafb059fb62
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon May 2 14:10:58 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
unbreak config parsing on reexec from previous commit
|
|
|
|
Upstream-ID: bc69932638a291770955bd05ca55a32660a613ab
|
|
|
|
commit 67f1459efd2e85bf03d032539283fa8107218936
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon May 2 09:52:00 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
unit and regress tests for SHA256/512; ok markus
|
|
|
|
Upstream-Regress-ID: a0cd1a92dc824067076a5fcef83c18df9b0bf2c6
|
|
|
|
commit 0e8eeec8e75f6d0eaf33317376f773160018a9c7
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon May 2 10:26:04 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
add support for additional fixed DH groups from
|
|
draft-ietf-curdle-ssh-kex-sha2-03
|
|
|
|
diffie-hellman-group14-sha256 (2K group)
|
|
diffie-hellman-group16-sha512 (4K group)
|
|
diffie-hellman-group18-sha512 (8K group)
|
|
|
|
based on patch from Mark D. Baushke and Darren Tucker
|
|
ok markus@
|
|
|
|
Upstream-ID: ac00406ada4f0dfec41585ca0839f039545bc46f
|
|
|
|
commit 57464e3934ba53ad8590ee3ccd840f693407fc1e
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon May 2 09:36:42 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
support SHA256 and SHA512 RSA signatures in certificates;
|
|
ok markus@
|
|
|
|
Upstream-ID: b45be2f2ce8cacd794dc5730edaabc90e5eb434a
|
|
|
|
commit 1a31d02b2411c4718de58ce796dbb7b5e14db93e
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon May 2 08:49:03 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
fix signed/unsigned errors reported by clang-3.7; add
|
|
sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with
|
|
better safety checking; feedback and ok markus@
|
|
|
|
Upstream-ID: 71f926d9bb3f1efed51319a6daf37e93d57c8820
|
|
|
|
commit d2d6bf864e52af8491a60dd507f85b74361f5da3
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 29 08:07:53 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
close ControlPersist background process stderr when not
|
|
in debug mode or when logging to a file or syslog. bz#1988 ok dtucker
|
|
|
|
Upstream-ID: 4fb726f0fdcb155ad419913cea10dc4afd409d24
|
|
|
|
commit 9ee692fa1146e887e008a2b9a3d3ea81770c9fc8
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Apr 28 14:30:21 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
fix comment
|
|
|
|
Upstream-ID: 313a385bd7b69a82f8e28ecbaf5789c774457b15
|
|
|
|
commit ee1e0a16ff2ba41a4d203c7670b54644b6c57fa6
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Wed Apr 27 13:53:48 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
cidr permitted for {allow,deny}users; from lars nooden ok djm
|
|
|
|
Upstream-ID: 13e7327fe85f6c63f3f7f069e0fdc8c351515d11
|
|
|
|
commit b6e0140a5aa883c27b98415bd8aa9f65fc04ee22
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Apr 21 06:08:02 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
make argument == NULL tests more consistent
|
|
|
|
Upstream-ID: dc4816678704aa5cbda3a702e0fa2033ff04581d
|
|
|
|
commit 6aaabc2b610e44bae473457ad9556ffb43d90ee3
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Sun Apr 17 14:34:46 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
tweak previous;
|
|
|
|
Upstream-ID: 46c1bab91c164078edbccd5f7d06b9058edd814f
|
|
|
|
commit 0f839e5969efa3bda615991be8a9d9311554c573
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 15 02:57:10 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
missing bit of Include regress
|
|
|
|
Upstream-Regress-ID: 1063595f7f40f8489a1b7a27230b9e8acccea34f
|
|
|
|
commit 12e4ac46aed681da55c2bba3cd11dfcab23591be
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 15 02:55:53 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
remove redundant CLEANFILES section
|
|
|
|
Upstream-Regress-ID: 29ef1b267fa56daa60a1463396635e7d53afb587
|
|
|
|
commit b1d05aa653ae560c44baf8e8a9756e33f98ea75c
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 15 00:48:01 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
sync CLEANFILES with portable, sort
|
|
|
|
Upstream-Regress-ID: cb782f4f1ab3e079efbc335c6b64942f790766ed
|
|
|
|
commit 35f22dad263cce5c61d933ae439998cb965b8748
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 15 00:31:10 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
regression test for ssh_config Include directive
|
|
|
|
Upstream-Regress-ID: 46a38c8101f635461c506d1aac2d96af80f97f1e
|
|
|
|
commit 6b8a1a87005818d4700ce8b42faef746e82c1f51
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Apr 14 23:57:17 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
unbreak test for recent ssh de-duplicated forwarding
|
|
change
|
|
|
|
Upstream-Regress-ID: 6b2b115d99acd7cff13986e6739ea214cf2a3da3
|
|
|
|
commit 076787702418985a2cc6808212dc28ce7afc01f0
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Apr 14 23:21:42 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
add test knob and warning for StrictModes
|
|
|
|
Upstream-Regress-ID: 8cd10952ce7898655ee58945904f2a0a3bdf7682
|
|
|
|
commit dc7990be865450574c7940c9880567f5d2555b37
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 15 00:30:19 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Include directive for ssh_config(5); feedback & ok markus@
|
|
|
|
Upstream-ID: ae3b76e2e343322b9f74acde6f1e1c5f027d5fff
|
|
|
|
commit 85bdcd7c92fe7ff133bbc4e10a65c91810f88755
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Apr 13 10:39:57 2016 +1000
|
|
|
|
ignore PAM environment vars when UseLogin=yes
|
|
|
|
If PAM is configured to read user-specified environment variables
|
|
and UseLogin=yes in sshd_config, then a hostile local user may
|
|
attack /bin/login via LD_PRELOAD or similar environment variables
|
|
set via PAM.
|
|
|
|
CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
|
|
|
|
commit dce19bf6e4a2a3d0b13a81224de63fc316461ab9
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sat Apr 9 12:39:30 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
make private key loading functions consistently handle NULL
|
|
key pointer arguments; ok markus@
|
|
|
|
Upstream-ID: 92038726ef4a338169c35dacc9c5a07fcc7fa761
|
|
|
|
commit 5f41f030e2feb5295657285aa8c6602c7810bc4b
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Apr 8 21:14:13 2016 +1000
|
|
|
|
Remove NO_IPPORT_RESERVED_CONCEPT
|
|
|
|
Replace by defining IPPORT_RESERVED to zero on Cygwin, which should have
|
|
the same effect without causing problems syncing patches with OpenBSD.
|
|
Resync the two affected functions with OpenBSD. ok djm, sanity checked
|
|
by Corinna.
|
|
|
|
commit 34a01b2cf737d946ddb140618e28c3048ab7a229
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 8 08:19:17 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
whitespace at EOL
|
|
|
|
Upstream-ID: 5beffd4e001515da12851b974e2323ae4aa313b6
|
|
|
|
commit 90ee563fa6b54c59896c6c332c5188f866c5e75f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 8 06:35:54 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
We accidentally send an empty string and a zero uint32 with
|
|
every direct-streamlocal@openssh.com channel open, in contravention of our
|
|
own spec.
|
|
|
|
Fixing this is too hard wrt existing versions that expect these
|
|
fields to be present and fatal() if they aren't, so document them
|
|
as "reserved" fields in the PROTOCOL spec as though we always
|
|
intended this and let us never speak of it again.
|
|
|
|
bz#2529, reported by Ron Frederick
|
|
|
|
Upstream-ID: 34cd326a4d236ca6e39084c4ff796bd97ab833e7
|
|
|
|
commit 0ccbd5eca0f0dd78e71a4b69c66f03a66908d558
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Apr 6 06:42:17 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
don't record duplicate LocalForward and RemoteForward
|
|
entries; fixes failure with ExitOnForwardFailure+hostname canonicalisation
|
|
where the same forwards are added on the second pass through the
|
|
configuration file. bz#2562; ok dtucker@
|
|
|
|
Upstream-ID: 40a51d68b6300f1cc61deecdb7d4847b8b7b0de1
|
|
|
|
commit 574def0eb493cd6efeffd4ff2e9257abcffee0c8
|
|
Author: krw@openbsd.org <krw@openbsd.org>
|
|
Date: Sat Apr 2 14:37:42 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Another use for fcntl() and thus of the superfluous 3rd
|
|
parameter is when sanitising standard fd's before calling daemon().
|
|
|
|
Use a tweaked version of the ssh(1) function in all three places
|
|
found using fcntl() this way.
|
|
|
|
ok jca@ beck@
|
|
|
|
Upstream-ID: f16811ffa19a1c5f4ef383c5f0fecb843c84e218
|
|
|
|
commit b3413534aa9d71a941005df2760d1eec2c2b0854
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Apr 4 11:09:21 2016 +1000
|
|
|
|
Tidy up openssl header test.
|
|
|
|
commit 815bcac0b94bb448de5acdd6ba925b8725240b4f
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Apr 4 11:07:59 2016 +1000
|
|
|
|
Fix configure-time warnings for openssl test.
|
|
|
|
commit 95687f5831ae680f7959446d8ae4b52452ee05dd
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 1 02:34:10 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
whitespace at EOL
|
|
|
|
Upstream-ID: 40ae2203d07cb14e0a89e1a0d4c6120ee8fd8c3a
|
|
|
|
commit fdfbf4580de09d84a974211715e14f88a5704b8e
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu Mar 31 05:24:06 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Remove fallback from moduli to "primes" file that was
|
|
deprecated in 2001 and fix log messages referring to primes file. Based on
|
|
patch from xnox at ubuntu.com via bz#2559. "kill it" deraadt@
|
|
|
|
Upstream-ID: 0d4f8c70e2fa7431a83b95f8ca81033147ba8713
|
|
|
|
commit 0235a5fa67fcac51adb564cba69011a535f86f6b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Mar 17 17:19:43 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
UseDNS affects ssh hostname processing in authorized_keys,
|
|
not known_hosts; bz#2554 reported by jjelen AT redhat.com
|
|
|
|
Upstream-ID: c1c1bb895dde46095fc6d81d8653703928437591
|
|
|
|
commit 8c4739338f5e379d05b19d6e544540114965f07e
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Mar 15 09:24:43 2016 +1100
|
|
|
|
Don't call Solaris setproject() with UsePAM=yes.
|
|
|
|
When Solaris Projects are enabled along with PAM setting the project
|
|
is PAM's responsiblity. bz#2425, based on patch from
|
|
brent.paulson at gmail.com.
|
|
|
|
commit cff26f373c58457a32cb263e212cfff53fca987b
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Mar 15 04:30:21 2016 +1100
|
|
|
|
remove slogin from *.spec
|
|
|
|
commit c38905ba391434834da86abfc988a2b8b9b62477
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Mar 14 16:20:54 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
unbreak authentication using lone certificate keys in
|
|
ssh-agent: when attempting pubkey auth with a certificate, if no separate
|
|
private key is found among the keys then try with the certificate key itself.
|
|
|
|
bz#2550 reported by Peter Moody
|
|
|
|
Upstream-ID: f939cd76d68e6a9a3d1711b5a943d6ed1e623966
|
|
|
|
commit 4b4bfb01cd40b9ddb948e6026ddd287cc303d871
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Mar 10 11:47:57 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
sanitise characters destined for xauth reported by
|
|
github.com/tintinweb feedback and ok deraadt and markus
|
|
|
|
Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261
|
|
|
|
commit 732b463d37221722b1206f43aa59563766a6a968
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Mar 14 16:04:23 2016 +1100
|
|
|
|
Pass supported malloc options to connect-privsep.
|
|
|
|
This allows us to activate only the supported options during the malloc
|
|
option portion of the connect-privsep test.
|
|
|
|
commit d29c5b9b3e9f27394ca97a364ed4bb4a55a59744
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Mar 14 09:30:58 2016 +1100
|
|
|
|
Remove leftover roaming.h file.
|
|
|
|
Pointed out by des at des.no.
|
|
|
|
commit 8ff20ec95f4377021ed5e9b2331320f5c5a34cea
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Mar 14 09:24:03 2016 +1100
|
|
|
|
Quote variables that may contain whitespace.
|
|
|
|
The variable $L_TMP_ID_FILE needs to be surrounded by quotes in order to
|
|
survive paths containing whitespace. bz#2551, from Corinna Vinschen via
|
|
Philip Hands.
|
|
|
|
commit 627824480c01f0b24541842c7206ab9009644d02
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Mar 11 14:47:41 2016 +1100
|
|
|
|
Include priv.h for priv_set_t.
|
|
|
|
From alex at cooperi.net.
|
|
|
|
commit e960051f9a264f682c4d2fefbeecffcfc66b0ddf
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Mar 9 13:14:18 2016 +1100
|
|
|
|
Wrap stdint.h inside #ifdef HAVE_STDINT_H.
|
|
|
|
commit 2c48bd344d2c4b5e08dae9aea5ff44fc19a5e363
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Mar 9 12:46:50 2016 +1100
|
|
|
|
Add compat to monotime_double().
|
|
|
|
Apply all of the portability changes in monotime() to monotime() double.
|
|
Fixes build on at least older FreeBSD systems.
|
|
|
|
commit 7b40ef6c2eef40c339f6ea8920cb8a44838e10c9
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Mar 8 14:12:58 2016 -0800
|
|
|
|
make a regress-binaries target
|
|
|
|
Easier to build all the regression/unit test binaries in one pass
|
|
than going through all of ${REGRESS_BINARIES}
|
|
|
|
commit c425494d6b6181beb54a1b3763ef9e944fd3c214
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Mar 8 14:03:54 2016 -0800
|
|
|
|
unbreak kexfuzz for -Werror without __bounded__
|
|
|
|
commit 3ed9218c336607846563daea5d5ab4f701f4e042
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Mar 8 14:01:29 2016 -0800
|
|
|
|
unbreak PAM after canohost refactor
|
|
|
|
commit 885fb2a44ff694f01e4f6470f803629e11f62961
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Mar 8 11:58:43 2016 +1100
|
|
|
|
auth_get_canonical_hostname in portable code.
|
|
|
|
"refactor canohost.c" replaced get_canonical_hostname, this makes the
|
|
same change to some portable-specific code.
|
|
|
|
commit 95767262caa6692eff1e1565be1f5cb297949a89
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Mar 7 19:02:43 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
refactor canohost.c: move functions that cache results closer
|
|
to the places that use them (authn and session code). After this, no state is
|
|
cached in canohost.c
|
|
|
|
feedback and ok markus@
|
|
|
|
Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
|
|
|
|
commit af0bb38ffd1f2c4f9f43b0029be2efe922815255
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Mar 4 15:11:55 2016 +1100
|
|
|
|
hook unittests/misc/kexfuzz into build
|
|
|
|
commit 331b8e07ee5bcbdca12c11cc8f51a7e8de09b248
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Mar 4 02:48:06 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Filter debug messages out of log before picking the last
|
|
two lines. Should prevent problems if any more debug output is added late in
|
|
the connection.
|
|
|
|
Upstream-Regress-ID: 345d0a9589c381e7d640a4ead06cfaadf4db1363
|
|
|
|
commit 0892edaa3ce623381d3a7635544cbc69b31cf9cb
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Mar 4 02:30:36 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
add KEX fuzzer harness; ok deraadt@
|
|
|
|
Upstream-Regress-ID: 3df5242d30551b12b828aa9ba4a4cec0846be8d1
|
|
|
|
commit ae2562c47d41b68dbb00240fd6dd60bed205367a
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu Mar 3 00:46:53 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Look back 3 lines for possible error messages. Changes
|
|
to the code mean that "Bad packet length" errors are 3 lines back instead of
|
|
the previous two, which meant we didn't skip some offsets that we intended
|
|
to.
|
|
|
|
Upstream-Regress-ID: 24f36912740a634d509a3144ebc8eb7c09b9c684
|
|
|
|
commit 988e429d903acfb298bfddfd75e7994327adfed0
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Mar 4 03:35:44 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
fix ClientAliveInterval when a time-based RekeyLimit is
|
|
set; previously keepalive packets were not being sent. bz#2252 report and
|
|
analysis by Christian Wittenhorst and Garrett Lee feedback and ok dtucker@
|
|
|
|
Upstream-ID: d48f9deadd35fdacdd5106b41bb07630ddd4aa81
|
|
|
|
commit 8ef04d7a94bcdb8b0085fdd2a79a844b7d40792d
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed Mar 2 22:43:52 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Improve accuracy of reported transfer speeds by waiting
|
|
for the ack from the other end. Pointed out by mmcc@, ok deraadt@ markus@
|
|
|
|
Upstream-ID: 99f1cf15c9a8f161086b814d414d862795ae153d
|
|
|
|
commit b8d4eafe29684fe4f5bb587f7eab948e6ed62723
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed Mar 2 22:42:40 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Improve precision of progressmeter for sftp and scp by
|
|
storing sub-second timestamps. Pointed out by mmcc@, ok deraadt@ markus@
|
|
|
|
Upstream-ID: 38fd83a3d83dbf81c8ff7b5d1302382fe54970ab
|
|
|
|
commit 18f64b969c70ed00e74b9d8e50359dbe698ce4c0
|
|
Author: jca@openbsd.org <jca@openbsd.org>
|
|
Date: Mon Feb 29 20:22:36 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Print ssize_t with %zd; ok deraadt@ mmcc@
|
|
|
|
Upstream-ID: 0590313bbb013ff6692298c98f7e0be349d124bd
|
|
|
|
commit 6e7f68ce38130c794ec1fb8d2a6091fbe982628d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Feb 28 22:27:00 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
rearrange DH public value tests to be a little more clear
|
|
|
|
rearrange DH private value generation to explain rationale more
|
|
clearly and include an extra sanity check.
|
|
|
|
ok deraadt
|
|
|
|
Upstream-ID: 9ad8a07e1a12684e1b329f9bd88941b249d4b2ad
|
|
|
|
commit 2ed17aa34008bdfc8db674315adc425a0712be11
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Mar 1 15:24:20 2016 +1100
|
|
|
|
Import updated moduli file from OpenBSD.
|
|
|
|
Note that 1.5k bit groups have been removed.
|
|
|
|
commit 72b061d4ba0f909501c595d709ea76e06b01e5c9
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Feb 26 14:40:04 2016 +1100
|
|
|
|
Add a note about using xlc on AIX.
|
|
|
|
commit fd4e4f2416baa2e6565ea49d52aade296bad3e28
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Feb 24 10:44:25 2016 +1100
|
|
|
|
Skip PrintLastLog in config dump mode.
|
|
|
|
When DISABLE_LASTLOG is set, do not try to include PrintLastLog in the
|
|
config dump since it'll be reported as UNKNOWN.
|
|
|
|
commit 99135c764fa250801da5ec3b8d06cbd0111caae8
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 23 20:17:23 2016 +1100
|
|
|
|
update spec/README versions ahead of release
|
|
|
|
commit b86a334aaaa4d1e643eb1fd71f718573d6d948b5
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 23 20:16:53 2016 +1100
|
|
|
|
put back portable patchlevel to p1
|
|
|
|
commit 555dd35ff176847e3c6bd068ba2e8db4022eb24f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Feb 23 09:14:34 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
openssh-7.2
|
|
|
|
Upstream-ID: 9db776b26014147fc907ece8460ef2bcb0f11e78
|
|
|
|
commit 1acc058d0a7913838c830ed998a1a1fb5b7864bf
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 23 16:12:13 2016 +1100
|
|
|
|
Disable tests where fs perms are incorrect
|
|
|
|
Some tests have strict requirements on the filesystem permissions
|
|
for certain files and directories. This adds a regress/check-perm
|
|
tool that copies the relevant logic from sshd to exactly test
|
|
the paths in question. This lets us skip tests when the local
|
|
filesystem doesn't conform to our expectations rather than
|
|
continuing and failing the test run.
|
|
|
|
ok dtucker@
|
|
|
|
commit 39f303b1f36d934d8410b05625f25c7bcb75db4d
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 23 12:56:59 2016 +1100
|
|
|
|
fix sandbox on OSX Lion
|
|
|
|
sshd was failing with:
|
|
|
|
ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261):cw
|
|
image not found [preauth]
|
|
|
|
caused by chroot before sandboxing. Avoid by explicitly linking libsandbox
|
|
to sshd. Spotted by Darren.
|
|
|
|
commit 0d1451a32c7436e6d3d482351e776bc5e7824ce4
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Feb 23 01:34:14 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
fix spurious error message when incorrect passphrase
|
|
entered for keys; reported by espie@ ok deraadt@
|
|
|
|
Upstream-ID: 58b2e46e63ed6912ed1ee780bd3bd8560f9a5899
|
|
|
|
commit 09d87d79741beb85768b5e788d7dfdf4bc3543dc
|
|
Author: sobrado@openbsd.org <sobrado@openbsd.org>
|
|
Date: Sat Feb 20 23:06:23 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
set ssh(1) protocol version to 2 only.
|
|
|
|
ok djm@
|
|
|
|
Upstream-ID: e168daf9d27d7e392e3c9923826bd8e87b2b3a10
|
|
|
|
commit 9262e07826ba5eebf8423f7ac9e47ec488c47869
|
|
Author: sobrado@openbsd.org <sobrado@openbsd.org>
|
|
Date: Sat Feb 20 23:02:39 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
add missing ~/.ssh/id_ecdsa and ~/.ssh/id_ed25519 to
|
|
IdentityFile.
|
|
|
|
ok djm@
|
|
|
|
Upstream-ID: 6ce99466312e4ae7708017c3665e3edb976f70cf
|
|
|
|
commit c12f0fdce8f985fca8d71829fd64c5b89dc777f5
|
|
Author: sobrado@openbsd.org <sobrado@openbsd.org>
|
|
Date: Sat Feb 20 23:01:46 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
AddressFamily defaults to any.
|
|
|
|
ok djm@
|
|
|
|
Upstream-ID: 0d94aa06a4b889bf57a7f631c45ba36d24c13e0c
|
|
|
|
commit 907091acb188b1057d50c2158f74c3ecf1c2302b
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Feb 19 09:05:39 2016 +1100
|
|
|
|
Make Solaris privs code build on older systems.
|
|
|
|
Not all systems with Solaris privs have priv_basicset so factor that
|
|
out and provide backward compatibility code. Similarly, not all have
|
|
PRIV_NET_ACCESS so wrap that in #ifdef. Based on code from
|
|
alex at cooperi.net and djm@ with help from carson at taltos.org and
|
|
wieland at purdue.edu.
|
|
|
|
commit 292a8dee14e5e67dcd1b49ba5c7b9023e8420d59
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Feb 17 22:20:14 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
rekey refactor broke SSH1; spotted by Tom G. Christensen
|
|
|
|
Upstream-ID: 43f0d57928cc077c949af0bfa71ef574dcb58243
|
|
|
|
commit 3a13cb543df9919aec2fc6b75f3dd3802facaeca
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Feb 17 08:57:34 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
rsa-sha2-512,rsa-sha2-256 cannot be selected explicitly
|
|
in *KeyTypes options yet. Remove them from the lists of algorithms for now.
|
|
committing on behalf of markus@ ok djm@
|
|
|
|
Upstream-ID: c6e8820eb8e610ac21551832c0c89684a9a51bb7
|
|
|
|
commit a685ae8d1c24fb7c712c55a4f3280ee76f5f1e4b
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Wed Feb 17 07:38:19 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
since these pages now clearly tell folks to avoid v1,
|
|
normalise the docs from a v2 perspective (i.e. stop pointing out which bits
|
|
are v2 only);
|
|
|
|
ok/tweaks djm ok markus
|
|
|
|
Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
|
|
|
|
commit c5c3f3279a0e4044b8de71b70d3570d692d0f29d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Feb 17 05:29:04 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
make sandboxed privilege separation the default, not just
|
|
for new installs; "absolutely" deraadt@
|
|
|
|
Upstream-ID: 5221ef3b927d2df044e9aa3f5db74ae91743f69b
|
|
|
|
commit eb3f7337a651aa01d5dec019025e6cdc124ed081
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Tue Feb 16 07:47:54 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
no need to state that protocol 2 is the default twice;
|
|
|
|
Upstream-ID: b1e4c36b0c2e12e338e5b66e2978f2ac953b95eb
|
|
|
|
commit e7901efa9b24e5b0c7e74f2c5520d47eead4d005
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Feb 16 05:11:04 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Replace list of ciphers and MACs adjacent to -1/-2 flag
|
|
descriptions in ssh(1) with a strong recommendation not to use protocol 1.
|
|
Add a similar warning to the Protocol option descriptions in ssh_config(5)
|
|
and sshd_config(5);
|
|
|
|
prompted by and ok mmcc@
|
|
|
|
Upstream-ID: 961f99e5437d50e636feca023978950a232ead5e
|
|
|
|
commit 5a0fcb77287342e2fc2ba1cee79b6af108973dc2
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Feb 16 03:37:48 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
add a "Close session" log entry (at loglevel=verbose) to
|
|
correspond to the existing "Starting session" one. Also include the session
|
|
id number to make multiplexed sessions more apparent.
|
|
|
|
feedback and ok dtucker@
|
|
|
|
Upstream-ID: e72d2ac080e02774376325136e532cb24c2e617c
|
|
|
|
commit 624fd395b559820705171f460dd33d67743d13d6
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Feb 17 02:24:17 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
include bad $SSH_CONNECTION in failure output
|
|
|
|
Upstream-Regress-ID: b22d72edfde78c403aaec2b9c9753ef633cc0529
|
|
|
|
commit 60d860e54b4f199e5e89963b1c086981309753cb
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Feb 17 13:37:09 2016 +1100
|
|
|
|
Rollback addition of va_start.
|
|
|
|
va_start was added in 0f754e29dd3760fc0b172c1220f18b753fb0957e, however
|
|
it has the wrong number of args and it's not usable in non-variadic
|
|
functions anyway so it breaks things (for example Solaris 2.6 as
|
|
reported by Tom G. Christensen).i ok djm@
|
|
|
|
commit 2fee909c3cee2472a98b26eb82696297b81e0d38
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Feb 17 09:48:15 2016 +1100
|
|
|
|
Look for gethostbyname in libresolv and libnsl.
|
|
|
|
Should fix build problem on Solaris 2.6 reported by Tom G. Christensen.
|
|
|
|
commit 5ac712d81a84396aab441a272ec429af5b738302
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 16 10:45:02 2016 +1100
|
|
|
|
make existing ssh_malloc_init only for __OpenBSD__
|
|
|
|
commit 24c9bded569d9f2449ded73f92fb6d12db7a9eec
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 15 23:32:37 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
memleak of algorithm name in mm_answer_sign; reported by
|
|
Jakub Jelen
|
|
|
|
Upstream-ID: ccd742cd25952240ebd23d7d4d6b605862584d08
|
|
|
|
commit ffb1e7e896139a42ceb78676f637658f44612411
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Mon Feb 15 09:47:49 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Add a function to enable security-related malloc_options.
|
|
With and ok deraadt@, something similar has been in the snaps for a while.
|
|
|
|
Upstream-ID: 43a95523b832b7f3b943d2908662191110c380ed
|
|
|
|
commit ef39e8c0497ff0564990a4f9e8b7338b3ba3507c
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 16 10:34:39 2016 +1100
|
|
|
|
sync ssh-copy-id with upstream 783ef08b0a75
|
|
|
|
commit d2d772f55b19bb0e8d03c2fe1b9bb176d9779efd
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Feb 12 00:20:30 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
avoid fatal() for PKCS11 tokens that present empty key IDs
|
|
bz#1773, ok markus@
|
|
|
|
Upstream-ID: 044a764fee526f2c4a9d530bd10695422d01fc54
|
|
|
|
commit e4c918a6c721410792b287c9fd21356a1bed5805
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Feb 11 02:56:32 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
sync crypto algorithm lists in ssh_config(5) and
|
|
sshd_config(5) with current reality. bz#2527
|
|
|
|
Upstream-ID: d7fd1b6c1ed848d866236bcb1d7049d2bb9b2ff6
|
|
|
|
commit e30cabfa4ab456a30b3224f7f545f1bdfc4a2517
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Feb 11 02:21:34 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
fix regression in openssh-6.8 sftp client: existing
|
|
destination directories would incorrectly terminate recursive uploads;
|
|
bz#2528
|
|
|
|
Upstream-ID: 3306be469f41f26758e3d447987ac6d662623e18
|
|
|
|
commit 714e367226ded4dc3897078be48b961637350b05
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Feb 9 05:30:04 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
turn off more old crypto in the client: hmac-md5, ripemd,
|
|
truncated HMACs, RC4, blowfish. ok markus@ dtucker@
|
|
|
|
Upstream-ID: 96aa11c2c082be45267a690c12f1d2aae6acd46e
|
|
|
|
commit 5a622844ff7f78dcb75e223399f9ef0977e8d0a3
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 8 23:40:12 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
don't attempt to percent_expand() already-canonicalised
|
|
addresses, avoiding unnecessary failures when attempting to connect to scoped
|
|
IPv6 addresses (that naturally contain '%' characters)
|
|
|
|
Upstream-ID: f24569cffa1a7cbde5f08dc739a72f4d78aa5c6a
|
|
|
|
commit 19bcf2ea2d17413f2d9730dd2a19575ff86b9b6a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 8 10:57:07 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
refactor activation of rekeying
|
|
|
|
This makes automatic rekeying internal to the packet code (previously
|
|
the server and client loops needed to assist). In doing to it makes
|
|
application of rekey limits more accurate by accounting for packets
|
|
about to be sent as well as packets queued during rekeying events
|
|
themselves.
|
|
|
|
Based on a patch from dtucker@ which was in turn based on a patch
|
|
Aleksander Adamowski in bz#2521; ok markus@
|
|
|
|
Upstream-ID: a441227fd64f9739850ca97b4cf794202860fcd8
|
|
|
|
commit 603ba41179e4b53951c7b90ee95b6ef3faa3f15d
|
|
Author: naddy@openbsd.org <naddy@openbsd.org>
|
|
Date: Fri Feb 5 13:28:19 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Only check errno if read() has returned an error. EOF is
|
|
not an error. This fixes a problem where the mux master would sporadically
|
|
fail to notice that the client had exited. ok mikeb@ djm@
|
|
|
|
Upstream-ID: 3c2dadc21fac6ef64665688aac8a75fffd57ae53
|
|
|
|
commit 56d7dac790693ce420d225119283bc355cff9185
|
|
Author: jsg@openbsd.org <jsg@openbsd.org>
|
|
Date: Fri Feb 5 04:31:21 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
avoid an uninitialised value when NumberOfPasswordPrompts
|
|
is 0 ok markus@ djm@
|
|
|
|
Upstream-ID: 11b068d83c2865343aeb46acf1e9eec00f829b6b
|
|
|
|
commit deae7d52d59c5019c528f977360d87fdda15d20b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Feb 5 03:07:06 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
mention internal DH-GEX fallback groups; bz#2302
|
|
|
|
Upstream-ID: e7b395fcca3122cd825515f45a2e41c9a157e09e
|
|
|
|
commit cac3b6665f884d46192c0dc98a64112e8b11a766
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Feb 5 02:37:56 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
better description for MaxSessions; bz#2531
|
|
|
|
Upstream-ID: e2c0d74ee185cd1a3e9d4ca1f1b939b745b354da
|
|
|
|
commit 5ef4b0fdcc7a239577a754829b50022b91ab4712
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jan 27 17:45:56 2016 +1100
|
|
|
|
avoid FreeBSD RCS Id in comment
|
|
|
|
Change old $FreeBSD version string in comment so it doesn't
|
|
become an RCS ident downstream; requested by des AT des.no
|
|
|
|
commit 696d12683c90d20a0a9c5f4275fc916b7011fb04
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Feb 4 23:43:48 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
printf argument casts to avoid warnings on strict
|
|
compilers
|
|
|
|
Upstream-ID: 7b9f6712cef01865ad29070262d366cf13587c9c
|
|
|
|
commit 5658ef2501e785fbbdf5de2dc33b1ff7a4dca73a
|
|
Author: millert@openbsd.org <millert@openbsd.org>
|
|
Date: Mon Feb 1 21:18:17 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Avoid ugly "DISPLAY "(null)" invalid; disabling X11
|
|
forwarding" message when DISPLAY is not set. This could also result in a
|
|
crash on systems with a printf that doesn't handle NULL. OK djm@
|
|
|
|
Upstream-ID: 20ee0cfbda678a247264c20ed75362042b90b412
|
|
|
|
commit 537f88ec7bcf40bd444ac5584c707c5588c55c43
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Jan 29 05:18:15 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Add regression test for RekeyLimit parsing of >32bit values
|
|
(4G and 8G).
|
|
|
|
Upstream-Regress-ID: 548390350c62747b6234f522a99c319eee401328
|
|
|
|
commit 4c6cb8330460f94e6c7ae28a364236d4188156a3
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Jan 29 23:04:46 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Remove leftover roaming dead code. ok djm markus.
|
|
|
|
Upstream-ID: 13d1f9c8b65a5109756bcfd3b74df949d53615be
|
|
|
|
commit 28136471809806d6246ef41e4341467a39fe2f91
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jan 29 05:46:01 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
include packet type of non-data packets in debug3 output;
|
|
ok markus dtucker
|
|
|
|
Upstream-ID: 034eaf639acc96459b9c5ce782db9fcd8bd02d41
|
|
|
|
commit 6fd6e28daccafaa35f02741036abe64534c361a1
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Jan 29 03:31:03 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Revert "account for packets buffered but not yet
|
|
processed" change as it breaks for very small RekeyLimit values due to
|
|
continuous rekeying. ok djm@
|
|
|
|
Upstream-ID: 7e03f636cb45ab60db18850236ccf19079182a19
|
|
|
|
commit 921ff00b0ac429666fb361d2d6cb1c8fff0006cb
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Jan 29 02:54:45 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Allow RekeyLimits in excess of 4G up to 2**63 bits
|
|
(limited by the return type of scan_scaled). Part of bz#2521, ok djm.
|
|
|
|
Upstream-ID: 13bea82be566b9704821b1ea05bf7804335c7979
|
|
|
|
commit c0060a65296f01d4634f274eee184c0e93ba0f23
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Jan 29 02:42:46 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Account for packets buffered but not yet processed when
|
|
computing whether or not it is time to perform rekeying. bz#2521, based
|
|
loosely on a patch from olo at fb.com, ok djm@
|
|
|
|
Upstream-ID: 67e268b547f990ed220f3cb70a5624d9bda12b8c
|
|
|
|
commit 44cf930e670488c85c9efeb373fa5f4b455692ac
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 27 06:44:58 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
change old $FreeBSD version string in comment so it doesn't
|
|
become an RCS ident downstream; requested by des AT des.no
|
|
|
|
Upstream-ID: 8ca558c01f184e596b45e4fc8885534b2c864722
|
|
|
|
commit ebacd377769ac07d1bf3c75169644336056b7060
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 27 00:53:12 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
make the debug messages a bit more useful here
|
|
|
|
Upstream-ID: 478ccd4e897e0af8486b294aa63aa3f90ab78d64
|
|
|
|
commit 458abc2934e82034c5c281336d8dc0f910aecad3
|
|
Author: jsg@openbsd.org <jsg@openbsd.org>
|
|
Date: Sat Jan 23 05:31:35 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Zero a stack buffer with explicit_bzero() instead of
|
|
memset() when returning from client_loop() for consistency with
|
|
buffer_free()/sshbuf_free().
|
|
|
|
ok dtucker@ deraadt@ djm@
|
|
|
|
Upstream-ID: bc9975b2095339811c3b954694d7d15ea5c58f66
|
|
|
|
commit 65a3c0dacbc7dbb75ddb6a70ebe22d8de084d0b0
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed Jan 20 09:22:39 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Include sys/time.h for gettimeofday. From sortie at
|
|
maxsi.org.
|
|
|
|
Upstream-ID: 6ed0c33b836d9de0a664cd091e86523ecaa2fb3b
|
|
|
|
commit fc77ccdc2ce6d5d06628b8da5048a6a5f6ffca5a
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Thu Jan 14 22:56:56 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
fd leaks; report Qualys Security Advisory team; ok
|
|
deraadt@
|
|
|
|
Upstream-ID: 4ec0f12b9d8fa202293c9effa115464185aa071d
|
|
|
|
commit a306863831c57ec5fad918687cc5d289ee8e2635
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Thu Jan 14 16:17:39 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
remove roaming support; ok djm@
|
|
|
|
Upstream-ID: 2cab8f4b197bc95776fb1c8dc2859dad0c64dc56
|
|
|
|
commit 6ef49e83e30688504552ac10875feabd5521565f
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Thu Jan 14 14:34:34 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
Disable experimental client-side roaming support. Server
|
|
side was disabled/gutted for years already, but this aspect was surprisingly
|
|
forgotten. Thanks for report from Qualys
|
|
|
|
Upstream-ID: 2328004b58f431a554d4c1bf67f5407eae3389df
|
|
|
|
commit 8d7b523b96d3be180572d9d338cedaafc0570f60
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 14 11:08:19 2016 +1100
|
|
|
|
bump version numbers
|
|
|
|
commit 8c3d512a1fac8b9c83b4d0c9c3f2376290bd84ca
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 14 11:04:04 2016 +1100
|
|
|
|
openssh-7.1p2
|
|
|
|
commit e6c85f8889c5c9eb04796fdb76d2807636b9eef5
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jan 15 01:30:36 2016 +1100
|
|
|
|
forcibly disable roaming support in the client
|
|
|
|
commit ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 13 23:04:47 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
eliminate fallback from untrusted X11 forwarding to trusted
|
|
forwarding when the X server disables the SECURITY extension; Reported by
|
|
Thomas Hoger; ok deraadt@
|
|
|
|
Upstream-ID: f76195bd2064615a63ef9674a0e4096b0713f938
|
|
|
|
commit 9a728cc918fad67c8a9a71201088b1e150340ba4
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jan 12 23:42:54 2016 +0000
|
|
|
|
upstream commit
|
|
|
|
use explicit_bzero() more liberally in the buffer code; ok
|
|
deraadt
|
|
|
|
Upstream-ID: 0ece37069fd66bc6e4f55eb1321f93df372b65bf
|
|
|
|
commit 4626cbaf78767fc8e9c86dd04785386c59ae0839
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jan 8 14:24:56 2016 +1100
|
|
|
|
Support Illumos/Solaris fine-grained privileges
|
|
|
|
Includes a pre-auth privsep sandbox and several pledge()
|
|
emulations. bz#2511, patch by Alex Wilson.
|
|
|
|
ok dtucker@
|
|
|
|
commit 422d1b3ee977ff4c724b597fb2e437d38fc8de9d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Dec 31 00:33:52 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix three bugs in KRL code related to (unused) signature
|
|
support: verification length was being incorrectly calculated, multiple
|
|
signatures were being incorrectly processed and a NULL dereference that
|
|
occurred when signatures were verified. Reported by Carl Jackson
|
|
|
|
Upstream-ID: e705e97ad3ccce84291eaa651708dd1b9692576b
|
|
|
|
commit 6074c84bf95d00f29cc7d5d3cd3798737851aa1a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Dec 30 23:46:14 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
unused prototype
|
|
|
|
Upstream-ID: f3eef4389d53ed6c0d5c77dcdcca3060c745da97
|
|
|
|
commit 6213f0e180e54122bb1ba928e11c784e2b4e5380
|
|
Author: guenther@openbsd.org <guenther@openbsd.org>
|
|
Date: Sat Dec 26 20:51:35 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Use pread/pwrite instead separate lseek+read/write for
|
|
lastlog. Cast to off_t before multiplication to avoid truncation on ILP32
|
|
|
|
ok kettenis@ mmcc@
|
|
|
|
Upstream-ID: fc40092568cd195719ddf1a00aa0742340d616cf
|
|
|
|
commit d7d2bc95045a43dd56ea696cc1d030ac9d77e81f
|
|
Author: semarie@openbsd.org <semarie@openbsd.org>
|
|
Date: Sat Dec 26 07:46:03 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
adjust pledge promises for ControlMaster: when using
|
|
"ask" or "autoask", the process will use ssh-askpass for asking confirmation.
|
|
|
|
problem found by halex@
|
|
|
|
ok halex@
|
|
|
|
Upstream-ID: 38a58b30ae3eef85051c74d3c247216ec0735f80
|
|
|
|
commit 271df8185d9689b3fb0523f58514481b858f6843
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Dec 13 22:42:23 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
unbreak connections with peers that set
|
|
first_kex_follows; fix from Matt Johnston va bz#2515
|
|
|
|
Upstream-ID: decc88ec4fc7515594fdb42b04aa03189a44184b
|
|
|
|
commit 43849a47c5f8687699eafbcb5604f6b9c395179f
|
|
Author: doug@openbsd.org <doug@openbsd.org>
|
|
Date: Fri Dec 11 17:41:37 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Add "id" to ssh-agent pledge for subprocess support.
|
|
|
|
Found the hard way by Jan Johansson when using ssh-agent with X. Also,
|
|
rearranged proc/exec and retval to match other pledge calls in the tree.
|
|
|
|
ok djm@
|
|
|
|
Upstream-ID: 914255f6850e5e7fa830a2de6c38605333b584db
|
|
|
|
commit 52d7078421844b2f88329f5be3de370b0a938636
|
|
Author: mmcc@openbsd.org <mmcc@openbsd.org>
|
|
Date: Fri Dec 11 04:21:11 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Remove NULL-checks before sshbuf_free().
|
|
|
|
ok djm@
|
|
|
|
Upstream-ID: 5ebed00ed5f9f03b119a345085e8774565466917
|
|
|
|
commit a4b9e0f4e4a6980a0eb8072f76ea611cab5b77e7
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Dec 11 03:24:25 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
include remote port number in a few more messages; makes
|
|
tying log messages together into a session a bit easier; bz#2503 ok dtucker@
|
|
|
|
Upstream-ID: 9300dc354015f7a7368d94a8ff4a4266a69d237e
|
|
|
|
commit 6091c362e89079397e68744ae30df121b0a72c07
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Dec 11 03:20:09 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't try to load SSHv1 private key when compiled without
|
|
SSHv1 support. From Iain Morgan bz#2505
|
|
|
|
Upstream-ID: 8b8e7b02a448cf5e5635979df2d83028f58868a7
|
|
|
|
commit cce6a36bb95e81fa8bfb46daf22eabcf13afc352
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Dec 11 03:19:09 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
use SSH_MAX_PUBKEY_BYTES consistently as buffer size when
|
|
reading key files. Increase it to match the size of the buffers already being
|
|
used.
|
|
|
|
Upstream-ID: 1b60586b484b55a947d99a0b32bd25e0ced56fae
|
|
|
|
commit 89540b6de025b80404a0cb8418c06377f3f98848
|
|
Author: mmcc@openbsd.org <mmcc@openbsd.org>
|
|
Date: Fri Dec 11 02:31:47 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Remove NULL-checks before sshkey_free().
|
|
|
|
ok djm@
|
|
|
|
Upstream-ID: 3e35afe8a25e021216696b5d6cde7f5d2e5e3f52
|
|
|
|
commit 79394ed6d74572c2d2643d73937dad33727fc240
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Dec 11 02:29:03 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fflush stdout so that output is seen even when running in
|
|
debug mode when output may otherwise not be flushed. Patch from dustin at
|
|
null-ptr.net.
|
|
|
|
Upstream-ID: b0c6b4cd2cdb01d7e9eefbffdc522e35b5bc4acc
|
|
|
|
commit ee607cccb6636eb543282ba90e0677b0604d8b7a
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Dec 15 15:23:49 2015 +1100
|
|
|
|
Increase robustness of redhat/openssh.spec
|
|
|
|
- remove configure --with-rsh, because this option isn't supported anymore
|
|
- replace last occurrence of BuildPreReq by BuildRequires
|
|
- update grep statement to query the krb5 include directory
|
|
|
|
Patch from CarstenGrohmann via github, ok djm.
|
|
|
|
commit b5fa0cd73555b991a543145603658d7088ec6b60
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Dec 15 15:10:32 2015 +1100
|
|
|
|
Allow --without-ssl-engine with --without-openssl
|
|
|
|
Patch from Mike Frysinger via github.
|
|
|
|
commit c1d7e546f6029024f3257cc25c92f2bddf163125
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Dec 15 14:27:09 2015 +1100
|
|
|
|
Include openssl crypto.h for SSLeay.
|
|
|
|
Patch from doughdemon via github.
|
|
|
|
commit c6f5f01651526e88c00d988ce59d71f481ebac62
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Dec 15 13:59:12 2015 +1100
|
|
|
|
Add sys/time.h for gettimeofday.
|
|
|
|
Should allow it it compile with MUSL libc. Based on patch from
|
|
doughdemon via github.
|
|
|
|
commit 39736be06c7498ef57d6970f2d85cf066ae57c82
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Dec 11 02:20:28 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
correct error messages; from Tomas Kuthan bz#2507
|
|
|
|
Upstream-ID: 7454a0affeab772398052954c79300aa82077093
|
|
|
|
commit 94141b7ade24afceeb6762a3f99e09e47a6c42b6
|
|
Author: mmcc@openbsd.org <mmcc@openbsd.org>
|
|
Date: Fri Dec 11 00:20:04 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Pass (char *)NULL rather than (char *)0 to execl and
|
|
execlp.
|
|
|
|
ok dtucker@
|
|
|
|
Upstream-ID: 56c955106cbddba86c3dd9bbf786ac0d1b361492
|
|
|
|
commit d59ce08811bf94111c2f442184cf7d1257ffae24
|
|
Author: mmcc@openbsd.org <mmcc@openbsd.org>
|
|
Date: Thu Dec 10 17:08:40 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Remove NULL-checks before free().
|
|
|
|
ok dtucker@
|
|
|
|
Upstream-ID: e3d3cb1ce900179906af36517b5eea0fb15e6ef8
|
|
|
|
commit 8e56dd46cb37879c73bce2d6032cf5e7f82d5a71
|
|
Author: mmcc@openbsd.org <mmcc@openbsd.org>
|
|
Date: Thu Dec 10 07:01:35 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Fix a couple "the the" typos. ok dtucker@
|
|
|
|
Upstream-ID: ec364c5af32031f013001fd28d1bd3dfacfe9a72
|
|
|
|
commit 6262a0522ddc2c0f2e9358dcb68d59b46e9c533e
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Dec 7 20:04:09 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
stricter encoding type checks for ssh-rsa; ok djm@
|
|
|
|
Upstream-ID: 8cca7c787599a5e8391e184d0b4f36fdc3665650
|
|
|
|
commit d86a3ba7af160c13496102aed861ae48a4297072
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Dec 9 09:18:45 2015 +1100
|
|
|
|
Don't set IPV6_V6ONLY on OpenBSD
|
|
|
|
It isn't necessary and runs afoul of pledge(2) restrictions.
|
|
|
|
commit da98c11d03d819a15429d8fff9688acd7505439f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Dec 7 02:20:46 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
basic unit tests for rsa-sha2-* signature types
|
|
|
|
Upstream-Regress-ID: 7dc4b9db809d578ff104d591b4d86560c3598d3c
|
|
|
|
commit 3da893fdec9936dd2c23739cdb3c0c9d4c59fca0
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Sat Dec 5 20:53:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
prefer rsa-sha2-512 over -256 for hostkeys, too; noticed
|
|
by naddy@
|
|
|
|
Upstream-ID: 685f55f7ec566a8caca587750672723a0faf3ffe
|
|
|
|
commit 8b56e59714d87181505e4678f0d6d39955caf10e
|
|
Author: tobias@openbsd.org <tobias@openbsd.org>
|
|
Date: Fri Dec 4 21:51:06 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Properly handle invalid %-format by calling fatal.
|
|
|
|
ok deraadt, djm
|
|
|
|
Upstream-ID: 5692bce7d9f6eaa9c488cb93d3b55e758bef1eac
|
|
|
|
commit 76c9fbbe35aabc1db977fb78e827644345e9442e
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Fri Dec 4 16:41:28 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures
|
|
(user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and
|
|
draft-ssh-ext-info-04.txt; with & ok djm@
|
|
|
|
Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309
|
|
|
|
commit 6064a8b8295cb5a17b5ebcfade53053377714f40
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Dec 4 00:24:55 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
clean up agent_fd handling; properly initialise it to -1
|
|
and make tests consistent
|
|
|
|
ok markus@
|
|
|
|
Upstream-ID: ac9554323d5065745caf17b5e37cb0f0d4825707
|
|
|
|
commit b91926a97620f3e51761c271ba57aa5db790f48d
|
|
Author: semarie@openbsd.org <semarie@openbsd.org>
|
|
Date: Thu Dec 3 17:00:18 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
pledges ssh client: - mux client: which is used when
|
|
ControlMaster is in use. will end with "stdio proc tty" (proc is to
|
|
permit sending SIGWINCH to mux master on window resize)
|
|
|
|
- client loop: several levels of pledging depending of your used options
|
|
|
|
ok deraadt@
|
|
|
|
Upstream-ID: 21676155a700e51f2ce911e33538e92a2cd1d94b
|
|
|
|
commit bcce47466bbc974636f588b5e4a9a18ae386f64a
|
|
Author: doug@openbsd.org <doug@openbsd.org>
|
|
Date: Wed Dec 2 08:30:50 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Add "cpath" to the ssh-agent pledge so the cleanup
|
|
handler can unlink().
|
|
|
|
ok djm@
|
|
|
|
Upstream-ID: 9e632991d48241d56db645602d381253a3d8c29d
|
|
|
|
commit a90d001543f46716b6590c6dcc681d5f5322f8cf
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Dec 2 08:00:58 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
ssh-agent pledge needs proc for askpass; spotted by todd@
|
|
|
|
Upstream-ID: 349aa261b29cc0e7de47ef56167769c432630b2a
|
|
|
|
commit d952162b3c158a8f23220587bb6c8fcda75da551
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Dec 1 23:29:24 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
basic pledge() for ssh-agent, more refinement needed
|
|
|
|
Upstream-ID: 5b5b03c88162fce549e45e1b6dd833f20bbb5e13
|
|
|
|
commit f0191d7c8e76e30551084b79341886d9bb38e453
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Nov 30 10:53:25 2015 +1100
|
|
|
|
Revert "stub for pledge(2) for systems that lack it"
|
|
|
|
This reverts commit 14c887c8393adde2d9fd437d498be30f8c98535c.
|
|
|
|
dtucker beat me to it :/
|
|
|
|
commit 6283cc72eb0e49a3470d30e07ca99a1ba9e89676
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Nov 30 10:37:03 2015 +1100
|
|
|
|
revert 7d4c7513: bring back S/Key prototypes
|
|
|
|
(but leave RCSID changes)
|
|
|
|
commit 14c887c8393adde2d9fd437d498be30f8c98535c
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Nov 30 09:45:29 2015 +1100
|
|
|
|
stub for pledge(2) for systems that lack it
|
|
|
|
commit 452c0b6af5d14c37553e30059bf74456012493f3
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Nov 29 22:18:37 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
pledge, better fatal() messages; feedback deraadt@
|
|
|
|
Upstream-ID: 3e00f6ccfe2b9a7a2d1dbba5409586180801488f
|
|
|
|
commit 6da413c085dba37127687b2617a415602505729b
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Sat Nov 28 06:50:52 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
do not leak temp file if there is no known_hosts file
|
|
from craig leres, ok djm
|
|
|
|
Upstream-ID: c820497fd5574844c782e79405c55860f170e426
|
|
|
|
commit 3ddd15e1b63a4d4f06c8ab16fbdd8a5a61764f16
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Nov 30 07:23:53 2015 +1100
|
|
|
|
Add a null implementation of pledge.
|
|
|
|
Fixes builds on almost everything.
|
|
|
|
commit b1d6b3971ef256a08692efc409fc9ada719111cc
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sat Nov 28 06:41:03 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't include port number in tcpip-forward replies for
|
|
requests that don't allocate a port; bz#2509 diagnosed by Ron Frederick ok
|
|
markus
|
|
|
|
Upstream-ID: 77efad818addb61ec638b5a2362f1554e21a970a
|
|
|
|
commit 9080bd0b9cf10d0f13b1f642f20cb84285cb8d65
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Fri Nov 27 00:49:31 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
pledge "stdio rpath wpath cpath fattr tty proc exec"
|
|
except for the -p option (which sadly has insane semantics...) ok semarie
|
|
dtucker
|
|
|
|
Upstream-ID: 8854bbd58279abe00f6c33f8094bdc02c8c65059
|
|
|
|
commit 4d90625b229cf6b3551d81550a9861897509a65f
|
|
Author: halex@openbsd.org <halex@openbsd.org>
|
|
Date: Fri Nov 20 23:04:01 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
allow comment change for all supported formats
|
|
|
|
ok djm@
|
|
|
|
Upstream-ID: 5fc477cf2f119b2d44aa9c683af16cb00bb3744b
|
|
|
|
commit 8ca915fc761519dd1f7766a550ec597a81db5646
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Nov 20 01:45:29 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add cast to make -Werror clean
|
|
|
|
Upstream-ID: 288db4f8f810bd475be01320c198250a04ff064d
|
|
|
|
commit ac9473580dcd401f8281305af98635cdaae9bf96
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Nov 20 12:35:41 2015 +1100
|
|
|
|
fix multiple authentication using S/Key w/ privsep
|
|
|
|
bz#2502, patch from Kevin Korb and feandil_
|
|
|
|
commit 88b6fcdeb87a2fb76767854d9eb15006662dca57
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Nov 19 08:23:27 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
ban ConnectionAttempts=0, it makes no sense and would cause
|
|
ssh_connect_direct() to print an uninitialised stack variable; bz#2500
|
|
reported by dvw AT phas.ubc.ca
|
|
|
|
Upstream-ID: 32b5134c608270583a90b93a07b3feb3cbd5f7d5
|
|
|
|
commit 964ab3ee7a8f96bdbc963d5b5a91933d6045ebe7
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Nov 19 01:12:32 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
trailing whitespace
|
|
|
|
Upstream-ID: 31fe0ad7c4d08e87f1d69c79372f5e3c5cd79051
|
|
|
|
commit f96516d052dbe38561f6b92b0e4365d8e24bb686
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Nov 19 01:09:38 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
print host certificate contents at debug level
|
|
|
|
Upstream-ID: 39354cdd8a2b32b308fd03f98645f877f540f00d
|
|
|
|
commit 499cf36fecd6040e30e2912dd25655bc574739a7
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Nov 19 01:08:55 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
move the certificate validity formatting code to
|
|
sshkey.[ch]
|
|
|
|
Upstream-ID: f05f7c78fab20d02ff1d5ceeda533ef52e8fe523
|
|
|
|
commit bcb7bc77bbb1535d1008c7714085556f3065d99d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Nov 18 08:37:28 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix "ssh-keygen -l" of private key, broken in support for
|
|
multiple plain keys on stdin
|
|
|
|
Upstream-ID: 6b3132d2c62d03d0bad6f2bcd7e2d8b7dab5cd9d
|
|
|
|
commit 259adb6179e23195c8f6913635ea71040d1ccd63
|
|
Author: millert@openbsd.org <millert@openbsd.org>
|
|
Date: Mon Nov 16 23:47:52 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Replace remaining calls to index(3) with strchr(3). OK
|
|
jca@ krw@
|
|
|
|
Upstream-ID: 33837d767a0cf1db1489b96055f9e330bc0bab6d
|
|
|
|
commit c56a255162c2166884539c0a1f7511575325b477
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Nov 16 22:53:07 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Allow fingerprinting from standard input "ssh-keygen -lf
|
|
-"
|
|
|
|
Support fingerprinting multiple plain keys in a file and authorized_keys
|
|
files too (bz#1319)
|
|
|
|
ok markus@
|
|
|
|
Upstream-ID: 903f8b4502929d6ccf53509e4e07eae084574b77
|
|
|
|
commit 5b4010d9b923cf1b46c9c7b1887c013c2967e204
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Nov 16 22:51:05 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
always call privsep_preauth_child() regardless of whether
|
|
sshd was started by root; it does important priming before sandboxing and
|
|
failing to call it could result in sandbox violations later; ok markus@
|
|
|
|
Upstream-ID: c8a6d0d56c42f3faab38460dc917ca0d1705d383
|
|
|
|
commit 3a9f84b58b0534bbb485f1eeab75665e2d03371f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Nov 16 22:50:01 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
improve sshkey_read() semantics; only update *cpp when a
|
|
key is successfully read; ok markus@
|
|
|
|
Upstream-ID: f371e78e8f4fab366cf69a42bdecedaed5d1b089
|
|
|
|
commit db6f8dc5dd5655b59368efd074994d4568bc3556
|
|
Author: logan@openbsd.org <logan@openbsd.org>
|
|
Date: Mon Nov 16 06:13:04 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
1) Use xcalloc() instead of xmalloc() to check for
|
|
potential overflow. (Feedback from both mmcc@ and djm@) 2) move set_size
|
|
just before the for loop. (suggested by djm@)
|
|
|
|
OK djm@
|
|
|
|
Upstream-ID: 013534c308187284756c3141f11d2c0f33c47213
|
|
|
|
commit 383f10fb84a0fee3c01f9d97594f3e22aa3cd5e0
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Nov 16 00:30:02 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Add a new authorized_keys option "restrict" that
|
|
includes all current and future key restrictions (no-*-forwarding, etc). Also
|
|
add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty".
|
|
This simplifies the task of setting up restricted keys and ensures they are
|
|
maximally-restricted, regardless of any permissions we might implement in the
|
|
future.
|
|
|
|
Example:
|
|
|
|
restrict,pty,command="nethack" ssh-ed25519 AAAAC3NzaC1lZDI1...
|
|
|
|
Idea from Jann Horn; ok markus@
|
|
|
|
Upstream-ID: 04ceb9d448e46e67e13887a7ae5ea45b4f1719d0
|
|
|
|
commit e41a071f7bda6af1fb3f081bed0151235fa61f15
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Sun Nov 15 23:58:04 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
correct section number for ssh-agent;
|
|
|
|
Upstream-ID: 44be72fd8bcc167635c49b357b1beea8d5674bd6
|
|
|
|
commit 1a11670286acddcc19f5eff0966c380831fc4638
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Sun Nov 15 23:54:15 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
do not confuse mandoc by presenting "Dd";
|
|
|
|
Upstream-ID: 1470fce171c47b60bbc7ecd0fc717a442c2cfe65
|
|
|
|
commit f361df474c49a097bfcf16d1b7b5c36fcd844b4b
|
|
Author: jcs@openbsd.org <jcs@openbsd.org>
|
|
Date: Sun Nov 15 22:26:49 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Add an AddKeysToAgent client option which can be set to
|
|
'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a
|
|
private key that is used during authentication will be added to ssh-agent if
|
|
it is running (with confirmation enabled if set to 'confirm').
|
|
|
|
Initial version from Joachim Schipper many years ago.
|
|
|
|
ok markus@
|
|
|
|
Upstream-ID: a680db2248e8064ec55f8be72d539458c987d5f4
|
|
|
|
commit d87063d9baf5479b6e813d47dfb694a97df6f6f5
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Nov 13 04:39:35 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
send SSH2_MSG_UNIMPLEMENTED replies to unexpected
|
|
messages during KEX; bz#2949, ok dtucker@
|
|
|
|
Upstream-ID: 2b3abdff344d53c8d505f45c83a7b12e84935786
|
|
|
|
commit 9fd04681a1e9b0af21e08ff82eb674cf0a499bfc
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Nov 13 04:38:06 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Support "none" as an argument for sshd_config
|
|
ForceCommand and ChrootDirectory. Useful inside Match blocks to override a
|
|
global default. bz#2486 ok dtucker@
|
|
|
|
Upstream-ID: 7ef478d6592bc7db5c7376fc33b4443e63dccfa5
|
|
|
|
commit 94bc0b72c29e511cbbc5772190d43282e5acfdfe
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Nov 13 04:34:15 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
support multiple certificates (one per line) and
|
|
reading from standard input (using "-f -") for "ssh-keygen -L"; ok dtucker@
|
|
|
|
Upstream-ID: ecbadeeef3926e5be6281689b7250a32a80e88db
|
|
|
|
commit b6b9108f5b561c83612cb97ece4134eb59fde071
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Nov 13 02:57:46 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
list a couple more options usable in Match blocks;
|
|
bz#2489
|
|
|
|
Upstream-ID: e4d03f39d254db4c0cc54101921bb89fbda19879
|
|
|
|
commit a7994b3f5a5a5a33b52b0a6065d08e888f0a99fb
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Nov 11 04:56:39 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
improve PEEK/POKE macros: better casts, don't multiply
|
|
evaluate arguments; ok deraadt@
|
|
|
|
Upstream-ID: 9a1889e19647615ededbbabab89064843ba92d3e
|
|
|
|
commit 7d4c7513a7f209cb303a608ac6e46b3f1dfc11ec
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Nov 11 01:48:01 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
remove prototypes for long-gone s/key support; ok
|
|
dtucker@
|
|
|
|
Upstream-ID: db5bed3c57118af986490ab23d399df807359a79
|
|
|
|
commit 07889c75926c040b8e095949c724e66af26441cb
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Nov 14 18:44:49 2015 +1100
|
|
|
|
read back from libcrypto RAND when privdropping
|
|
|
|
makes certain libcrypto implementations cache a /dev/urandom fd
|
|
in preparation of sandboxing. Based on patch by Greg Hartman.
|
|
|
|
commit 1560596f44c01bb0cef977816410950ed17b8ecd
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Nov 10 11:14:47 2015 +1100
|
|
|
|
Fix compiler warnings in the openssl header check.
|
|
|
|
Noted by Austin English.
|
|
|
|
commit e72a8575ffe1d8adff42c9abe9ca36938acc036b
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Sun Nov 8 23:24:03 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
-c before -H, in SYNOPSIS and usage();
|
|
|
|
Upstream-ID: 25e8c58a69e1f37fcd54ac2cd1699370acb5e404
|
|
|
|
commit 3a424cdd21db08c7b0ded902f97b8f02af5aa485
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Nov 8 22:30:20 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Add "ssh-keyscan -c ..." flag to allow fetching
|
|
certificates instead of plain keys; ok markus@
|
|
|
|
Upstream-ID: 0947e2177dba92339eced9e49d3c5bf7dda69f82
|
|
|
|
commit 69fead5d7cdaa73bdece9fcba80f8e8e70b90346
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Sun Nov 8 22:08:38 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
remove slogin links; ok deraadt markus djm
|
|
|
|
Upstream-ID: 39ba08548acde4c54f2d4520c202c2a863a3c730
|
|
|
|
commit 2fecfd486bdba9f51b3a789277bb0733ca36e1c0
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Nov 8 21:59:11 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix OOB read in packet code caused by missing return
|
|
statement found by Ben Hawkes; ok markus@ deraadt@
|
|
|
|
Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62
|
|
|
|
commit 5e288923a303ca672b686908320bc5368ebec6e6
|
|
Author: mmcc@openbsd.org <mmcc@openbsd.org>
|
|
Date: Fri Nov 6 00:31:41 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
1. rlogin and rsh are long gone 2. protocol version isn't
|
|
of core relevance here, and v1 is going away
|
|
|
|
ok markus@, deraadt@
|
|
|
|
Upstream-ID: 8b46bc94cf1ca7c8c1a75b1c958b2bb38d7579c8
|
|
|
|
commit 8b29008bbe97f33381d9b4b93fcfa304168d0286
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Thu Nov 5 09:48:05 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
"commandline" -> "command line", since there are so few
|
|
examples of the former in the pages, so many of the latter, and in some of
|
|
these pages we had multiple spellings;
|
|
|
|
prompted by tj
|
|
|
|
Upstream-ID: 78459d59bff74223f8139d9001ccd56fc4310659
|
|
|
|
commit 996b24cebf20077fbe5db07b3a2c20c2d9db736e
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Oct 29 20:57:34 2015 +1100
|
|
|
|
(re)wrap SYS_sendsyslog in ifdef.
|
|
|
|
Replace ifdef that went missing in commit
|
|
c61b42f2678f21f05653ac2d3d241b48ab5d59ac. Fixes build on older
|
|
OpenBSDs.
|
|
|
|
commit b67e2e76fcf1ae7c802eb27ca927e16c91a513ff
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Oct 29 08:05:17 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
regress test for "PubkeyAcceptedKeyTypes +..." inside a
|
|
Match block
|
|
|
|
Upstream-Regress-ID: 246c37ed64a2e5704d4c158ccdca1ff700e10647
|
|
|
|
commit abd9dbc3c0d8c8c7561347cfa22166156e78c077
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Mon Oct 26 02:50:58 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Fix typo certopt->certopts in shell variable. This would
|
|
cause the test to hang at a host key prompt if you have an A or CNAME for
|
|
"proxy" in your local domain.
|
|
|
|
Upstream-Regress-ID: 6ea03bcd39443a83c89e2c5606392ceb9585836a
|
|
|
|
commit ed08510d38aef930a061ae30d10f2a9cf233bafa
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Oct 29 08:05:01 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Fix "PubkeyAcceptedKeyTypes +..." inside a Match block;
|
|
ok dtucker@
|
|
|
|
Upstream-ID: 853662c4036730b966aab77684390c47b9738c69
|
|
|
|
commit a4aef3ed29071719b2af82fdf1ac3c2514f82bc5
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Oct 27 08:54:52 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix execv arguments in a way less likely to cause grief
|
|
for -portable; ok dtucker@
|
|
|
|
Upstream-ID: 5902bf0ea0371f39f1300698dc3b8e4105fc0fc5
|
|
|
|
commit 63d188175accea83305e89fafa011136ff3d96ad
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Oct 27 01:44:45 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
log certificate serial in verbose() messages to match the
|
|
main auth success/fail message; ok dtucker@
|
|
|
|
Upstream-ID: dfc48b417c320b97c36ff351d303c142f2186288
|
|
|
|
commit 2aaba0cfd560ecfe92aa50c00750e6143842cf1f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Oct 27 00:49:53 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
avoid de-const warning & shrink; ok dtucker@
|
|
|
|
Upstream-ID: 69a85ef94832378952a22c172009cbf52aaa11db
|
|
|
|
commit 03239c18312b9bab7d1c3b03062c61e8bbc1ca6e
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Sun Oct 25 23:42:00 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Expand tildes in filenames passed to -i before checking
|
|
whether or not the identity file exists. This means that if the shell
|
|
doesn't do the expansion (eg because the option and filename were given as a
|
|
single argument) then we'll still add the key. bz#2481, ok markus@
|
|
|
|
Upstream-ID: db1757178a14ac519e9a3e1a2dbd21113cb3bfc6
|
|
|
|
commit 97e184e508dd33c37860c732c0eca3fc57698b40
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Sun Oct 25 23:14:03 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Do not prepend "exec" to the shell command run by "Match
|
|
exec" in a config file. It's an unnecessary optimization from repurposed
|
|
ProxyCommand code and prevents some things working with some shells.
|
|
bz#2471, pointed out by res at qoxp.net. ok markus@
|
|
|
|
Upstream-ID: a1ead25ae336bfa15fb58d8c6b5589f85b4c33a3
|
|
|
|
commit 8db134e7f457bcb069ec72bc4ee722e2af557c69
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Oct 29 10:48:23 2015 +1100
|
|
|
|
Prevent name collisions with system glob (bz#2463)
|
|
|
|
Move glob.h from includes.h to the only caller (sftp) and override the
|
|
names for the symbols. This prevents name collisions with the system glob
|
|
in the case where something other than ssh uses it (eg kerberos). With
|
|
jjelen at redhat.com, ok djm@
|
|
|
|
commit 86c10dbbef6a5800d2431a66cf7f41a954bb62b5
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Oct 23 02:22:01 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Update expected group sizes to match recent code changes.
|
|
|
|
Upstream-Regress-ID: 0004f0ea93428969fe75bcfff0d521c553977794
|
|
|
|
commit 9ada37d36003a77902e90a3214981e417457cf13
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sat Oct 24 22:56:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix keyscan output for multiple hosts/addrs on one line
|
|
when host hashing or a non standard port is in use; bz#2479 ok dtucker@
|
|
|
|
Upstream-ID: 5321dabfaeceba343da3c8a8b5754c6f4a0a307b
|
|
|
|
commit 44fc7cd7dcef6c52c6b7e9ff830dfa32879bd319
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sat Oct 24 22:52:22 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
skip "Could not chdir to home directory" message when
|
|
chrooted
|
|
|
|
patch from Christian Hesse in bz#2485 ok dtucker@
|
|
|
|
Upstream-ID: 86783c1953da426dff5b03b03ce46e699d9e5431
|
|
|
|
commit a820a8618ec44735dabc688fab96fba38ad66bb2
|
|
Author: sthen@openbsd.org <sthen@openbsd.org>
|
|
Date: Sat Oct 24 08:34:09 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Handle the split of tun(4) "link0" into tap(4) in ssh
|
|
tun-forwarding. Adapted from portable (using separate devices for this is the
|
|
normal case in most OS). ok djm@
|
|
|
|
Upstream-ID: 90facf4c59ce73d6741db1bc926e578ef465cd39
|
|
|
|
commit 66d2e229baa9fe57b868c373b05f7ff3bb20055b
|
|
Author: gsoares@openbsd.org <gsoares@openbsd.org>
|
|
Date: Wed Oct 21 11:33:03 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix memory leak in error path ok djm@
|
|
|
|
Upstream-ID: dd2f402b0a0029b755df029fc7f0679e1365ce35
|
|
|
|
commit 7d6c0362039ceacdc1366b5df29ad5d2693c13e5
|
|
Author: mmcc@openbsd.org <mmcc@openbsd.org>
|
|
Date: Tue Oct 20 23:24:25 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Compare pointers to NULL rather than 0.
|
|
|
|
ok djm@
|
|
|
|
Upstream-ID: 21616cfea27eda65a06e772cc887530b9a1a27f8
|
|
|
|
commit f98a09cacff7baad8748c9aa217afd155a4d493f
|
|
Author: mmcc@openbsd.org <mmcc@openbsd.org>
|
|
Date: Tue Oct 20 03:36:35 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Replace a function-local allocation with stack memory.
|
|
|
|
ok djm@
|
|
|
|
Upstream-ID: c09fbbab637053a2ab9f33ca142b4e20a4c5a17e
|
|
|
|
commit ac908c1eeacccfa85659594d92428659320fd57e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Oct 22 09:35:24 2015 +1100
|
|
|
|
turn off PrintLastLog when --disable-lastlog
|
|
|
|
bz#2278 from Brent Paulson
|
|
|
|
commit b56deb847f4a0115a8bf488bf6ee8524658162fd
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Oct 16 22:32:22 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
increase the minimum modulus that we will send or accept in
|
|
diffie-hellman-group-exchange to 2048 bits; ok markus@
|
|
|
|
Upstream-ID: 06dce7a24c17b999a0f5fadfe95de1ed6a1a9b6a
|
|
|
|
commit 5ee0063f024bf5b3f3ffb275b8cd20055d62b4b9
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Oct 16 18:40:49 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in
|
|
hostname canonicalisation - treat them as already canonical and remove the
|
|
trailing '.' before matching ssh_config; ok markus@
|
|
|
|
Upstream-ID: f7619652e074ac3febe8363f19622aa4853b679a
|
|
|
|
commit e92c499a75477ecfe94dd7b4aed89f20b1fac5a7
|
|
Author: mmcc@openbsd.org <mmcc@openbsd.org>
|
|
Date: Fri Oct 16 17:07:24 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
0 -> NULL when comparing with a char*.
|
|
|
|
ok dtucker@, djm@.
|
|
|
|
Upstream-ID: a928e9c21c0a9020727d99738ff64027c1272300
|
|
|
|
commit b1d38a3cc6fe349feb8d16a5f520ef12d1de7cb2
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Oct 15 23:51:40 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix some signed/unsigned integer type mismatches in
|
|
format strings; reported by Nicholas Lemonias
|
|
|
|
Upstream-ID: 78cd55420a0eef68c4095bdfddd1af84afe5f95c
|
|
|
|
commit 1a2663a15d356bb188196b6414b4c50dc12fd42b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Oct 15 23:08:23 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
argument to sshkey_from_private() and sshkey_demote()
|
|
can't be NULL
|
|
|
|
Upstream-ID: 0111245b1641d387977a9b38da15916820a5fd1f
|
|
|
|
commit 0f754e29dd3760fc0b172c1220f18b753fb0957e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Oct 16 10:53:14 2015 +1100
|
|
|
|
need va_copy before va_start
|
|
|
|
reported by Nicholas Lemonias
|
|
|
|
commit eb6c50d82aa1f0d3fc95f5630ea69761e918bfcd
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Oct 15 15:48:28 2015 -0700
|
|
|
|
fix compilation on systems without SYMLOOP_MAX
|
|
|
|
commit fafe1d84a210fb3dae7744f268059cc583db8c12
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Oct 14 09:22:15 2015 -0700
|
|
|
|
s/SANDBOX_TAME/SANDBOX_PLEDGE/g
|
|
|
|
commit 8f22911027ff6c17d7226d232ccd20727f389310
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Oct 14 08:28:19 2015 +1100
|
|
|
|
upstream commit
|
|
|
|
revision 1.20
|
|
date: 2015/10/13 20:55:37; author: millert; state: Exp; lines: +2 -2; commitid: X39sl5ay1czgFIgp;
|
|
In rev 1.15 the sizeof argument was fixed in a strlcat() call but
|
|
the truncation check immediately following it was not updated to
|
|
match. Not an issue in practice since the buffers are the same
|
|
size. OK deraadt@
|
|
|
|
commit 23fa695bb735f54f04d46123662609edb6c76767
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Oct 14 08:27:51 2015 +1100
|
|
|
|
upstream commit
|
|
|
|
revision 1.19
|
|
date: 2015/01/16 16:48:51; author: deraadt; state: Exp; lines: +3 -3; commitid: 0DYulI8hhujBHMcR;
|
|
Move to the <limits.h> universe.
|
|
review by millert, binary checking process with doug, concept with guenther
|
|
|
|
commit c71be375a69af00c2d0a0c24d8752bec12d8fd1b
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Oct 14 08:27:08 2015 +1100
|
|
|
|
upstream commit
|
|
|
|
revision 1.18
|
|
date: 2014/10/19 03:56:28; author: doug; state: Exp; lines: +9 -9; commitid: U6QxmtbXrGoc02S5;
|
|
Revert last commit due to changed semantics found by make release.
|
|
|
|
commit c39ad23b06e9aecc3ff788e92f787a08472905b1
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Oct 14 08:26:24 2015 +1100
|
|
|
|
upstream commit
|
|
|
|
revision 1.17
|
|
date: 2014/10/18 20:43:52; author: doug; state: Exp; lines: +10 -10; commitid: I74hI1tVZtsspKEt;
|
|
Better POSIX compliance in realpath(3).
|
|
|
|
millert@ made changes to realpath.c based on FreeBSD's version. I merged
|
|
Todd's changes into dl_realpath.c.
|
|
|
|
ok millert@, guenther@
|
|
|
|
commit e929a43f957dbd1254aca2aaf85c8c00cbfc25f4
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Oct 14 08:25:55 2015 +1100
|
|
|
|
upstream commit
|
|
|
|
revision 1.16
|
|
date: 2013/04/05 12:59:54; author: kurt; state: Exp; lines: +3 -1;
|
|
- Add comments regarding copies of these files also in libexec/ld.so
|
|
okay guenther@
|
|
|
|
commit 5225db68e58a1048cb17f0e36e0d33bc4a8fc410
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Oct 14 08:25:32 2015 +1100
|
|
|
|
upstream commit
|
|
|
|
revision 1.15
|
|
date: 2012/09/13 15:39:05; author: deraadt; state: Exp; lines: +2 -2;
|
|
specify the bounds of the dst to strlcat (both values were static and
|
|
equal, but it is more correct)
|
|
from Michal Mazurek
|
|
|
|
commit 7365fe5b4859de2305e40ea132da3823830fa710
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Oct 14 08:25:09 2015 +1100
|
|
|
|
upstream commit
|
|
|
|
revision 1.14
|
|
date: 2011/07/24 21:03:00; author: miod; state: Exp; lines: +35 -13;
|
|
Recent Single Unix will malloc memory if the second argument of realpath()
|
|
is NULL, and third-party software is starting to rely upon this.
|
|
Adapted from FreeBSD via Jona Joachim (jaj ; hcl-club , .lu), with minor
|
|
tweaks from nicm@ and yours truly.
|
|
|
|
commit e679c09cd1951f963793aa3d9748d1c3fdcf808f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Oct 13 16:15:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
apply PubkeyAcceptedKeyTypes filtering earlier, so all
|
|
skipped keys are noted before pubkey authentication starts. ok dtucker@
|
|
|
|
Upstream-ID: ba4f52f54268a421a2a5f98bb375403f4cb044b8
|
|
|
|
commit 179c353f564ec7ada64b87730b25fb41107babd7
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Oct 13 00:21:27 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
free the correct IV length, don't assume it's always the
|
|
cipher blocksize; ok dtucker@
|
|
|
|
Upstream-ID: c260d9e5ec73628d9ff4b067fbb060eff5a7d298
|
|
|
|
commit 2539dce2a049a8f6bb0d44cac51f07ad48e691d3
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Fri Oct 9 01:37:08 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Change all tame callers to namechange to pledge(2).
|
|
|
|
Upstream-ID: 17e654fc27ceaf523c60f4ffd9ec7ae4e7efc7f2
|
|
|
|
commit 9846a2f4067383bb76b4e31a9d2303e0a9c13a73
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Oct 8 04:30:48 2015 +1100
|
|
|
|
hook tame(2) sandbox up to build
|
|
|
|
OpenBSD only for now
|
|
|
|
commit 0c46bbe68b70bdf0d6d20588e5847e71f3739fe6
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Oct 7 15:59:12 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
include PubkeyAcceptedKeyTypes in ssh -G config dump
|
|
|
|
Upstream-ID: 6c097ce6ffebf6fe393fb7988b5d152a5d6b36bb
|
|
|
|
commit bdcb73fb7641b1cf73c0065d1a0dd57b1e8b778e
|
|
Author: sobrado@openbsd.org <sobrado@openbsd.org>
|
|
Date: Wed Oct 7 14:45:30 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
UsePrivilegeSeparation defaults to sandbox now.
|
|
|
|
ok djm@
|
|
|
|
Upstream-ID: bff136c38bcae89df82e044d2f42de21e1ad914f
|
|
|
|
commit 2905d6f99c837bb699b6ebc61711b19acd030709
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Oct 7 00:54:06 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't try to change tun device flags if they are already
|
|
what we need; makes it possible to use tun/tap networking as non- root user
|
|
if device permissions and interface flags are pre-established; based on patch
|
|
by Ossi Herrala
|
|
|
|
Upstream-ID: 89099ac4634cd477b066865acf54cb230780fd21
|
|
|
|
commit 0dc74512bdb105b048883f07de538b37e5e024d4
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Oct 5 18:33:05 2015 -0700
|
|
|
|
unbreak merge botch
|
|
|
|
commit fdd020e86439afa7f537e2429d29d4b744c94331
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Oct 6 01:20:59 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
adapt to recent sshkey_parse_private_fileblob() API
|
|
change
|
|
|
|
Upstream-Regress-ID: 5c0d818da511e33e0abf6a92a31bd7163b7ad988
|
|
|
|
commit 21ae8ee3b630b0925f973db647a1b9aa5fcdd4c5
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Sep 24 07:15:39 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix command-line option to match what was actually
|
|
committed
|
|
|
|
Upstream-Regress-ID: 3e8c24a2044e8afd37e7ce17b69002ca817ac699
|
|
|
|
commit e14ac43b75e68f1ffbd3e1a5e44143c8ae578dcd
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Sep 24 06:16:53 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
regress test for CertificateFile; patch from Meghana Bhat
|
|
via bz#2436
|
|
|
|
Upstream-Regress-ID: e7a6e980cbe0f8081ba2e83de40d06c17be8bd25
|
|
|
|
commit 905b054ed24e0d5b4ef226ebf2c8bfc02ae6d4ad
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Oct 5 17:11:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
some more bzero->explicit_bzero, from Michael McConville
|
|
|
|
Upstream-ID: 17f19545685c33327db2efdc357c1c9225ff00d0
|
|
|
|
commit b007159a0acdbcf65814b3ee05dbe2cf4ea46011
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Fri Oct 2 15:52:55 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix email
|
|
|
|
Upstream-ID: 72150f2d54b94de14ebef1ea054ef974281bf834
|
|
|
|
commit b19e1b4ab11884c4f62aee9f8ab53127a4732658
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Fri Oct 2 01:39:52 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
a sandbox using tame ok djm
|
|
|
|
Upstream-ID: 4ca24e47895e72f5daaa02f3e3d3e5ca2d820fa3
|
|
|
|
commit c61b42f2678f21f05653ac2d3d241b48ab5d59ac
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Fri Oct 2 01:39:26 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
re-order system calls in order of risk, ok i'll be
|
|
honest, ordered this way they look like tame... ok djm
|
|
|
|
Upstream-ID: 42a1e6d251fd8be13c8262bee026059ae6328813
|
|
|
|
commit c5f7c0843cb6e6074a93c8ac34e49ce33a6f5546
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Fri Sep 25 18:19:54 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
some certificatefile tweaks; ok djm
|
|
|
|
Upstream-ID: 0e5a7852c28c05fc193419cc7e50e64c1c535af0
|
|
|
|
commit 4e44a79a07d4b88b6a4e5e8c1bed5f58c841b1b8
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Sep 24 06:15:11 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add ssh_config CertificateFile option to explicitly list
|
|
a certificate; patch from Meghana Bhat on bz#2436; ok markus@
|
|
|
|
Upstream-ID: 58648ec53c510b41c1f46d8fe293aadc87229ab8
|
|
|
|
commit e3cbb06ade83c72b640a53728d362bbefa0008e2
|
|
Author: sobrado@openbsd.org <sobrado@openbsd.org>
|
|
Date: Tue Sep 22 08:33:23 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix two typos.
|
|
|
|
Upstream-ID: 424402c0d8863a11b51749bacd7f8d932083b709
|
|
|
|
commit 8408218c1ca88cb17d15278174a24a94a6f65fe1
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Sep 21 04:31:00 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix possible hang on closed output; bz#2469 reported by Tomas
|
|
Kuthan ok markus@
|
|
|
|
Upstream-ID: f7afd41810f8540f524284f1be6b970859f94fe3
|
|
|
|
commit 0097248f90a00865082e8c146b905a6555cc146f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Sep 11 04:55:01 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
skip if running as root; many systems (inc OpenBSD) allow
|
|
root to ptrace arbitrary processes
|
|
|
|
Upstream-Regress-ID: be2b925df89360dff36f972951fa0fa793769038
|
|
|
|
commit 9c06c814aff925e11a5cc592c06929c258a014f6
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Sep 11 03:44:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
try all supported key types here; bz#2455 reported by
|
|
Jakub Jelen
|
|
|
|
Upstream-Regress-ID: 188cb7d9031cdbac3a0fa58b428b8fa2b2482bba
|
|
|
|
commit 3c019a936b43f3e2773f3edbde7c114d73caaa4c
|
|
Author: tim@openbsd.org <tim@openbsd.org>
|
|
Date: Sun Sep 13 14:39:16 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
- Fix error message: passphrase needs to be at least 5
|
|
characters, not 4. - Remove unused function argument. - Remove two
|
|
unnecessary variables.
|
|
|
|
OK djm@
|
|
|
|
Upstream-ID: 13010c05bfa8b523da1c0dc19e81dd180662bc30
|
|
|
|
commit 2681cdb6e0de7c1af549dac37a9531af202b4434
|
|
Author: tim@openbsd.org <tim@openbsd.org>
|
|
Date: Sun Sep 13 13:48:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
When adding keys to the agent, don't ignore the comment
|
|
of keys for which the user is prompted for a passphrase.
|
|
|
|
Tweak and OK djm@
|
|
|
|
Upstream-ID: dc737c620a5a8d282cc4f66e3b9b624e9abefbec
|
|
|
|
commit 14692f7b8251cdda847e648a82735eef8a4d2a33
|
|
Author: guenther@openbsd.org <guenther@openbsd.org>
|
|
Date: Fri Sep 11 08:50:04 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Use explicit_bzero() when zeroing before free()
|
|
|
|
from Michael McConville (mmcconv1 (at) sccs.swarthmore.edu)
|
|
ok millert@ djm@
|
|
|
|
Upstream-ID: 2e3337db046c3fe70c7369ee31515ac73ec00f50
|
|
|
|
commit 846f6fa4cfa8483a9195971dbdd162220f199d85
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Fri Sep 11 06:55:46 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
sync -Q in usage() to SYNOPSIS; since it's drastically
|
|
shorter, i've reformatted the block to sync with the man (80 cols) and saved
|
|
a line;
|
|
|
|
Upstream-ID: 86e2c65c3989a0777a6258a77e589b9f6f354abd
|
|
|
|
commit 95923e0520a8647417ee6dcdff44694703dfeef0
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Fri Sep 11 06:51:39 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
tweak previous;
|
|
|
|
Upstream-ID: f29b3cfcfd9aa31fa140c393e7bd48c1c74139d6
|
|
|
|
commit 86ac462f833b05d8ed9de9c50ccb295d7faa79ff
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Sep 11 05:27:02 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Update usage to match man page.
|
|
|
|
Upstream-ID: 9e85aefaecfb6aaf34c7cfd0700cd21783a35675
|
|
|
|
commit 674b3b68c1d36b2562324927cd03857b565e05e8
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Sep 11 03:47:28 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
expand %i in ControlPath to UID; bz#2449
|
|
|
|
patch from Christian Hesse w/ feedback from dtucker@
|
|
|
|
Upstream-ID: 2ba8d303e555a84e2f2165ab4b324b41e80ab925
|
|
|
|
commit c0f55db7ee00c8202b05cb4b9ad4ce72cc45df41
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Sep 11 03:42:32 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
mention -Q key-plain and -Q key-cert; bz#2455 pointed out
|
|
by Jakub Jelen
|
|
|
|
Upstream-ID: c8f1f8169332e4fa73ac96b0043e3b84e01d4896
|
|
|
|
commit cfffbdb10fdf0f02d3f4232232eef7ec3876c383
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Sep 14 16:24:21 2015 +1000
|
|
|
|
Use ssh-keygen -A when generating host keys.
|
|
|
|
Use ssh-keygen -A instead of per-keytype invocations when generating host
|
|
keys. Add tests when doing host-key-force since we can't use ssh-keygen -A
|
|
since it can't specify alternate locations. bz#2459, ok djm@
|
|
|
|
commit 366bada1e9e124654aac55b72b6ccf878755b0dc
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Sep 11 13:29:22 2015 +1000
|
|
|
|
Correct default value for --with-ssh1.
|
|
|
|
bz#2457, from konto-mindrot.org at walimnieto.com.
|
|
|
|
commit 2bca8a43e7dd9b04d7070824ffebb823c72587b2
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Sep 11 03:13:36 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
more clarity on what AuthorizedKeysFile=none does; based
|
|
on diff by Thiebaud Weksteen
|
|
|
|
Upstream-ID: 78ab87f069080f0cc3bc353bb04eddd9e8ad3704
|
|
|
|
commit 61942ea4a01e6db4fdf37ad61de81312ffe310e9
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Sep 9 00:52:44 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
openssh_RSA_verify return type is int, so don't make it
|
|
size_t within the function itself with only negative numbers or zero assigned
|
|
to it. bz#2460
|
|
|
|
Upstream-ID: b6e794b0c7fc4f9f329509263c8668d35f83ea55
|
|
|
|
commit 4f7cc2f8cc861a21e6dbd7f6c25652afb38b9b96
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Sep 4 08:21:47 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Plug minor memory leaks when options are used more than
|
|
once. bz#2182, patch from Tiago Cunha, ok deraadt djm
|
|
|
|
Upstream-ID: 5b84d0401e27fe1614c10997010cc55933adb48e
|
|
|
|
commit 7ad8b287c8453a3e61dbc0d34d467632b8b06fc8
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Sep 11 13:11:02 2015 +1000
|
|
|
|
Force resolution of _res for correct detection.
|
|
|
|
bz#2259, from sconeu at yahoo.com.
|
|
|
|
commit 26ad18247213ff72b4438abe7fc660c958810fa2
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Sep 10 10:57:41 2015 +1000
|
|
|
|
allow getrandom syscall; from Felix von Leitner
|
|
|
|
commit 5245bc1e6b129a10a928f73f11c3aa32656c44b4
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Fri Sep 4 06:40:45 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
full stop belongs outside the brackets, not inside;
|
|
|
|
Upstream-ID: 99d098287767799ac33d2442a05b5053fa5a551a
|
|
|
|
commit a85768a9321d74b41219eeb3c9be9f1702cbf6a5
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Sep 4 04:56:09 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add a debug2() right before DNS resolution; it's a place
|
|
where ssh could previously silently hang for a while. bz#2433
|
|
|
|
Upstream-ID: 52a1a3e0748db66518e7598352c427145692a6a0
|
|
|
|
commit 46152af8d27aa34d5d26ed1c371dc8aa142d4730
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Sep 4 04:55:24 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
correct function name in error messages
|
|
|
|
Upstream-ID: 92fb2798617ad9561370897f4ab60adef2ff4c0e
|
|
|
|
commit a954cdb799a4d83c2d40fbf3e7b9f187fbfd72fc
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Sep 4 04:47:50 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
better document ExitOnForwardFailure; bz#2444, ok
|
|
dtucker@
|
|
|
|
Upstream-ID: a126209b5a6d9cb3117ac7ab5bc63d284538bfc2
|
|
|
|
commit f54d8ac2474b6fc3afa081cf759b48a6c89d3319
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Sep 4 04:44:08 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't record hostbased authentication hostkeys as user
|
|
keys in test for multiple authentication with the same key
|
|
|
|
Upstream-ID: 26b368fa2cff481f47f37e01b8da1ae5b57b1adc
|
|
|
|
commit ac3451dd65f27ecf85dc045c46d49e2bbcb8dddd
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Sep 4 03:57:38 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
remove extra newline in nethack-mode hostkey; from
|
|
Christian Hesse bz#2686
|
|
|
|
Upstream-ID: 4f56368b1cc47baeea0531912186f66007fd5b92
|
|
|
|
commit 9e3ed9ebb1a7e47c155c28399ddf09b306ea05df
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Sep 4 04:23:10 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
trim junk from end of file; bz#2455 from Jakub Jelen
|
|
|
|
Upstream-Regress-ID: a4e64e8931e40d23874b047074444eff919cdfe6
|
|
|
|
commit f3a3ea180afff080bab82087ee0b60db9fd84f6c
|
|
Author: jsg@openbsd.org <jsg@openbsd.org>
|
|
Date: Wed Sep 2 07:51:12 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Fix occurrences of "r = func() != 0" which result in the
|
|
wrong error codes being returned due to != having higher precedence than =.
|
|
|
|
ok deraadt@ markus@
|
|
|
|
Upstream-ID: 5fc35c9fc0319cc6fca243632662d2f06b5fd840
|
|
|
|
commit f498a98cf83feeb7ea01c15cd1c98b3111361f3a
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Sep 3 09:11:22 2015 +1000
|
|
|
|
don't check for yp_match; ok tim@
|
|
|
|
commit 9690b78b7848b0b376980a61d51b1613e187ddb5
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Aug 21 23:57:48 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Improve printing of KEX offers and decisions
|
|
|
|
The debug output now labels the client and server offers and the
|
|
negotiated options. ok markus@
|
|
|
|
Upstream-ID: 8db921b3f92a4565271b1c1fbce6e7f508e1a2cb
|
|
|
|
commit 60a92470e21340e1a3fc10f9c7140d8e1519dc55
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Aug 21 23:53:08 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Fix printing (ssh -G ...) of HostKeyAlgorithms=+...
|
|
Reported by Bryan Drewery
|
|
|
|
Upstream-ID: 19ad20c41bd5971e006289b6f9af829dd46c1293
|
|
|
|
commit 6310f60fffca2d1e464168e7d1f7e3b6b0268897
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Aug 21 23:52:30 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Fix expansion of HostkeyAlgorithms=+...
|
|
|
|
Reported by Bryan Drewery
|
|
|
|
Upstream-ID: 70ca1deea39d758ba36d36428ae832e28566f78d
|
|
|
|
commit e774e5ea56237fd626a8161f9005023dff3e76c9
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Fri Aug 21 23:29:31 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Improve size == 0, count == 0 checking in mm_zalloc,
|
|
which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
|
|
|
Upstream-ID: 899b021be43b913fad3eca1aef44efe710c53e29
|
|
|
|
commit 189de02d9ad6f3645417c0ddf359b923aae5f926
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Aug 21 15:45:02 2015 +1000
|
|
|
|
expose POLLHUP and POLLNVAL for netcat.c
|
|
|
|
commit e91346dc2bbf460246df2ab591b7613908c1b0ad
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Aug 21 14:49:03 2015 +1000
|
|
|
|
we don't use Github for issues/pull-requests
|
|
|
|
commit a4f5b507c708cc3dc2c8dd2d02e4416d7514dc23
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Aug 21 14:43:55 2015 +1000
|
|
|
|
fix URL for connect.c
|
|
|
|
commit d026a8d3da0f8186598442997c7d0a28e7275414
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Aug 21 13:47:10 2015 +1000
|
|
|
|
update version numbers for 7.1
|
|
|
|
commit 78f8f589f0ca1c9f41e5a9bae3cda5ce8a6b42ed
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Aug 21 03:45:26 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
openssh-7.1
|
|
|
|
Upstream-ID: ff7b1ef4b06caddfb45e08ba998128c88be3d73f
|
|
|
|
commit 32a181980c62fce94f7f9ffaf6a79d90f0c309cf
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Aug 21 03:42:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix inverted logic that broke PermitRootLogin; reported
|
|
by Mantas Mikulenas; ok markus@
|
|
|
|
Upstream-ID: 260dd6a904c1bb7e43267e394b1c9cf70bdd5ea5
|
|
|
|
commit ce445b0ed927e45bd5bdce8f836eb353998dd65c
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Thu Aug 20 22:32:42 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Do not cast result of malloc/calloc/realloc* if stdlib.h
|
|
is in scope ok krw millert
|
|
|
|
Upstream-ID: 5e50ded78cadf3841556649a16cc4b1cb6c58667
|
|
|
|
commit 05291e5288704d1a98bacda269eb5a0153599146
|
|
Author: naddy@openbsd.org <naddy@openbsd.org>
|
|
Date: Thu Aug 20 19:20:06 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
In the certificates section, be consistent about using
|
|
"host_key" and "user_key" for the respective key types. ok sthen@ deraadt@
|
|
|
|
Upstream-ID: 9e037ea3b15577b238604c5533e082a3947f13cb
|
|
|
|
commit 8543d4ef6f2e9f98c3e6b77c894ceec30c5e4ae4
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Aug 19 23:21:42 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Better compat matching for WinSCP, add compat matching
|
|
for FuTTY (fork of PuTTY); ok markus@ deraadt@
|
|
|
|
Upstream-ID: 24001d1ac115fa3260fbdc329a4b9aeb283c5389
|
|
|
|
commit ec6eda16ebab771aa3dfc90629b41953b999cb1e
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Aug 19 23:19:01 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix double-free() in error path of DSA key generation
|
|
reported by Mateusz Kocielski; ok markus@
|
|
|
|
Upstream-ID: 4735d8f888b10599a935fa1b374787089116713c
|
|
|
|
commit 45b0eb752c94954a6de046bfaaf129e518ad4b5b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Aug 19 23:18:26 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix free() of uninitialised pointer reported by Mateusz
|
|
Kocielski; ok markus@
|
|
|
|
Upstream-ID: 519552b050618501a06b7b023de5cb104e2c5663
|
|
|
|
commit c837643b93509a3ef538cb6624b678c5fe32ff79
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Aug 19 23:17:51 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fixed unlink([uninitialised memory]) reported by Mateusz
|
|
Kocielski; ok markus@
|
|
|
|
Upstream-ID: 14a0c4e7d891f5a8dabc4b89d4f6b7c0d5a20109
|
|
|
|
commit 1f8d3d629cd553031021068eb9c646a5f1e50994
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Fri Aug 14 15:32:41 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
match myproposal.h order; from brian conway (i snuck in a
|
|
tweak while here)
|
|
|
|
ok dtucker
|
|
|
|
Upstream-ID: 35174a19b5237ea36aa3798f042bf5933b772c67
|
|
|
|
commit 1dc8d93ce69d6565747eb44446ed117187621b26
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Thu Aug 6 14:53:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add prohibit-password as a synonymn for without-password,
|
|
since the without-password is causing too many questions. Harden it to ban
|
|
all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from
|
|
djm, ok markus
|
|
|
|
Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
|
|
|
|
commit 90a95a4745a531b62b81ce3b025e892bdc434de5
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Aug 11 13:53:41 2015 +1000
|
|
|
|
update version in README
|
|
|
|
commit 318c37743534b58124f1bab37a8a0087a3a9bd2f
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Aug 11 13:53:09 2015 +1000
|
|
|
|
update versions in *.spec
|
|
|
|
commit 5e75f5198769056089fb06c4d738ab0e5abc66f7
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Aug 11 13:34:12 2015 +1000
|
|
|
|
set sshpam_ctxt to NULL after free
|
|
|
|
Avoids use-after-free in monitor when privsep child is compromised.
|
|
Reported by Moritz Jodeit; ok dtucker@
|
|
|
|
commit d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Aug 11 13:33:24 2015 +1000
|
|
|
|
Don't resend username to PAM; it already has it.
|
|
|
|
Pointed out by Moritz Jodeit; ok dtucker@
|
|
|
|
commit 88763a6c893bf3dfe951ba9271bf09715e8d91ca
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Jul 27 12:14:25 2015 +1000
|
|
|
|
Import updated moduli file from OpenBSD.
|
|
|
|
commit 55b263fb7cfeacb81aaf1c2036e0394c881637da
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Aug 10 11:13:44 2015 +1000
|
|
|
|
let principals-command.sh work for noexec /var/run
|
|
|
|
commit 2651e34cd11b1aac3a0fe23b86d8c2ff35c07897
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Aug 6 11:43:42 2015 +1000
|
|
|
|
work around echo -n / sed behaviour in tests
|
|
|
|
commit d85dad81778c1aa8106acd46930b25fdf0d15b2a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Aug 5 05:27:33 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
adjust for RSA minimum modulus switch; ok deraadt@
|
|
|
|
Upstream-Regress-ID: 5a72c83431b96224d583c573ca281cd3a3ebfdae
|
|
|
|
commit 57e8e229bad5fe6056b5f1199665f5f7008192c6
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Aug 4 05:23:06 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
backout SSH_RSA_MINIMUM_MODULUS_SIZE increase for this
|
|
release; problems spotted by sthen@ ok deraadt@ markus@
|
|
|
|
Upstream-ID: d0bd60dde9e8c3cd7030007680371894c1499822
|
|
|
|
commit f097d0ea1e0889ca0fa2e53a00214e43ab7fa22a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Aug 2 09:56:42 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
openssh 7.0; ok deraadt@
|
|
|
|
Upstream-ID: c63afdef537f57f28ae84145c5a8e29e9250221f
|
|
|
|
commit 3d5728a0f6874ce4efb16913a12963595070f3a9
|
|
Author: chris@openbsd.org <chris@openbsd.org>
|
|
Date: Fri Jul 31 15:38:09 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Allow PermitRootLogin to be overridden by config
|
|
|
|
ok markus@ deeradt@
|
|
|
|
Upstream-ID: 5cf3e26ed702888de84e2dc9d0054ccf4d9125b4
|
|
|
|
commit 6f941396b6835ad18018845f515b0c4fe20be21a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Jul 30 23:09:15 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix pty permissions; patch from Nikolay Edigaryev; ok
|
|
deraadt
|
|
|
|
Upstream-ID: 40ff076d2878b916fbfd8e4f45dbe5bec019e550
|
|
|
|
commit f4373ed1e8fbc7c8ce3fc4ea97d0ba2e0c1d7ef0
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Thu Jul 30 19:23:02 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
change default: PermitRootLogin without-password matching
|
|
install script changes coming as well ok djm markus
|
|
|
|
Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6
|
|
|
|
commit 0c30ba91f87fcda7e975e6ff8a057f624e87ea1c
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jul 30 12:31:39 2015 +1000
|
|
|
|
downgrade OOM adjustment logging: verbose -> debug
|
|
|
|
commit f9eca249d4961f28ae4b09186d7dc91de74b5895
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Jul 30 00:01:34 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Allow ssh_config and sshd_config kex parameters options be
|
|
prefixed by a '+' to indicate that the specified items be appended to the
|
|
default rather than replacing it.
|
|
|
|
approach suggested by dtucker@, feedback dlg@, ok markus@
|
|
|
|
Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
|
|
|
|
commit 5cefe769105a2a2e3ca7479d28d9a325d5ef0163
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 29 08:34:54 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix bug in previous; was printing incorrect string for
|
|
failed host key algorithms negotiation
|
|
|
|
Upstream-ID: 22c0dc6bc61930513065d92e11f0753adc4c6e6e
|
|
|
|
commit f319912b0d0e1675b8bb051ed8213792c788bcb2
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 29 04:43:06 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
include the peer's offer when logging a failure to
|
|
negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
|
|
|
|
Upstream-ID: bbb8caabf5c01790bb845f5ce135565248d7c796
|
|
|
|
commit b6ea0e573042eb85d84defb19227c89eb74cf05a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jul 28 23:20:42 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add Cisco to the list of clients that choke on the
|
|
hostkeys update extension. Pointed out by Howard Kash
|
|
|
|
Upstream-ID: c9eadde28ecec056c73d09ee10ba4570dfba7e84
|
|
|
|
commit 3f628c7b537291c1019ce86af90756fb4e66d0fd
|
|
Author: guenther@openbsd.org <guenther@openbsd.org>
|
|
Date: Mon Jul 27 16:29:23 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Permit kbind(2) use in the sandbox now, to ease testing
|
|
of ld.so work using it
|
|
|
|
reminded by miod@, ok deraadt@
|
|
|
|
Upstream-ID: 523922e4d1ba7a091e3824e77a8a3c818ee97413
|
|
|
|
commit ebe27ebe520098bbc0fe58945a87ce8490121edb
|
|
Author: millert@openbsd.org <millert@openbsd.org>
|
|
Date: Mon Jul 20 18:44:12 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Move .Pp before .Bl, not after to quiet mandoc -Tlint.
|
|
Noticed by jmc@
|
|
|
|
Upstream-ID: 59fadbf8407cec4e6931e50c53cfa0214a848e23
|
|
|
|
commit d5d91d0da819611167782c66ab629159169d94d4
|
|
Author: millert@openbsd.org <millert@openbsd.org>
|
|
Date: Mon Jul 20 18:42:35 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Sync usage with SYNOPSIS
|
|
|
|
Upstream-ID: 7a321a170181a54f6450deabaccb6ef60cf3f0b7
|
|
|
|
commit 79ec2142fbc68dd2ed9688608da355fc0b1ed743
|
|
Author: millert@openbsd.org <millert@openbsd.org>
|
|
Date: Mon Jul 20 15:39:52 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Better desciption of Unix domain socket forwarding.
|
|
bz#2423; ok jmc@
|
|
|
|
Upstream-ID: 85e28874726897e3f26ae50dfa2e8d2de683805d
|
|
|
|
commit d56fd1828074a4031b18b8faa0bf949669eb18a0
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Jul 20 11:19:51 2015 +1000
|
|
|
|
make realpath.c compile -Wsign-compare clean
|
|
|
|
commit c63c9a691dca26bb7648827f5a13668832948929
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jul 20 00:30:01 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
mention that the default of UseDNS=no implies that
|
|
hostnames cannot be used for host matching in sshd_config and
|
|
authorized_keys; bz#2045, ok dtucker@
|
|
|
|
Upstream-ID: 0812705d5f2dfa59aab01f2764ee800b1741c4e1
|
|
|
|
commit 63ebcd0005e9894fcd6871b7b80aeea1fec0ff76
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sat Jul 18 08:02:17 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't ignore PKCS#11 hosted keys that return empty
|
|
CKA_ID; patch by Jakub Jelen via bz#2429; ok markus
|
|
|
|
Upstream-ID: 2f7c94744eb0342f8ee8bf97b2351d4e00116485
|
|
|
|
commit b15fd989c8c62074397160147a8d5bc34b3f3c63
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sat Jul 18 08:00:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
skip uninitialised PKCS#11 slots; patch from Jakub Jelen
|
|
in bz#2427 ok markus@
|
|
|
|
Upstream-ID: 744c1e7796e237ad32992d0d02148e8a18f27d29
|
|
|
|
commit 5b64f85bb811246c59ebab70aed331f26ba37b18
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sat Jul 18 07:57:14 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
only query each keyboard-interactive device once per
|
|
authentication request regardless of how many times it is listed; ok markus@
|
|
|
|
Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
|
|
|
|
commit cd7324d0667794eb5c236d8a4e0f236251babc2d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 17 03:34:27 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
remove -u flag to diff (only used for error output) to make
|
|
things easier for -portable
|
|
|
|
Upstream-Regress-ID: a5d6777d2909540d87afec3039d9bb2414ade548
|
|
|
|
commit deb8d99ecba70b67f4af7880b11ca8768df9ec3a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 17 03:09:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
direct-streamlocal@openssh.com Unix domain foward
|
|
messages do not contain a "reserved for future use" field and in fact,
|
|
serverloop.c checks that there isn't one. Remove erroneous mention from
|
|
PROTOCOL description. bz#2421 from Daniel Black
|
|
|
|
Upstream-ID: 3d51a19e64f72f764682f1b08f35a8aa810a43ac
|
|
|
|
commit 356b61f365405b5257f5b2ab446e5d7bd33a7b52
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 17 03:04:27 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
describe magic for setting up Unix domain socket fowards
|
|
via the mux channel; bz#2422 patch from Daniel Black
|
|
|
|
Upstream-ID: 943080fe3864715c423bdeb7c920bb30c4eee861
|
|
|
|
commit d3e2aee41487d55b8d7d40f538b84ff1db7989bc
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jul 17 12:52:34 2015 +1000
|
|
|
|
Check if realpath works on nonexistent files.
|
|
|
|
On some platforms the native realpath doesn't work with non-existent
|
|
files (this is actually specified in some versions of POSIX), however
|
|
the sftp spec says its realpath with "canonicalize any given path name".
|
|
On those platforms, use realpath from the compat library.
|
|
|
|
In addition, when compiling with -DFORTIFY_SOURCE, glibc redefines
|
|
the realpath symbol to the checked version, so redefine ours to
|
|
something else so we pick up the compat version we want.
|
|
|
|
bz#2428, ok djm@
|
|
|
|
commit 25b14610dab655646a109db5ef8cb4c4bf2a48a0
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 17 02:47:45 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix incorrect test for SSH1 keys when compiled without SSH1
|
|
support
|
|
|
|
Upstream-ID: 6004d720345b8e481c405e8ad05ce2271726e451
|
|
|
|
commit df56a8035d429b2184ee94aaa7e580c1ff67f73a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 15 08:00:11 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix NULL-deref when SSH1 reenabled
|
|
|
|
Upstream-ID: f22fd805288c92b3e9646782d15b48894b2d5295
|
|
|
|
commit 41e38c4d49dd60908484e6703316651333f16b93
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 15 07:19:50 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
regen RSA1 test keys; the last batch was missing their
|
|
private parts
|
|
|
|
Upstream-Regress-ID: 7ccf437305dd63ff0b48dd50c5fd0f4d4230c10a
|
|
|
|
commit 5bf0933184cb622ca3f96d224bf3299fd2285acc
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Fri Jul 10 06:23:25 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Adapt tests, now that DSA if off by default; use
|
|
PubkeyAcceptedKeyTypes and PubkeyAcceptedKeyTypes to test DSA.
|
|
|
|
Upstream-Regress-ID: 0ff2a3ff5ac1ce5f92321d27aa07b98656efcc5c
|
|
|
|
commit 7a6e3fd7b41dbd3756b6bf9acd67954c0b1564cc
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Tue Jul 7 14:54:16 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
regen test data after mktestdata.sh changes
|
|
|
|
Upstream-Regress-ID: 3495ecb082b9a7c048a2d7c5c845d3bf181d25a4
|
|
|
|
commit 7c8c174c69f681d4910fa41c37646763692b28e2
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Tue Jul 7 14:53:30 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
adapt tests to new minimum RSA size and default FP format
|
|
|
|
Upstream-Regress-ID: a4b30afd174ce82b96df14eb49fb0b81398ffd0e
|
|
|
|
commit 6a977a4b68747ade189e43d302f33403fd4a47ac
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 3 04:39:23 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
legacy v00 certificates are gone; adapt and don't try to
|
|
test them; "sure" markus@ dtucker@
|
|
|
|
Upstream-Regress-ID: c57321e69b3cd4a3b3396dfcc43f0803d047da12
|
|
|
|
commit 0c4123ad5e93fb90fee9c6635b13a6cdabaac385
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 1 23:11:18 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't expect SSH v.1 in unittests
|
|
|
|
Upstream-Regress-ID: f8812b16668ba78e6a698646b2a652b90b653397
|
|
|
|
commit 3c099845798a817cdde513c39074ec2063781f18
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jun 15 06:38:50 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
turn SSH1 back on to match src/usr.bin/ssh being tested
|
|
|
|
Upstream-Regress-ID: 6c4f763a2f0cc6893bf33983919e9030ae638333
|
|
|
|
commit b1dc2b33689668c75e95f873a42d5aea1f4af1db
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Mon Jul 13 04:57:14 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Add "PuTTY_Local:" to the clients to which we do not
|
|
offer DH-GEX. This was the string that was used for development versions
|
|
prior to September 2014 and they don't do RFC4419 DH-GEX, but unfortunately
|
|
there are some extant products based on those versions. bx2424 from Jay
|
|
Rouman, ok markus@ djm@
|
|
|
|
Upstream-ID: be34d41e18b966832fe09ca243d275b81882e1d5
|
|
|
|
commit 3a1638dda19bbc73d0ae02b4c251ce08e564b4b9
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Fri Jul 10 06:21:53 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Turn off DSA by default; add HostKeyAlgorithms to the
|
|
server and PubkeyAcceptedKeyTypes to the client side, so it still can be
|
|
tested or turned back on; feedback and ok djm@
|
|
|
|
Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
|
|
|
|
commit 16db0a7ee9a87945cc594d13863cfcb86038db59
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Thu Jul 9 09:49:46 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
re-enable ed25519-certs if compiled w/o openssl; ok djm
|
|
|
|
Upstream-ID: e10c90808b001fd2c7a93778418e9b318f5c4c49
|
|
|
|
commit c355bf306ac33de6545ce9dac22b84a194601e2f
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed Jul 8 20:24:02 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
no need to include the old buffer/key API
|
|
|
|
Upstream-ID: fb13c9f7c0bba2545f3eb0a0e69cb0030819f52b
|
|
|
|
commit a3cc48cdf9853f1e832d78cb29bedfab7adce1ee
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed Jul 8 19:09:25 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
typedefs for Cipher&CipherContext are unused
|
|
|
|
Upstream-ID: 50e6a18ee92221d23ad173a96d5b6c42207cf9a7
|
|
|
|
commit a635bd06b5c427a57c3ae760d3a2730bb2c863c0
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed Jul 8 19:04:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
xmalloc.h is unused
|
|
|
|
Upstream-ID: afb532355b7fa7135a60d944ca1e644d1d63cb58
|
|
|
|
commit 2521cf0e36c7f3f6b19f206da0af134f535e4a31
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed Jul 8 19:01:15 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
compress.c is gone
|
|
|
|
Upstream-ID: 174fa7faa9b9643cba06164b5e498591356fbced
|
|
|
|
commit c65a7aa6c43aa7a308ee1ab8a96f216169ae9615
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 3 04:05:54 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
another SSH_RSA_MINIMUM_MODULUS_SIZE that needed
|
|
cranking
|
|
|
|
Upstream-ID: 9d8826cafe96aab4ae8e2f6fd22800874b7ffef1
|
|
|
|
commit b1f383da5cd3cb921fc7776f17a14f44b8a31757
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 3 03:56:25 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add an XXX reminder for getting correct key paths from
|
|
sshd_config
|
|
|
|
Upstream-ID: feae52b209d7782ad742df04a4260e9fe41741db
|
|
|
|
commit 933935ce8d093996c34d7efa4d59113163080680
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 3 03:49:45 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
refuse to generate or accept RSA keys smaller than 1024
|
|
bits; feedback and ok dtucker@
|
|
|
|
Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba
|
|
|
|
commit bdfd29f60b74f3e678297269dc6247a5699583c1
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 3 03:47:00 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
turn off 1024 bit diffie-hellman-group1-sha1 key
|
|
exchange method (already off in server, this turns it off in the client by
|
|
default too) ok dtucker@
|
|
|
|
Upstream-ID: f59b88f449210ab7acf7d9d88f20f1daee97a4fa
|
|
|
|
commit c28fc62d789d860c75e23a9fa9fb250eb2beca57
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jul 3 03:43:18 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
delete support for legacy v00 certificates; "sure"
|
|
markus@ dtucker@
|
|
|
|
Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f
|
|
|
|
commit 564d63e1b4a9637a209d42a9d49646781fc9caef
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 1 23:10:47 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Compile-time disable SSH v.1 again
|
|
|
|
Upstream-ID: 1d4b513a3a06232f02650b73bad25100d1b800af
|
|
|
|
commit 868109b650504dd9bcccdb1f51d0906f967c20ff
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 1 02:39:06 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
twiddle PermitRootLogin back
|
|
|
|
Upstream-ID: 2bd23976305d0512e9f84d054e1fc23cd70b89f2
|
|
|
|
commit 7de4b03a6e4071d454b72927ffaf52949fa34545
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 1 02:32:17 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
twiddle; (this commit marks the openssh-6.9 release)
|
|
|
|
Upstream-ID: 78500582819f61dd8adee36ec5cc9b9ac9351234
|
|
|
|
commit 1bf477d3cdf1a864646d59820878783d42357a1d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 1 02:26:31 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
better refuse ForwardX11Trusted=no connections attempted
|
|
after ForwardX11Timeout expires; reported by Jann Horn
|
|
|
|
Upstream-ID: bf0fddadc1b46a0334e26c080038313b4b6dea21
|
|
|
|
commit 47aa7a0f8551b471fcae0447c1d78464f6dba869
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 1 01:56:13 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
put back default PermitRootLogin=no
|
|
|
|
Upstream-ID: 7bdedd5cead99c57ed5571f3b6b7840922d5f728
|
|
|
|
commit 984b064fe2a23733733262f88d2e1b2a1a501662
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 1 01:55:13 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
openssh-6.9
|
|
|
|
Upstream-ID: 6cfe8e1904812531080e6ab6e752d7001b5b2d45
|
|
|
|
commit d921082ed670f516652eeba50705e1e9f6325346
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jul 1 01:55:00 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
reset default PermitRootLogin to 'yes' (momentarily, for
|
|
release)
|
|
|
|
Upstream-ID: cad8513527066e65dd7a1c16363d6903e8cefa24
|
|
|
|
commit 66295e0e1ba860e527f191b6325d2d77dec4dbce
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 1 11:49:12 2015 +1000
|
|
|
|
crank version numbers for release
|
|
|
|
commit 37035c07d4f26bb1fbe000d2acf78efdb008681d
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jul 1 10:49:37 2015 +1000
|
|
|
|
s/--with-ssh1/--without-ssh1/
|
|
|
|
commit 629df770dbadc2accfbe1c81b3f31f876d0acd84
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jun 30 05:25:07 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fatal() when a remote window update causes the window
|
|
value to overflow. Reported by Georg Wicherski, ok markus@
|
|
|
|
Upstream-ID: ead397a9aceb3bf74ebfa5fcaf259d72e569f351
|
|
|
|
commit f715afebe735d61df3fd30ad72d9ac1c8bd3b5f2
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jun 30 05:23:25 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Fix math error in remote window calculations that causes
|
|
eventual stalls for datagram channels. Reported by Georg Wicherski, ok
|
|
markus@
|
|
|
|
Upstream-ID: be54059d11bf64e0d85061f7257f53067842e2ab
|
|
|
|
commit 52fb6b9b034fcfd24bf88cc7be313e9c31de9889
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Jun 30 16:05:40 2015 +1000
|
|
|
|
skip IPv6-related portions on hosts without IPv6
|
|
|
|
with Tim Rice
|
|
|
|
commit 512caddf590857af6aa12218461b5c0441028cf5
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jun 29 22:35:12 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add getpid to sandbox, reachable by grace_alarm_handler
|
|
|
|
reported by Jakub Jelen; bz#2419
|
|
|
|
Upstream-ID: d0da1117c16d4c223954995d35b0f47c8f684cd8
|
|
|
|
commit 78c2a4f883ea9aba866358e2acd9793a7f42ca93
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jun 26 05:13:20 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Fix \-escaping bug that caused forward path parsing to skip
|
|
two characters and skip past the end of the string.
|
|
|
|
Based on patch by Salvador Fandino; ok dtucker@
|
|
|
|
Upstream-ID: 7b879dc446335677cbe4cb549495636a0535f3bd
|
|
|
|
commit bc20205c91c9920361d12b15d253d4997dba494a
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jun 25 09:51:39 2015 +1000
|
|
|
|
add missing pselect6
|
|
|
|
patch from Jakub Jelen
|
|
|
|
commit 9d27fb73b4a4e5e99cb880af790d5b1ce44f720a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jun 24 23:47:23 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
correct test to sshkey_sign(); spotted by Albert S.
|
|
|
|
Upstream-ID: 5f7347f40f0ca6abdaca2edb3bd62f4776518933
|
|
|
|
commit 7ed01a96a1911d8b4a9ef4f3d064e1923bfad7e3
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed Jun 24 01:49:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Revert previous commit. We still want to call setgroups
|
|
in the case where there are zero groups to remove any that we might otherwise
|
|
inherit (as pointed out by grawity at gmail.com) and since the 2nd argument
|
|
to setgroups is always a static global it's always valid to dereference in
|
|
this case. ok deraadt@ djm@
|
|
|
|
Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01
|
|
|
|
commit 882f8bf94f79528caa65b0ba71c185d705bb7195
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed Jun 24 01:49:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Revert previous commit. We still want to call setgroups in
|
|
the case where there are zero groups to remove any that we might otherwise
|
|
inherit (as pointed out by grawity at gmail.com) and since the 2nd argument
|
|
to setgroups is always a static global it's always valid to dereference in
|
|
this case. ok deraadt@ djm@
|
|
|
|
Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01
|
|
|
|
commit 9488538a726951e82b3a4374f3c558d72c80a89b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jun 22 23:42:16 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Don't count successful partial authentication as failures
|
|
in monitor; this may have caused the monitor to refuse multiple
|
|
authentications that would otherwise have successfully completed; ok markus@
|
|
|
|
Upstream-ID: eb74b8e506714d0f649bd5c300f762a527af04a3
|
|
|
|
commit 63b78d003bd8ca111a736e6cea6333da50f5f09b
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Mon Jun 22 12:29:57 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Don't call setgroups if we have zero groups; there's no
|
|
guarantee that it won't try to deref the pointer. Based on a patch from mail
|
|
at quitesimple.org, ok djm deraadt
|
|
|
|
Upstream-ID: 2fff85e11d7a9a387ef7fddf41fbfaf566708ab1
|
|
|
|
commit 5c15e22c691c79a47747bcf5490126656f97cecd
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jun 18 15:07:56 2015 +1000
|
|
|
|
fix syntax error
|
|
|
|
commit 596dbca82f3f567fb3d2d69af4b4e1d3ba1e6403
|
|
Author: jsing@openbsd.org <jsing@openbsd.org>
|
|
Date: Mon Jun 15 18:44:22 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
If AuthorizedPrincipalsCommand is specified, however
|
|
AuthorizedPrincipalsFile is not (or is set to "none"), authentication will
|
|
potentially fail due to key_cert_check_authority() failing to locate a
|
|
principal that matches the username, even though an authorized principal has
|
|
already been matched in the output of the subprocess. Fix this by using the
|
|
same logic to determine if pw->pw_name should be passed, as is used to
|
|
determine if a authorized principal must be matched earlier on.
|
|
|
|
ok djm@
|
|
|
|
Upstream-ID: 43b42302ec846b0ea68aceb40677245391b9409d
|
|
|
|
commit aff3e94c0d75d0d0fa84ea392b50ab04f8c57905
|
|
Author: jsing@openbsd.org <jsing@openbsd.org>
|
|
Date: Mon Jun 15 18:42:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Make the arguments to match_principals_command() similar
|
|
to match_principals_file(), by changing the last argument a struct
|
|
sshkey_cert * and dereferencing key->cert in the caller.
|
|
|
|
No functional change.
|
|
|
|
ok djm@
|
|
|
|
Upstream-ID: 533f99b844b21b47342b32b62e198dfffcf8651c
|
|
|
|
commit 97e2e1596c202a4693468378b16b2353fd2d6c5e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jun 17 14:36:54 2015 +1000
|
|
|
|
trivial optimisation for seccomp-bpf
|
|
|
|
When doing arg inspection and the syscall doesn't match, skip
|
|
past the instruction that reloads the syscall into the accumulator,
|
|
since the accumulator hasn't been modified at this point.
|
|
|
|
commit 99f33d7304893bd9fa04d227cb6e870171cded19
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jun 17 10:50:51 2015 +1000
|
|
|
|
aarch64 support for seccomp-bpf sandbox
|
|
|
|
Also resort and tidy syscall list. Based on patches by Jakub Jelen
|
|
bz#2361; ok dtucker@
|
|
|
|
commit 4ef702e1244633c1025ec7cfe044b9ab267097bf
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jun 15 01:32:50 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
return failure on RSA signature error; reported by Albert S
|
|
|
|
Upstream-ID: e61bb93dbe0349625807b0810bc213a6822121fa
|
|
|
|
commit a170f22baf18af0b1acf2788b8b715605f41a1f9
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Tue Jun 9 22:41:13 2015 -0700
|
|
|
|
Fix t12 rules for out of tree builds.
|
|
|
|
commit ec04dc4a5515c913121bc04ed261857e68fa5c18
|
|
Author: millert@openbsd.org <millert@openbsd.org>
|
|
Date: Fri Jun 5 15:13:13 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
For "ssh -L 12345:/tmp/sock" don't fail with "No forward host
|
|
name." (we have a path, not a host name). Based on a diff from Jared
|
|
Yanovich. OK djm@
|
|
|
|
Upstream-ID: 2846b0a8c7de037e33657f95afbd282837fc213f
|
|
|
|
commit 732d61f417a6aea0aa5308b59cb0f563bcd6edd6
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jun 5 03:44:14 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
typo: accidental repetition; bz#2386
|
|
|
|
Upstream-ID: 45e620d99f6bc301e5949d34a54027374991c88b
|
|
|
|
commit adfb24c69d1b6f5e758db200866c711e25a2ba73
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Jun 5 14:51:40 2015 +1000
|
|
|
|
Add Linux powerpc64le and powerpcle entries.
|
|
|
|
Stopgap to resolve bz#2409 because we are so close to release and will
|
|
update config.guess and friends shortly after the release. ok djm@
|
|
|
|
commit a1195a0fdc9eddddb04d3e9e44c4775431cb77da
|
|
Merge: 6397eed d2480bc
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Wed Jun 3 21:43:13 2015 -0700
|
|
|
|
Merge branch 'master' of git.mindrot.org:/var/git/openssh
|
|
|
|
commit 6397eedf953b2b973d2d7cbb504ab501a07f8ddc
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Wed Jun 3 21:41:11 2015 -0700
|
|
|
|
Remove unneeded backslashes. Patch from Ángel González
|
|
|
|
commit d2480bcac1caf31b03068de877a47d6e1027bf6d
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Jun 4 14:10:55 2015 +1000
|
|
|
|
Remove redundant include of stdarg.h. bz#2410
|
|
|
|
commit 5e67859a623826ccdf2df284cbb37e2d8e2787eb
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jun 2 09:10:40 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
mention CheckHostIP adding addresses to known_hosts;
|
|
bz#1993; ok dtucker@
|
|
|
|
Upstream-ID: fd44b68440fd0dc29abf9f2d3f703d74a2396cb7
|
|
|
|
commit d7a58bbac6583e33fd5eca8e2c2cc70c57617818
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Jun 2 20:15:26 2015 +1000
|
|
|
|
Replace strcpy with strlcpy.
|
|
|
|
ok djm, sanity check by Corinna Vinschen.
|
|
|
|
commit 51a1c2115265c6e80ede8a5c9dccada9aeed7143
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri May 29 18:27:21 2015 +1000
|
|
|
|
skip, rather than fatal when run without SUDO set
|
|
|
|
commit 599f01142a376645b15cbc9349d7e8975e1cf245
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri May 29 18:03:15 2015 +1000
|
|
|
|
fix merge botch that left ",," in KEX algs
|
|
|
|
commit 0c2a81dfc21822f2423edd30751e5ec53467b347
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri May 29 17:08:28 2015 +1000
|
|
|
|
re-enable SSH protocol 1 at compile time
|
|
|
|
commit db438f9285d64282d3ac9e8c0944f59f037c0151
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 29 03:05:13 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make this work without SUDO set; ok dtucker@
|
|
|
|
Upstream-Regress-ID: bca88217b70bce2fe52b23b8e06bdeb82d98c715
|
|
|
|
commit 1d9a2e2849c9864fe75daabf433436341c968e14
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu May 28 07:37:31 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
wrap all moduli-related code in #ifdef WITH_OPENSSL.
|
|
based on patch from Reuben Hawkins; bz#2388 feedback and ok dtucker@
|
|
|
|
Upstream-ID: d80cfc8be3e6ec65b3fac9e87c4466533b31b7cf
|
|
|
|
commit 496aeb25bc2d6c434171292e4714771b594bd00e
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu May 28 05:41:29 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Increase the allowed length of the known host file name
|
|
in the log message to be consistent with other cases. Part of bz#1993, ok
|
|
deraadt.
|
|
|
|
Upstream-ID: a9e97567be49f25daf286721450968251ff78397
|
|
|
|
commit dd2cfeb586c646ff8d70eb93567b2e559ace5b14
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu May 28 05:09:45 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Fix typo (keywork->keyword)
|
|
|
|
Upstream-ID: 8aacd0f4089c0a244cf43417f4f9045dfaeab534
|
|
|
|
commit 9cc6842493fbf23025ccc1edab064869640d3bec
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu May 28 04:50:53 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add error message on ftruncate failure; bz#2176
|
|
|
|
Upstream-ID: cbcc606e0b748520c74a210d8f3cc9718d3148cf
|
|
|
|
commit d1958793a0072c22be26d136dbda5ae263e717a0
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu May 28 04:40:13 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make ssh-keygen default to ed25519 keys when compiled
|
|
without OpenSSL; bz#2388, ok dtucker@
|
|
|
|
Upstream-ID: 85a471fa6d3fa57a7b8e882d22cfbfc1d84cdc71
|
|
|
|
commit 3ecde664c9fc5fb3667aedf9e6671462600f6496
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed May 27 23:51:10 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Reorder client proposal to prefer
|
|
diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1. ok djm@
|
|
|
|
Upstream-ID: 552c08d47347c3ee1a9a57d88441ab50abe17058
|
|
|
|
commit 40f64292b907afd0a674fdbf3e4c2356d17a7d68
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed May 27 23:39:18 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Add a stronger (4k bit) fallback group that sshd can use
|
|
when the moduli file is missing or broken, sourced from RFC3526. bz#2302, ok
|
|
markus@ (earlier version), djm@
|
|
|
|
Upstream-ID: b635215746a25a829d117673d5e5a76d4baee7f4
|
|
|
|
commit 5ab7d5fa03ad55bc438fab45dfb3aeb30a3c237a
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu May 28 10:03:40 2015 +1000
|
|
|
|
New moduli file from OpenBSD, removing 1k groups.
|
|
|
|
Remove 1k bit groups. ok deraadt@, markus@
|
|
|
|
commit a71ba58adf34e599f30cdda6e9b93ae6e3937eea
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed May 27 05:15:02 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
support PKCS#11 devices with external PIN entry devices
|
|
bz#2240, based on patch from Dirk-Willem van Gulik; feedback and ok dtucker@
|
|
|
|
Upstream-ID: 504568992b55a8fc984375242b1bd505ced61b0d
|
|
|
|
commit b282fec1aa05246ed3482270eb70fc3ec5f39a00
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Tue May 26 23:23:40 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Cap DH-GEX group size at 4kbits for Cisco implementations.
|
|
Some of them will choke when asked for preferred sizes >4k instead of
|
|
returning the 4k group that they do have. bz#2209, ok djm@
|
|
|
|
Upstream-ID: 54b863a19713446b7431f9d06ad0532b4fcfef8d
|
|
|
|
commit 3e91b4e8b0dc2b4b7e7d42cf6e8994a32e4cb55e
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun May 24 23:39:16 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add missing 'c' option to getopt(), case statement was
|
|
already there; from Felix Bolte
|
|
|
|
Upstream-ID: 9b19b4e2e0b54d6fefa0dfac707c51cf4bae3081
|
|
|
|
commit 64a89ec07660abba4d0da7c0095b7371c98bab62
|
|
Author: jsg@openbsd.org <jsg@openbsd.org>
|
|
Date: Sat May 23 14:28:37 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix a memory leak in an error path ok markus@ dtucker@
|
|
|
|
Upstream-ID: bc1da0f205494944918533d8780fde65dff6c598
|
|
|
|
commit f948737449257d2cb83ffcfe7275eb79b677fd4a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 22 05:28:45 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
mention ssh-keygen -E for comparing legacy MD5
|
|
fingerprints; bz#2332
|
|
|
|
Upstream-ID: 079a3669549041dbf10dbc072d9563f0dc3b2859
|
|
|
|
commit 0882332616e4f0272c31cc47bf2018f9cb258a4e
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 22 04:45:52 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Reorder EscapeChar option parsing to avoid a single-byte
|
|
out- of-bounds read. bz#2396 from Jaak Ristioja; ok dtucker@
|
|
|
|
Upstream-ID: 1dc6b5b63d1c8d9a88619da0b27ade461d79b060
|
|
|
|
commit d7c31da4d42c115843edee2074d7d501f8804420
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 22 03:50:02 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add knob to relax GSSAPI host credential check for
|
|
multihomed hosts bz#928, patch by Simon Wilkinson; ok dtucker
|
|
(kerberos/GSSAPI is not compiled by default on OpenBSD)
|
|
|
|
Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d
|
|
|
|
commit aa72196a00be6e0b666215edcffbc10af234cb0e
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri May 22 17:49:46 2015 +1000
|
|
|
|
Include signal.h for sig_atomic_t, used by kex.h.
|
|
|
|
bz#2402, from tomas.kuthan at oracle com.
|
|
|
|
commit 8b02481143d75e91c49d1bfae0876ac1fbf9511a
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri May 22 12:47:24 2015 +1000
|
|
|
|
Import updated moduli file from OpenBSD.
|
|
|
|
commit 4739e8d5e1c0be49624082bd9f6b077e9e758db9
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu May 21 12:01:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Support "ssh-keygen -lF hostname" to find search known_hosts
|
|
and print key hashes. Already advertised by ssh-keygen(1), but not delivered
|
|
by code; ok dtucker@
|
|
|
|
Upstream-ID: 459e0e2bf39825e41b0811c336db2d56a1c23387
|
|
|
|
commit e97201feca10b5196da35819ae516d0b87cf3a50
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu May 21 17:55:15 2015 +1000
|
|
|
|
conditionalise util.h inclusion
|
|
|
|
commit 13640798c7dd011ece0a7d02841fe48e94cfa0e0
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu May 21 06:44:25 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
regress test for AuthorizedPrincipalsCommand
|
|
|
|
Upstream-Regress-ID: c658fbf1ab6b6011dc83b73402322e396f1e1219
|
|
|
|
commit 84452c5d03c21f9bfb28c234e0dc1dc67dd817b1
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu May 21 06:40:02 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
regress test for AuthorizedKeysCommand arguments
|
|
|
|
Upstream-Regress-ID: bbd65c13c6b3be9a442ec115800bff9625898f12
|
|
|
|
commit bcc50d816187fa9a03907ac1f3a52f04a52e10d1
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu May 21 06:43:30 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add AuthorizedPrincipalsCommand that allows getting
|
|
authorized_principals from a subprocess rather than a file, which is quite
|
|
useful in deployments with large userbases
|
|
|
|
feedback and ok markus@
|
|
|
|
Upstream-ID: aa1bdac7b16fc6d2fa3524ef08f04c7258d247f6
|
|
|
|
commit 24232a3e5ab467678a86aa67968bbb915caffed4
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu May 21 06:38:35 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
support arguments to AuthorizedKeysCommand
|
|
|
|
bz#2081 loosely based on patch by Sami Hartikainen
|
|
feedback and ok markus@
|
|
|
|
Upstream-ID: b080387a14aa67dddd8ece67c00f268d626541f7
|
|
|
|
commit d80fbe41a57c72420c87a628444da16d09d66ca7
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu May 21 04:55:51 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
refactor: split base64 encoding of pubkey into its own
|
|
sshkey_to_base64() function and out of sshkey_write(); ok markus@
|
|
|
|
Upstream-ID: 54fc38f5832e9b91028900819bda46c3959a0c1a
|
|
|
|
commit 7cc44ef74133a473734bbcbd3484f24d6a7328c5
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Mon May 18 15:06:05 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
getentropy() and sendsyslog() have been around long
|
|
enough. openssh-portable may want the #ifdef's but not base. discussed with
|
|
djm few weeks back
|
|
|
|
Upstream-ID: 0506a4334de108e3fb6c66f8d6e0f9c112866926
|
|
|
|
commit 9173d0fbe44de7ebcad8a15618e13a8b8d78902e
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri May 15 05:44:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Use a salted hash of the lock passphrase instead of plain
|
|
text and do constant-time comparisons of it. Should prevent leaking any
|
|
information about it via timing, pointed out by Ryan Castellucci. Add a 0.1s
|
|
incrementing delay for each failed unlock attempt up to 10s. ok markus@
|
|
(earlier version), djm@
|
|
|
|
Upstream-ID: c599fcc325aa1cc65496b25220b622d22208c85f
|
|
|
|
commit d028d5d3a697c71b21e4066d8672cacab3caa0a8
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue May 5 19:10:58 2015 +1000
|
|
|
|
upstream commit
|
|
|
|
- tedu@cvs.openbsd.org 2015/01/12 03:20:04
|
|
[bcrypt_pbkdf.c]
|
|
rename blocks to words. bcrypt "blocks" are unrelated to blowfish blocks,
|
|
nor are they the same size.
|
|
|
|
commit f6391d4e59b058984163ab28f4e317e7a72478f1
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue May 5 19:10:23 2015 +1000
|
|
|
|
upstream commit
|
|
|
|
- deraadt@cvs.openbsd.org 2015/01/08 00:30:07
|
|
[bcrypt_pbkdf.c]
|
|
declare a local version of MIN(), call it MINIMUM()
|
|
|
|
commit 8ac6b13cc9113eb47cd9e86c97d7b26b4b71b77f
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue May 5 19:09:46 2015 +1000
|
|
|
|
upstream commit
|
|
|
|
- djm@cvs.openbsd.org 2014/12/30 01:41:43
|
|
[bcrypt_pbkdf.c]
|
|
typo in comment: ouput => output
|
|
|
|
commit 1f792489d5cf86a4f4e3003e6e9177654033f0f2
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon May 4 06:10:48 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Remove pattern length argument from match_pattern_list(), we
|
|
only ever use it for strlen(pattern).
|
|
|
|
Prompted by hanno AT hboeck.de pointing an out-of-bound read
|
|
error caused by an incorrect pattern length found using AFL
|
|
and his own tools.
|
|
|
|
ok markus@
|
|
|
|
commit 639d6bc57b1942393ed12fb48f00bc05d4e093e4
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 1 07:10:01 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
refactor ssh_dispatch_run_fatal() to use sshpkt_fatal()
|
|
to better report error conditions. Teach sshpkt_fatal() about ECONNRESET.
|
|
|
|
Improves error messages on TCP connection resets. bz#2257
|
|
|
|
ok dtucker@
|
|
|
|
commit 9559d7de34c572d4d3fd990ca211f8ec99f62c4d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 1 07:08:08 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
a couple of parse targets were missing activep checks,
|
|
causing them to be misapplied in match context; bz#2272 diagnosis and
|
|
original patch from Sami Hartikainen ok dtucker@
|
|
|
|
commit 7e8528cad04b2775c3b7db08abf8fb42e47e6b2a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 1 04:17:51 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make handling of AuthorizedPrincipalsFile=none more
|
|
consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
|
|
|
commit ca430d4d9cc0f62eca3b1fb1e2928395b7ce80f7
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 1 04:03:20 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
remove failed remote forwards established by muliplexing
|
|
from the list of active forwards; bz#2363, patch mostly by Yoann Ricordel; ok
|
|
dtucker@
|
|
|
|
commit 8312cfb8ad88657517b3e23ac8c56c8e38eb9792
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 1 04:01:58 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
reduce stderr spam when using ssh -S /path/mux -O forward
|
|
-R 0:... ok dtucker@
|
|
|
|
commit 179be0f5e62f1f492462571944e45a3da660d82b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 1 03:23:51 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
prevent authorized_keys options picked up on public key
|
|
tests without a corresponding private key authentication being applied to
|
|
other authentication methods. Reported by halex@, ok markus@
|
|
|
|
commit a42d67be65b719a430b7fcaba2a4e4118382723a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 1 03:20:54 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Don't make parsing of authorized_keys' environment=
|
|
option conditional on PermitUserEnv - always parse it, but only use the
|
|
result if the option is enabled. This prevents the syntax of authorized_keys
|
|
changing depending on which sshd_config options were enabled.
|
|
|
|
bz#2329; based on patch from coladict AT gmail.com, ok dtucker@
|
|
|
|
commit e661a86353e11592c7ed6a847e19a83609f49e77
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon May 4 06:10:48 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Remove pattern length argument from match_pattern_list(), we
|
|
only ever use it for strlen(pattern).
|
|
|
|
Prompted by hanno AT hboeck.de pointing an out-of-bound read
|
|
error caused by an incorrect pattern length found using AFL
|
|
and his own tools.
|
|
|
|
ok markus@
|
|
|
|
commit 0ef1de742be2ee4b10381193fe90730925b7f027
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu Apr 23 05:01:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Add a simple regression test for sshd's configuration
|
|
parser. Right now, all it does is run the output of sshd -T back through
|
|
itself and ensure the output is valid and invariant.
|
|
|
|
commit 368f83c793275faa2c52f60eaa9bdac155c4254b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Apr 22 01:38:36 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
use correct key for nested certificate test
|
|
|
|
commit 8d4d1bfddbbd7d21f545dc6997081d1ea1fbc99a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 1 07:11:47 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
mention that the user's shell from /etc/passwd is used
|
|
for commands too; bz#1459 ok dtucker@
|
|
|
|
commit 5ab283d0016bbc9d4d71e8e5284d011bc5a930cf
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 8 07:29:00 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
whitespace
|
|
|
|
Upstream-Regress-ID: 6b708a3e709d5b7fd37890f874bafdff1f597519
|
|
|
|
commit 8377d5008ad260048192e1e56ad7d15a56d103dd
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 8 07:26:13 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
whitespace at EOL
|
|
|
|
Upstream-Regress-ID: 9c48911643d5b05173b36a012041bed4080b8554
|
|
|
|
commit c28a3436fa8737709ea88e4437f8f23a6ab50359
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 8 06:45:13 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
moar whitespace at eol
|
|
|
|
Upstream-ID: 64eaf872a3ba52ed41e494287e80d40aaba4b515
|
|
|
|
commit 2b64c490468fd4ca35ac8d5cc31c0520dc1508bb
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 8 06:41:56 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
whitespace at EOL
|
|
|
|
Upstream-ID: 57bcf67d666c6fc1ad798aee448fdc3f70f7ec2c
|
|
|
|
commit 4e636cf201ce6e7e3b9088568218f9d4e2c51712
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 8 03:56:51 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
whitespace at EOL
|
|
|
|
commit 38b8272f823dc1dd4e29dbcee83943ed48bb12fa
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Mon May 4 01:47:53 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Use diff w/out -u for better portability
|
|
|
|
commit 297060f42d5189a4065ea1b6f0afdf6371fb0507
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri May 8 03:25:07 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Use xcalloc for permitted_adm_opens instead of xmalloc to
|
|
ensure it's zeroed. Fixes post-auth crash with permitopen=none. bz#2355, ok
|
|
djm@
|
|
|
|
commit 63ebf019be863b2d90492a85e248cf55a6e87403
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri May 8 03:17:49 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't choke on new-format private keys encrypted with an
|
|
AEAD cipher; bz#2366, patch from Ron Frederick; ok markus@
|
|
|
|
commit f8484dac678ab3098ae522a5f03bb2530f822987
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed May 6 05:45:17 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Clarify pseudo-terminal request behaviour and use
|
|
"pseudo-terminal" consistently. bz#1716, ok jmc@ "I like it" deraadt@.
|
|
|
|
commit ea139507bef8bad26e86ed99a42c7233ad115c38
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed May 6 04:07:18 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Blacklist DH-GEX for specific PuTTY versions known to
|
|
send non-RFC4419 DH-GEX messages rather than all versions of PuTTY.
|
|
According to Simon Tatham, 0.65 and newer versions will send RFC4419 DH-GEX
|
|
messages. ok djm@
|
|
|
|
commit b58234f00ee3872eb84f6e9e572a9a34e902e36e
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Tue May 5 10:17:49 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
WinSCP doesn't implement RFC4419 DH-GEX so flag it so we
|
|
don't offer that KEX method. ok markus@
|
|
|
|
commit d5b1507a207253b39e810e91e68f9598691b7a29
|
|
Author: jsg@openbsd.org <jsg@openbsd.org>
|
|
Date: Tue May 5 02:48:17 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
use the sizeof the struct not the sizeof a pointer to the
|
|
struct in ssh_digest_start()
|
|
|
|
This file is only used if ssh is built with OPENSSL=no
|
|
|
|
ok markus@
|
|
|
|
commit a647b9b8e616c231594b2710c925d31b1b8afea3
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri May 8 11:07:27 2015 +1000
|
|
|
|
Put brackets around mblen() compat constant.
|
|
|
|
This might help with the reported problem cross compiling for Android
|
|
("error: expected identifier or '(' before numeric constant") but
|
|
shouldn't hurt in any case.
|
|
|
|
commit d1680d36e17244d9af3843aeb5025cb8e40d6c07
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Apr 30 09:18:11 2015 +1000
|
|
|
|
xrealloc -> xreallocarray in portable code too.
|
|
|
|
commit 531a57a3893f9fcd4aaaba8c312b612bbbcc021e
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed Apr 29 03:48:56 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Allow ListenAddress, Port and AddressFamily in any
|
|
order. bz#68, ok djm@, jmc@ (for the man page bit).
|
|
|
|
commit c1d5bcf1aaf1209af02f79e48ba1cbc76a87b56f
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Tue Apr 28 13:47:38 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
enviroment -> environment: apologies to darren for not
|
|
spotting that first time round...
|
|
|
|
commit 43beea053db191cac47c2cd8d3dc1930158aff1a
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Tue Apr 28 10:25:15 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Fix typo in previous
|
|
|
|
commit 85b96ef41374f3ddc9139581f87da09b2cd9199e
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Tue Apr 28 10:17:58 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Document that the TERM environment variable is not
|
|
subject to SendEnv and AcceptEnv. bz#2386, based loosely on a patch from
|
|
jjelen at redhat, help and ok jmc@
|
|
|
|
commit 88a7c598a94ff53f76df228eeaae238d2d467565
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Apr 27 21:42:48 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Make sshd default to PermitRootLogin=no; ok deraadt@
|
|
rpe@
|
|
|
|
commit 734226b4480a6c736096c729fcf6f391400599c7
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Apr 27 01:52:30 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix compilation with OPENSSL=no; ok dtucker@
|
|
|
|
commit a4b9d2ce1eb7703eaf0809b0c8a82ded8aa4f1c6
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Mon Apr 27 00:37:53 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Include stdio.h for FILE (used in sshkey.h) so it
|
|
compiles with OPENSSL=no.
|
|
|
|
commit dbcc652f4ca11fe04e5930c7ef18a219318c6cda
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Apr 27 00:21:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
allow "sshd -f none" to skip reading the config file,
|
|
much like "ssh -F none" does. ok dtucker
|
|
|
|
commit b7ca276fca316c952f0b90f5adb1448c8481eedc
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Fri Apr 24 06:26:49 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
combine -Dd onto one line and update usage();
|
|
|
|
commit 2ea974630d7017e4c7666d14d9dc939707613e96
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 24 05:26:44 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add ssh-agent -D to leave ssh-agent in foreground
|
|
without enabling debug mode; bz#2381 ok dtucker@
|
|
|
|
commit 8ac2ffd7aa06042f6b924c87139f2fea5c5682f7
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Fri Apr 24 01:36:24 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
2*len -> use xreallocarray() ok djm
|
|
|
|
commit 657a5fbc0d0aff309079ff8fb386f17e964963c2
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Fri Apr 24 01:36:00 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
rename xrealloc() to xreallocarray() since it follows
|
|
that form. ok djm
|
|
|
|
commit 1108ae242fdd2c304307b68ddf46aebe43ebffaa
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu Apr 23 04:59:10 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Two small fixes for sshd -T: ListenAddress'es are added
|
|
to a list head so reverse the order when printing them to ensure the
|
|
behaviour remains the same, and print StreamLocalBindMask as octal with
|
|
leading zero. ok deraadt@
|
|
|
|
commit bd902b8473e1168f19378d5d0ae68d0c203525df
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu Apr 23 04:53:53 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Check for and reject missing arguments for
|
|
VersionAddendum and ForceCommand. bz#2281, patch from plautrba at redhat com,
|
|
ok djm@
|
|
|
|
commit ca42c1758575e592239de1d5755140e054b91a0d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Apr 22 01:24:01 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
unknown certificate extensions are non-fatal, so don't
|
|
fatal when they are encountered; bz#2387 reported by Bob Van Zant; ok
|
|
dtucker@
|
|
|
|
commit 39bfbf7caad231cc4bda6909fb1af0705bca04d8
|
|
Author: jsg@openbsd.org <jsg@openbsd.org>
|
|
Date: Tue Apr 21 07:01:00 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Add back a backslash removed in rev 1.42 so
|
|
KEX_SERVER_ENCRYPT will include aes again.
|
|
|
|
ok deraadt@
|
|
|
|
commit 6b0d576bb87eca3efd2b309fcfe4edfefc289f9c
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 17 13:32:09 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
s/recommended/required/ that private keys be og-r this
|
|
wording change was made a while ago but got accidentally reverted
|
|
|
|
commit 44a8e7ce6f3ab4c2eb1ae49115c210b98e53c4df
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 17 13:25:52 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't try to cleanup NULL KEX proposals in
|
|
kex_prop_free(); found by Jukka Taimisto and Markus Hietava
|
|
|
|
commit 3038a191872d2882052306098c1810d14835e704
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 17 13:19:22 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
use error/logit/fatal instead of fprintf(stderr, ...)
|
|
and exit(0), fix a few errors that were being printed to stdout instead of
|
|
stderr and a few non-errors that were going to stderr instead of stdout
|
|
bz#2325; ok dtucker
|
|
|
|
commit a58be33cb6cd24441fa7e634db0e5babdd56f07f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 17 13:16:48 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
debug log missing DISPLAY environment when X11
|
|
forwarding requested; bz#1682 ok dtucker@
|
|
|
|
commit 17d4d9d9fbc8fb80e322f94d95eecc604588a474
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 17 04:32:31 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't call record_login() in monitor when UseLogin is
|
|
enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
|
|
|
commit 40132ff87b6cbc3dc05fb5df2e9d8e3afa06aafd
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Apr 17 04:12:35 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Add some missing options to sshd -T and fix the output
|
|
of VersionAddendum HostCertificate. bz#2346, patch from jjelen at redhat
|
|
com, ok djm.
|
|
|
|
commit 6cc7cfa936afde2d829e56ee6528c7ea47a42441
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu Apr 16 23:25:50 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Document "none" for PidFile XAuthLocation
|
|
TrustedUserCAKeys and RevokedKeys. bz#2382, feedback from jmc@, ok djm@
|
|
|
|
commit 15fdfc9b1c6808b26bc54d4d61a38b54541763ed
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Wed Apr 15 23:23:25 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Plug leak of address passed to logging. bz#2373, patch
|
|
from jjelen at redhat, ok markus@
|
|
|
|
commit bb2289e2a47d465eaaaeff3dee2a6b7777b4c291
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Tue Apr 14 04:17:03 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Output remote username in debug output since with Host
|
|
and Match it's not always obvious what it will be. bz#2368, ok djm@
|
|
|
|
commit 70860b6d07461906730632f9758ff1b7c98c695a
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Apr 17 10:56:13 2015 +1000
|
|
|
|
Format UsePAM setting when using sshd -T.
|
|
|
|
Part of bz#2346, patch from jjelen at redhat com.
|
|
|
|
commit ee15d9c9f0720f5a8b0b34e4b10ecf21f9824814
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Apr 17 10:40:23 2015 +1000
|
|
|
|
Wrap endian.h include inside ifdef (bz#2370).
|
|
|
|
commit 408f4c2ad4a4c41baa7b9b2b7423d875abbfa70b
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Fri Apr 17 09:39:58 2015 +1000
|
|
|
|
Look for '${host}-ar' before 'ar'.
|
|
|
|
This changes configure.ac to look for '${host}-ar' as set by
|
|
AC_CANONICAL_HOST before looking for the unprefixed 'ar'.
|
|
Useful when cross-compiling when all your binutils are prefixed.
|
|
|
|
Patch from moben at exherbo org via astrand at lysator liu se and
|
|
bz#2352.
|
|
|
|
commit 673a1c16ad078d41558247ce739fe812c960acc8
|
|
Author: Damien Miller <djm@google.com>
|
|
Date: Thu Apr 16 11:40:20 2015 +1000
|
|
|
|
remove dependency on arpa/telnet.h
|
|
|
|
commit 202d443eeda1829d336595a3cfc07827e49f45ed
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Apr 15 15:59:49 2015 +1000
|
|
|
|
Remove duplicate include of pwd.h. bz#2337, patch from Mordy Ovits.
|
|
|
|
commit 597986493412c499f2bc2209420cb195f97b3668
|
|
Author: Damien Miller <djm@google.com>
|
|
Date: Thu Apr 9 10:14:48 2015 +1000
|
|
|
|
platform's with openpty don't need pty_release
|
|
|
|
commit 318be28cda1fd9108f2e6f2f86b0b7589ba2aed0
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Apr 13 02:04:08 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
deprecate ancient, pre-RFC4419 and undocumented
|
|
SSH2_MSG_KEX_DH_GEX_REQUEST_OLD message; ok markus@ deraadt@ "seems
|
|
reasonable" dtucker@
|
|
|
|
commit d8f391caef62378463a0e6b36f940170dadfe605
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Fri Apr 10 05:16:50 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Don't send hostkey advertisments
|
|
(hostkeys-00@openssh.com) to current versions of Tera Term as they can't
|
|
handle them. Newer versions should be OK. Patch from Bryan Drewery and
|
|
IWAMOTO Kouichi, ok djm@
|
|
|
|
commit 2c2cfe1a1c97eb9a08cc9817fd0678209680c636
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 10 00:08:55 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
include port number if a non-default one has been
|
|
specified; based on patch from Michael Handler
|
|
|
|
commit 4492a4f222da4cf1e8eab12689196322e27b08c4
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Apr 7 23:00:42 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
treat Protocol=1,2|2,1 as Protocol=2 when compiled
|
|
without SSH1 support; ok dtucker@ millert@
|
|
|
|
commit c265e2e6e932efc6d86f6cc885dea33637a67564
|
|
Author: miod@openbsd.org <miod@openbsd.org>
|
|
Date: Sun Apr 5 15:43:43 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Do not use int for sig_atomic_t; spotted by
|
|
christos@netbsd; ok markus@
|
|
|
|
commit e7bf3a5eda6a1b02bef6096fed78527ee11e54cc
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Apr 7 10:48:04 2015 +1000
|
|
|
|
Use do{}while(0) for no-op functions.
|
|
|
|
From FreeBSD.
|
|
|
|
commit bb99844abae2b6447272f79e7fa84134802eb4df
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Apr 7 10:47:15 2015 +1000
|
|
|
|
Wrap blf.h include in ifdef. From FreeBSD.
|
|
|
|
commit d9b9b43656091cf0ad55c122f08fadb07dad0abd
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Apr 7 09:10:00 2015 +1000
|
|
|
|
Fix misspellings of regress CONFOPTS env variables.
|
|
|
|
Patch from Bryan Drewery.
|
|
|
|
commit 3f4ea3c9ab1d32d43c9222c4351f58ca11144156
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Apr 3 22:17:27 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
correct return value in pubkey parsing, spotted by Ben Hawkes
|
|
ok markus@
|
|
|
|
commit 7da2be0cb9601ed25460c83aa4d44052b967ba0f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Mar 31 22:59:01 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
adapt to recent hostfile.c change: when parsing
|
|
known_hosts without fully parsing the keys therein, hostkeys_foreach() will
|
|
now correctly identify KEY_RSA1 keys; ok markus@ miod@
|
|
|
|
commit 9e1777a0d1c706714b055811c12ab8cc21033e4a
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Tue Mar 24 20:19:15 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
use ${SSH} for -Q instead of installed ssh
|
|
|
|
commit ce1b358ea414a2cc88e4430cd5a2ea7fecd9de57
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Mar 16 22:46:14 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make CLEANFILES clean up more of the tests' droppings
|
|
|
|
commit 398f9ef192d820b67beba01ec234d66faca65775
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Mar 31 22:57:06 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
downgrade error() for known_hosts parse errors to debug()
|
|
to quiet warnings from ssh1 keys present when compiled !ssh1.
|
|
|
|
also identify ssh1 keys when scanning, even when compiled !ssh1
|
|
|
|
ok markus@ miod@
|
|
|
|
commit 9a47ab80030a31f2d122b8fd95bd48c408b9fcd9
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Mar 31 22:55:50 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fd leak for !ssh1 case; found by unittests; ok markus@
|
|
|
|
commit c9a0805a6280681901c270755a7cd630d7c5280e
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Mar 31 22:55:24 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't fatal when a !ssh1 sshd is reexeced from a w/ssh1
|
|
listener; reported by miod@; ok miod@ markus@
|
|
|
|
commit 704d8c88988cae38fb755a6243b119731d223222
|
|
Author: tobias@openbsd.org <tobias@openbsd.org>
|
|
Date: Tue Mar 31 11:06:49 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Comments are only supported for RSA1 keys. If a user
|
|
tried to add one and entered his passphrase, explicitly clear it before exit.
|
|
This is done in all other error paths, too.
|
|
|
|
ok djm
|
|
|
|
commit 78de1673c05ea2c33e0d4a4b64ecb5186b6ea2e9
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Mon Mar 30 18:28:37 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
ssh-askpass(1) is the default, overridden by SSH_ASKPASS;
|
|
diff originally from jiri b;
|
|
|
|
commit 26e0bcf766fadb4a44fb6199386fb1dcab65ad00
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Mar 30 00:00:29 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix uninitialised memory read when parsing a config file
|
|
consisting of a single nul byte. Found by hanno AT hboeck.de using AFL; ok
|
|
dtucker
|
|
|
|
commit fecede00a76fbb33a349f5121c0b2f9fbc04a777
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Thu Mar 26 19:32:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
sigp and lenp are not optional in ssh_agent_sign(); ok
|
|
djm@
|
|
|
|
commit 1b0ef3813244c78669e6d4d54c624f600945327d
|
|
Author: naddy@openbsd.org <naddy@openbsd.org>
|
|
Date: Thu Mar 26 12:32:38 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't try to load .ssh/identity by default if SSH1 is
|
|
disabled; ok markus@
|
|
|
|
commit f9b78852379b74a2d14e6fc94fe52af30b7e9c31
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Mar 26 07:00:04 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
ban all-zero curve25519 keys as recommended by latest
|
|
CFRG curves draft; ok markus
|
|
|
|
commit b8afbe2c1aaf573565e4da775261dfafc8b1ba9c
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Mar 26 06:59:28 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
relax bits needed check to allow
|
|
diffie-hellman-group1-sha1 key exchange to complete for chacha20-poly1305 was
|
|
selected as symmetric cipher; ok markus
|
|
|
|
commit 47842f71e31da130555353c1d57a1e5a8937f1c0
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed Mar 25 19:29:58 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
ignore v1 errors on ssh-add -D; only try v2 keys on
|
|
-l/-L (unless WITH_SSH1) ok djm@
|
|
|
|
commit 5f57e77f91bf2230c09eca96eb5ecec39e5f2da6
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed Mar 25 19:21:48 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
unbreak ssh_agent_sign (lenp vs *lenp)
|
|
|
|
commit 4daeb67181054f2a377677fac919ee8f9ed3490e
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Tue Mar 24 20:10:08 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't leak 'setp' on error; noted by Nicholas Lemonias;
|
|
ok djm@
|
|
|
|
commit 7d4f96f9de2a18af0d9fa75ea89a4990de0344f5
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Tue Mar 24 20:09:11 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
consistent check for NULL as noted by Nicholas
|
|
Lemonias; ok djm@
|
|
|
|
commit df100be51354e447d9345cf1ec22e6013c0eed50
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Tue Mar 24 20:03:44 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
correct fmt-string for size_t as noted by Nicholas
|
|
Lemonias; ok djm@
|
|
|
|
commit a22b9ef21285e81775732436f7c84a27bd3f71e0
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Mar 24 09:17:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
promote chacha20-poly1305@openssh.com to be the default
|
|
cipher; ok markus
|
|
|
|
commit 2aa9da1a3b360cf7b13e96fe1521534b91501fb5
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Mar 24 01:29:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Compile-time disable SSH protocol 1. You can turn it
|
|
back on using the Makefile.inc knob if you need it to talk to ancient
|
|
devices.
|
|
|
|
commit 53097b2022154edf96b4e8526af5666f979503f7
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Mar 24 01:11:12 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix double-negative error message "ssh1 is not
|
|
unsupported"
|
|
|
|
commit 5c27e3b6ec2db711dfcd40e6359c0bcdd0b62ea9
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Mar 23 06:06:38 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
for ssh-keygen -A, don't try (and fail) to generate ssh
|
|
v.1 keys when compiled without SSH1 support RSA/DSA/ECDSA keys when compiled
|
|
without OpenSSL based on patch by Mike Frysinger; bz#2369
|
|
|
|
commit 725fd22a8c41db7de73a638539a5157b7e4424ae
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Mar 18 01:44:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
KRL support doesn't need OpenSSL anymore, remove #ifdefs
|
|
from around call
|
|
|
|
commit b07011c18e0b2e172c5fd09d21fb159a0bf5fcc7
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Mar 16 11:09:52 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
#if 0 some more arrays used only for decrypting (we don't
|
|
use since we only need encrypt for AES-CTR)
|
|
|
|
commit 1cb3016635898d287e9d58b50c430995652d5358
|
|
Author: jsg@openbsd.org <jsg@openbsd.org>
|
|
Date: Wed Mar 11 00:48:39 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add back the changes from rev 1.206, djm reverted this by
|
|
mistake in rev 1.207
|
|
|
|
commit 4d24b3b6a4a6383e05e7da26d183b79fa8663697
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Mar 20 09:11:59 2015 +1100
|
|
|
|
remove error() accidentally inserted for debugging
|
|
|
|
pointed out by Christian Hesse
|
|
|
|
commit 9f82e5a9042f2d872e98f48a876fcab3e25dd9bb
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Mon Mar 16 22:49:20 2015 -0700
|
|
|
|
portability fix: Solaris systems may not have a grep that understands -q
|
|
|
|
commit 8ef691f7d9ef500257a549d0906d78187490668f
|
|
Author: Damien Miller <djm@google.com>
|
|
Date: Wed Mar 11 10:35:26 2015 +1100
|
|
|
|
fix compile with clang
|
|
|
|
commit 4df590cf8dc799e8986268d62019b487a8ed63ad
|
|
Author: Damien Miller <djm@google.com>
|
|
Date: Wed Mar 11 10:02:39 2015 +1100
|
|
|
|
make unit tests work for !OPENSSH_HAS_ECC
|
|
|
|
commit 307bb40277ca2c32e97e61d70d1ed74b571fd6ba
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sat Mar 7 04:41:48 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
unbreak for w/SSH1 (default) case; ok markus@ deraadt@
|
|
|
|
commit b44ee0c998fb4c5f3c3281f2398af5ce42840b6f
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Mar 5 18:39:20 2015 -0800
|
|
|
|
unbreak hostkeys test for w/ SSH1 case
|
|
|
|
commit 55e5bdeb519cb60cc18b7ba0545be581fb8598b4
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Mar 6 01:40:56 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix sshkey_certify() return value for unsupported key types;
|
|
ok markus@ deraadt@
|
|
|
|
commit be8f658e550a434eac04256bfbc4289457a24e99
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Mar 4 15:38:03 2015 -0800
|
|
|
|
update version numbers to match version.h
|
|
|
|
commit ac5e8acefa253eb5e5ba186e34236c0e8007afdc
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Mar 4 23:22:35 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make these work with !SSH1; ok markus@ deraadt@
|
|
|
|
commit 2f04af92f036b0c87a23efb259c37da98cd81fe6
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Mar 4 21:12:59 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make ssh-add -D work with !SSH1 agent
|
|
|
|
commit a05adf95d2af6abb2b7826ddaa7a0ec0cdc1726b
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Mar 4 00:55:48 2015 -0800
|
|
|
|
netcat needs poll.h portability goop
|
|
|
|
commit dad2b1892b4c1b7e58df483a8c5b983c4454e099
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Tue Mar 3 22:35:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make it possible to run tests w/o ssh1 support; ok djm@
|
|
|
|
commit d48a22601bdd3eec054794c535f4ae8d8ae4c6e2
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Mar 4 18:53:53 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
crank; ok markus, deraadt
|
|
|
|
commit bbffb23daa0b002dd9f296e396a9ab8a5866b339
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Mar 3 13:50:27 2015 -0800
|
|
|
|
more --without-ssh1 fixes
|
|
|
|
commit 6c2039286f503e2012a58a1d109e389016e7a99b
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Mar 3 13:48:48 2015 -0800
|
|
|
|
fix merge both that broke --without-ssh1 compile
|
|
|
|
commit 111dfb225478a76f89ecbcd31e96eaf1311b59d3
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Mar 3 21:21:13 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add SSH1 Makefile knob to make it easier to build without
|
|
SSH1 support; ok markus@
|
|
|
|
commit 3f7f5e6c5d2aa3f6710289c1a30119e534e56c5c
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Mar 3 20:42:49 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
expand __unused to full __attribute__ for better portability
|
|
|
|
commit 2fab9b0f8720baf990c931e3f68babb0bf9949c6
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Mar 4 07:41:27 2015 +1100
|
|
|
|
avoid warning
|
|
|
|
commit d1bc844322461f882b4fd2277ba9a8d4966573d2
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Mar 4 06:31:45 2015 +1100
|
|
|
|
Revert "define __unused to nothing if not already defined"
|
|
|
|
This reverts commit 1598419e38afbaa8aa5df8dd6b0af98301e2c908.
|
|
|
|
Some system headers have objects named __unused
|
|
|
|
commit 00797e86b2d98334d1bb808f65fa1fd47f328ff1
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Mar 4 05:02:45 2015 +1100
|
|
|
|
check for crypt and DES_crypt in openssl block
|
|
|
|
fixes builds on systems that use DES_crypt; based on patch
|
|
from Roumen Petrov
|
|
|
|
commit 1598419e38afbaa8aa5df8dd6b0af98301e2c908
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Mar 4 04:59:13 2015 +1100
|
|
|
|
define __unused to nothing if not already defined
|
|
|
|
fixes builds on BSD/OS
|
|
|
|
commit d608a51daad4f14ad6ab43d7cf74ef4801cc3fe9
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Mar 3 17:53:40 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
reorder logic for better portability; patch from Roumen
|
|
Petrov
|
|
|
|
commit 68d2dfc464fbcdf8d6387884260f9801f4352393
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Mar 3 06:48:58 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Allow "ssh -Q protocol-version" to list supported SSH
|
|
protocol versions. Useful for detecting builds without SSH v.1 support; idea
|
|
and ok markus@
|
|
|
|
commit 39e2f1229562e1195169905607bc12290d21f021
|
|
Author: millert@openbsd.org <millert@openbsd.org>
|
|
Date: Sun Mar 1 15:44:40 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Make sure we only call getnameinfo() for AF_INET or AF_INET6
|
|
sockets. getpeername() of a Unix domain socket may return without error on
|
|
some systems without actually setting ss_family so getnameinfo() was getting
|
|
called with ss_family set to AF_UNSPEC. OK djm@
|
|
|
|
commit e47536ba9692d271b8ad89078abdecf0a1c11707
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Feb 28 08:20:11 2015 -0800
|
|
|
|
portability fixes for regress/netcat.c
|
|
|
|
Mostly avoiding "err(1, NULL)"
|
|
|
|
commit 02973ad5f6f49d8420e50a392331432b0396c100
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sat Feb 28 08:05:27 2015 -0800
|
|
|
|
twiddle another test for portability
|
|
|
|
from Tom G. Christensen
|
|
|
|
commit f7f3116abf2a6e2f309ab096b08c58d19613e5d0
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Feb 27 15:52:49 2015 -0800
|
|
|
|
twiddle test for portability
|
|
|
|
commit 1ad3a77cc9d5568f5437ff99d377aa7a41859b83
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Feb 26 20:33:22 2015 -0800
|
|
|
|
make regress/netcat.c fd passing (more) portable
|
|
|
|
commit 9e1cfca7e1fe9cf8edb634fc894e43993e4da1ea
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Feb 26 20:32:58 2015 -0800
|
|
|
|
create OBJ/valgrind-out before running unittests
|
|
|
|
commit bd58853102cee739f0e115e6d4b5334332ab1442
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Feb 25 16:58:22 2015 -0800
|
|
|
|
valgrind support
|
|
|
|
commit f43d17269194761eded9e89f17456332f4c83824
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Feb 26 20:45:47 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't printf NULL key comments; reported by Tom Christensen
|
|
|
|
commit 6e6458b476ec854db33e3e68ebf4f489d0ab3df8
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Feb 25 23:05:47 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
zero cmsgbuf before use; we initialise the bits we use
|
|
but valgrind still spams warning on it
|
|
|
|
commit a63cfa26864b93ab6afefad0b630e5358ed8edfa
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Feb 25 19:54:02 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix small memory leak when UpdateHostkeys=no
|
|
|
|
commit e6b950341dd75baa8526f1862bca39e52f5b879b
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Wed Feb 25 09:56:48 2015 -0800
|
|
|
|
Revert "Work around finicky USL linker so netcat will build."
|
|
|
|
This reverts commit d1db656021d0cd8c001a6692f772f1de29b67c8b.
|
|
|
|
No longer needed with commit 678e473e2af2e4802f24dd913985864d9ead7fb3
|
|
|
|
commit 6f621603f9cff2a5d6016a404c96cb2f8ac2dec0
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Feb 25 17:29:38 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't leak validity of user in "too many authentication
|
|
failures" disconnect message; reported by Sebastian Reitenbach
|
|
|
|
commit 6288e3a935494df12519164f52ca5c8c65fc3ca5
|
|
Author: naddy@openbsd.org <naddy@openbsd.org>
|
|
Date: Tue Feb 24 15:24:05 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add -v (show ASCII art) to -l's synopsis; ok djm@
|
|
|
|
commit 678e473e2af2e4802f24dd913985864d9ead7fb3
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Thu Feb 26 04:12:58 2015 +1100
|
|
|
|
Remove dependency on xmalloc.
|
|
|
|
Remove ssh_get_progname's dependency on xmalloc, which should reduce
|
|
link order problems. ok djm@
|
|
|
|
commit 5d5ec165c5b614b03678afdad881f10e25832e46
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Feb 25 15:32:49 2015 +1100
|
|
|
|
Restrict ECDSA and ECDH tests.
|
|
|
|
ifdef out some more ECDSA and ECDH tests when built against an OpenSSL
|
|
that does not have eliptic curve functionality.
|
|
|
|
commit 1734e276d99b17e92d4233fac7aef3a3180aaca7
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Feb 25 13:40:45 2015 +1100
|
|
|
|
Move definition of _NSIG.
|
|
|
|
_NSIG is only unsed in one file, so move it there prevent redefinition
|
|
warnings reported by Kevin Brott.
|
|
|
|
commit a47ead7c95cfbeb72721066c4da2312e5b1b9f3d
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Wed Feb 25 13:17:40 2015 +1100
|
|
|
|
Add includes.h for compatibility stuff.
|
|
|
|
commit 38806bda6d2e48ad32812b461eebe17672ada771
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 24 16:50:06 2015 -0800
|
|
|
|
include netdb.h to look for MAXHOSTNAMELEN; ok tim
|
|
|
|
commit d1db656021d0cd8c001a6692f772f1de29b67c8b
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Tue Feb 24 10:42:08 2015 -0800
|
|
|
|
Work around finicky USL linker so netcat will build.
|
|
|
|
commit cb030ce25f555737e8ba97bdd7883ac43f3ff2a3
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 24 09:23:04 2015 -0800
|
|
|
|
include includes.h to avoid build failure on AIX
|
|
|
|
commit 13af342458f5064144abbb07e5ac9bbd4eb42567
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Tue Feb 24 07:56:47 2015 -0800
|
|
|
|
Original portability patch from djm@ for platforms missing err.h.
|
|
Fix name space clash on Solaris 10. Still more to do for Solaris 10
|
|
to deal with msghdr structure differences. ok djm@
|
|
|
|
commit 910209203d0cd60c5083901cbcc0b7b44d9f48d2
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Mon Feb 23 22:06:56 2015 -0800
|
|
|
|
cleaner way fix dispatch.h portion of commit
|
|
a88dd1da119052870bb2654c1a32c51971eade16
|
|
(some systems have sig_atomic_t in signal.h, some in sys/signal.h)
|
|
Sounds good to me djm@
|
|
|
|
commit 676c38d7cbe65b76bbfff796861bb6615cc6a596
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Mon Feb 23 21:51:33 2015 -0800
|
|
|
|
portability fix: if we can't dind a better define for HOST_NAME_MAX, use 255
|
|
|
|
commit 1221b22023dce38cbc90ba77eae4c5d78c77a5e6
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Mon Feb 23 21:50:34 2015 -0800
|
|
|
|
portablity fix: s/__inline__/inline/
|
|
|
|
commit 4c356308a88d309c796325bb75dce90ca16591d5
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Feb 24 13:49:31 2015 +1100
|
|
|
|
Wrap stdint.h includes in HAVE_STDINT_H.
|
|
|
|
commit c9c88355c6a27a908e7d1e5003a2b35ea99c1614
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Feb 24 13:43:57 2015 +1100
|
|
|
|
Add AI_NUMERICSERV to fake-rfc2553.
|
|
|
|
Our getaddrinfo implementation always returns numeric values already.
|
|
|
|
commit ef342ab1ce6fb9a4b30186c89c309d0ae9d0eeb4
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Feb 24 13:39:57 2015 +1100
|
|
|
|
Include OpenSSL's objects.h before bn.h.
|
|
|
|
Prevents compile errors on some platforms (at least old GCCs and AIX's
|
|
XLC compilers).
|
|
|
|
commit dcc8997d116f615195aa7c9ec019fb36c28c6228
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Tue Feb 24 12:30:59 2015 +1100
|
|
|
|
Convert two macros into functions.
|
|
|
|
Convert packet_send_debug and packet_disconnect from macros to
|
|
functions. Some older GCCs (2.7.x, 2.95.x) see to have problems with
|
|
variadic macros with only one argument so we convert these two into
|
|
functions. ok djm@
|
|
|
|
commit 2285c30d51b7e2052c6526445abe7e7cc7e170a1
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 23 22:21:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
further silence spurious error message even when -v is
|
|
specified (e.g. to get visual host keys); reported by naddy@
|
|
|
|
commit 9af21979c00652029e160295e988dea40758ece2
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 24 09:04:32 2015 +1100
|
|
|
|
don't include stdint.h unless HAVE_STDINT_H set
|
|
|
|
commit 62f678dd51660d6f8aee1da33d3222c5de10a89e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 24 09:02:54 2015 +1100
|
|
|
|
nother sys/queue.h -> sys-queue.h fix
|
|
|
|
spotted by Tom Christensen
|
|
|
|
commit b3c19151cba2c0ed01b27f55de0d723ad07ca98f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 23 20:32:15 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix a race condition by using a mux socket rather than an
|
|
ineffectual wait statement
|
|
|
|
commit a88dd1da119052870bb2654c1a32c51971eade16
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Feb 24 06:30:29 2015 +1100
|
|
|
|
various include fixes for portable
|
|
|
|
commit 5248429b5ec524d0a65507cff0cdd6e0cb99effd
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 23 16:55:51 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add an XXX to remind me to improve sshkey_load_public
|
|
|
|
commit e94e4b07ef2eaead38b085a60535df9981cdbcdb
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 23 16:55:31 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
silence a spurious error message when listing
|
|
fingerprints for known_hosts; bz#2342
|
|
|
|
commit f2293a65392b54ac721f66bc0b44462e8d1d81f8
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 23 16:33:25 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix setting/clearing of TTY raw mode around
|
|
UpdateHostKeys=ask confirmation question; reported by Herb Goldman
|
|
|
|
commit f2004cd1adf34492eae0a44b1ef84e0e31b06088
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Feb 23 05:04:21 2015 +1100
|
|
|
|
Repair for non-ECC OpenSSL.
|
|
|
|
Ifdef out the ECC parts when building with an OpenSSL that doesn't have
|
|
it.
|
|
|
|
commit 37f9220db8d1a52c75894c3de1e5f2ae5bd71b6f
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Mon Feb 23 03:07:24 2015 +1100
|
|
|
|
Wrap stdint.h includes in ifdefs.
|
|
|
|
commit f81f1bbc5b892c8614ea740b1f92735652eb43f0
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Sat Feb 21 18:12:10 2015 -0800
|
|
|
|
out of tree build fix
|
|
|
|
commit 2e13a1e4d22f3b503c3bfc878562cc7386a1d1ae
|
|
Author: Tim Rice <tim@multitalents.net>
|
|
Date: Sat Feb 21 18:08:51 2015 -0800
|
|
|
|
mkdir kex unit test directory so testing out of tree builds works
|
|
|
|
commit 1797f49b1ba31e8700231cd6b1d512d80bb50d2c
|
|
Author: halex@openbsd.org <halex@openbsd.org>
|
|
Date: Sat Feb 21 21:46:57 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make "ssh-add -d" properly remove a corresponding
|
|
certificate, and also not whine and fail if there is none
|
|
|
|
ok djm@
|
|
|
|
commit 7faaa32da83a609059d95dbfcb0649fdb04caaf6
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Sun Feb 22 07:57:27 2015 +1100
|
|
|
|
mkdir hostkey and bitmap unit test directories
|
|
|
|
commit bd49da2ef197efac5e38f5399263a8b47990c538
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Feb 20 23:46:01 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
sort options useable under Match case-insensitively; prodded
|
|
jmc@
|
|
|
|
commit 1a779a0dd6cd8b4a1a40ea33b5415ab8408128ac
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sat Feb 21 20:51:02 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
correct paths to configuration files being written/updated;
|
|
they live in $OBJ not cwd; some by Roumen Petrov
|
|
|
|
commit 28ba006c1acddff992ae946d0bc0b500b531ba6b
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sat Feb 21 15:41:07 2015 +1100
|
|
|
|
More correct checking of HAVE_DECL_AI_NUMERICSERV.
|
|
|
|
commit e50e8c97a9cecae1f28febccaa6ca5ab3bc10f54
|
|
Author: Darren Tucker <dtucker@zip.com.au>
|
|
Date: Sat Feb 21 15:10:33 2015 +1100
|
|
|
|
Add null declaration of AI_NUMERICINFO.
|
|
|
|
Some platforms (older FreeBSD and DragonFly versions) do have
|
|
getaddrinfo() but do not have AI_NUMERICINFO. so define it to zero
|
|
in those cases.
|
|
|
|
commit 18a208d6a460d707a45916db63a571e805f5db46
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Feb 20 22:40:32 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
more options that are available under Match; bz#2353 reported
|
|
by calestyo AT scientia.net
|
|
|
|
commit 44732de06884238049f285f1455b2181baa7dc82
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Feb 20 22:17:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
UpdateHostKeys fixes:
|
|
|
|
I accidentally changed the format of the hostkeys@openssh.com messages
|
|
last week without changing the extension name, and this has been causing
|
|
connection failures for people who are running -current. First reported
|
|
by sthen@
|
|
|
|
s/hostkeys@openssh.com/hostkeys-00@openssh.com/
|
|
Change the name of the proof message too, and reorder it a little.
|
|
|
|
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY
|
|
available to read the response) so disable UpdateHostKeys if it is in
|
|
ask mode and ControlPersist is active (and document this)
|
|
|
|
commit 13a39414d25646f93e6d355521d832a03aaaffe2
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Feb 17 00:14:05 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Regression: I broke logging of public key fingerprints in
|
|
1.46. Pointed out by Pontus Lundkvist
|
|
|
|
commit 773dda25e828c4c9a52f7bdce6e1e5924157beab
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Fri Jan 30 23:10:17 2015 +1100
|
|
|
|
repair --without-openssl; broken in refactor
|
|
|
|
commit e89c780886b23600de1e1c8d74aabd1ff61f43f0
|
|
Author: Damien Miller <djm@google.com>
|
|
Date: Tue Feb 17 10:04:55 2015 +1100
|
|
|
|
hook up hostkeys unittest to portable Makefiles
|
|
|
|
commit 0abf41f99aa16ff09b263bead242d6cb2dbbcf99
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 16 22:21:03 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
enable hostkeys unit tests
|
|
|
|
commit 68a5d647ccf0fb6782b2f749433a1eee5bc9044b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 16 22:20:50 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
check string/memory compare arguments aren't NULL
|
|
|
|
commit ef575ef20d09f20722e26b45dab80b3620469687
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 16 22:18:34 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
unit tests for hostfile.c code, just hostkeys_foreach so
|
|
far
|
|
|
|
commit 8ea3365e6aa2759ccf5c76eaea62cbc8a280b0e7
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Sat Feb 14 12:43:16 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
test server rekey limit
|
|
|
|
commit ce63c4b063c39b2b22d4ada449c9e3fbde788cb3
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 16 22:30:03 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
partial backout of:
|
|
|
|
revision 1.441
|
|
date: 2015/01/31 20:30:05; author: djm; state: Exp; lines: +17 -10; commitid
|
|
: x8klYPZMJSrVlt3O;
|
|
Let sshd load public host keys even when private keys are missing.
|
|
Allows sshd to advertise additional keys for future key rotation.
|
|
Also log fingerprint of hostkeys loaded; ok markus@
|
|
|
|
hostkey updates now require access to the private key, so we can't
|
|
load public keys only. The improved log messages (fingerprints of keys
|
|
loaded) are kept.
|
|
|
|
commit 523463a3a2a9bfc6cfc5afa01bae9147f76a37cc
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 16 22:13:32 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Revise hostkeys@openssh.com hostkey learning extension.
|
|
|
|
The client will not ask the server to prove ownership of the private
|
|
halves of any hitherto-unseen hostkeys it offers to the client.
|
|
|
|
Allow UpdateHostKeys option to take an 'ask' argument to let the
|
|
user manually review keys offered.
|
|
|
|
ok markus@
|
|
|
|
commit 6c5c949782d86a6e7d58006599c7685bfcd01685
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 16 22:08:57 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Refactor hostkeys_foreach() and dependent code Deal with
|
|
IP addresses (i.e. CheckHostIP) Don't clobber known_hosts when nothing
|
|
changed ok markus@ as part of larger commit
|
|
|
|
commit 51b082ccbe633dc970df1d1f4c9c0497115fe721
|
|
Author: miod@openbsd.org <miod@openbsd.org>
|
|
Date: Mon Feb 16 18:26:26 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Declare ge25519_base as extern, to prevent it from
|
|
becoming a common. Gets us rid of ``lignment 4 of symbol
|
|
`crypto_sign_ed25519_ref_ge25519_base' in mod_ge25519.o is smaller than 16 in
|
|
mod_ed25519.o'' warnings at link time.
|
|
|
|
commit 02db468bf7e3281a8e3c058ced571b38b6407c34
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Fri Feb 13 18:57:00 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make rekey_limit for sshd w/privsep work; ok djm@
|
|
dtucker@
|
|
|
|
commit 8ec67d505bd23c8bf9e17b7a364b563a07a58ec8
|
|
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
|
Date: Thu Feb 12 20:34:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Prevent sshd spamming syslog with
|
|
"ssh_dispatch_run_fatal: disconnected". ok markus@
|
|
|
|
commit d4c0295d1afc342057ba358237acad6be8af480b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Feb 11 01:20:38 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Some packet error messages show the address of the peer,
|
|
but might be generated after the socket to the peer has suffered a TCP reset.
|
|
In these cases, getpeername() won't work so cache the address earlier.
|
|
|
|
spotted in the wild via deraadt@ and tedu@
|
|
|
|
commit 4af1709cf774475ce5d1bc3ddcc165f6c222897d
|
|
Author: jsg@openbsd.org <jsg@openbsd.org>
|
|
Date: Mon Feb 9 23:22:37 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix some leaks in error paths ok markus@
|
|
|
|
commit fd36834871d06a03e1ff8d69e41992efa1bbf85f
|
|
Author: millert@openbsd.org <millert@openbsd.org>
|
|
Date: Fri Feb 6 23:21:59 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
SIZE_MAX is standard, we should be using it in preference to
|
|
the obsolete SIZE_T_MAX. OK miod@ beck@
|
|
|
|
commit 1910a286d7771eab84c0b047f31c0a17505236fa
|
|
Author: millert@openbsd.org <millert@openbsd.org>
|
|
Date: Thu Feb 5 12:59:57 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Include stdint.h, not limits.h to get SIZE_MAX. OK guenther@
|
|
|
|
commit ce4f59b2405845584f45e0b3214760eb0008c06c
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Tue Feb 3 08:07:20 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
missing ; djm and mlarkin really having great
|
|
interactions recently
|
|
|
|
commit 5d34aa94938abb12b877a25be51862757f25d54b
|
|
Author: halex@openbsd.org <halex@openbsd.org>
|
|
Date: Tue Feb 3 00:34:14 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
slightly extend the passphrase prompt if running with -c
|
|
in order to give the user a chance to notice if unintentionally running
|
|
without it
|
|
|
|
wording tweak and ok djm@
|
|
|
|
commit cb3bde373e80902c7d5d0db429f85068d19b2918
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 2 22:48:53 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
handle PKCS#11 C_Login returning
|
|
CKR_USER_ALREADY_LOGGED_IN; based on patch from Yuri Samoilenko; ok markus@
|
|
|
|
commit 15ad750e5ec3cc69765b7eba1ce90060e7083399
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Feb 2 07:41:40 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
turn UpdateHostkeys off by default until I figure out
|
|
mlarkin@'s warning message; requested by deraadt@
|
|
|
|
commit 3cd5103c1e1aaa59bd66f7f52f6ebbcd5deb12f9
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Mon Feb 2 01:57:44 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
increasing encounters with difficult DNS setups in
|
|
darknets has convinced me UseDNS off by default is better ok djm
|
|
|
|
commit 6049a548a8a68ff0bbe581ab1748ea6a59ecdc38
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sat Jan 31 20:30:05 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Let sshd load public host keys even when private keys are
|
|
missing. Allows sshd to advertise additional keys for future key rotation.
|
|
Also log fingerprint of hostkeys loaded; ok markus@
|
|
|
|
commit 46347ed5968f582661e8a70a45f448e0179ca0ab
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jan 30 11:43:14 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Add a ssh_config HostbasedKeyType option to control which
|
|
host public key types are tried during hostbased authentication.
|
|
|
|
This may be used to prevent too many keys being sent to the server,
|
|
and blowing past its MaxAuthTries limit.
|
|
|
|
bz#2211 based on patch by Iain Morgan; ok markus@
|
|
|
|
commit 802660cb70453fa4d230cb0233bc1bbdf8328de1
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jan 30 10:44:49 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
set a timeout to prevent hangs when talking to busted
|
|
servers; ok markus@
|
|
|
|
commit 86936ec245a15c7abe71a0722610998b0a28b194
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jan 30 01:11:39 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
regression test for 'wildcard CA' serial/key ID revocations
|
|
|
|
commit 4509b5d4a4fa645a022635bfa7e86d09b285001f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jan 30 01:13:33 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
avoid more fatal/exit in the packet.c paths that
|
|
ssh-keyscan uses; feedback and "looks good" markus@
|
|
|
|
commit 669aee994348468af8b4b2ebd29b602cf2860b22
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jan 30 01:10:33 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
permit KRLs that revoke certificates by serial number or
|
|
key ID without scoping to a particular CA; ok markus@
|
|
|
|
commit 7a2c368477e26575d0866247d3313da4256cb2b5
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jan 30 00:59:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
missing parentheses after if in do_convert_from() broke
|
|
private key conversion from other formats some time in 2010; bz#2345 reported
|
|
by jjelen AT redhat.com
|
|
|
|
commit 25f5f78d8bf5c22d9cea8b49de24ebeee648a355
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jan 30 00:22:25 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix ssh protocol 1, spotted by miod@
|
|
|
|
commit 9ce86c926dfa6e0635161b035e3944e611cbccf0
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 28 22:36:00 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
update to new API (key_fingerprint => sshkey_fingerprint)
|
|
check sshkey_fingerprint return values; ok markus
|
|
|
|
commit 9125525c37bf73ad3ee4025520889d2ce9d10f29
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 28 22:05:31 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
avoid fatal() calls in packet code makes ssh-keyscan more
|
|
reliable against server failures ok dtucker@ markus@
|
|
|
|
commit fae7bbe544cba7a9e5e4ab47ff6faa3d978646eb
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 28 21:15:47 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
avoid fatal() calls in packet code makes ssh-keyscan more
|
|
reliable against server failures ok dtucker@ markus@
|
|
|
|
commit 1a3d14f6b44a494037c7deab485abe6496bf2c60
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 28 11:07:25 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
remove obsolete comment
|
|
|
|
commit 80c25b7bc0a71d75c43a4575d9a1336f589eb639
|
|
Author: okan@openbsd.org <okan@openbsd.org>
|
|
Date: Tue Jan 27 12:54:06 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Since r1.2 removed the use of PRI* macros, inttypes.h is
|
|
no longer required.
|
|
|
|
ok djm@
|
|
|
|
commit 69ff64f69615c2a21c97cb5878a0996c21423257
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Jan 27 23:07:43 2015 +1100
|
|
|
|
compile on systems without TCP_MD5SIG (e.g. OSX)
|
|
|
|
commit 358964f3082fb90b2ae15bcab07b6105cfad5a43
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Jan 27 23:07:25 2015 +1100
|
|
|
|
use ssh-keygen under test rather than system's
|
|
|
|
commit a2c95c1bf33ea53038324d1fdd774bc953f98236
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Jan 27 23:06:59 2015 +1100
|
|
|
|
OSX lacks HOST_NAME_MAX, has _POSIX_HOST_NAME_MAX
|
|
|
|
commit ade31d7b6f608a19b85bee29a7a00b1e636a2919
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Jan 27 23:06:23 2015 +1100
|
|
|
|
these need active_state defined to link on OSX
|
|
|
|
temporary measure until active_state goes away entirely
|
|
|
|
commit e56aa87502f22c5844918c10190e8b4f785f067b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jan 27 12:01:36 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
use printf instead of echo -n to reduce diff against
|
|
-portable
|
|
|
|
commit 9f7637f56eddfaf62ce3c0af89c25480f2cf1068
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Mon Jan 26 13:55:29 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
sort previous;
|
|
|
|
commit 3076ee7d530d5b16842fac7a6229706c7e5acd26
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 26 13:36:53 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
properly restore umask
|
|
|
|
commit d411d395556b73ba1b9e451516a0bd6697c4b03d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 26 06:12:18 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
regression test for host key rotation
|
|
|
|
commit fe8a3a51699afbc6407a8fae59b73349d01e49f8
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 26 06:11:28 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
adapt to sshkey API tweaks
|
|
|
|
commit 7dd355fb1f0038a3d5cdca57ebab4356c7a5b434
|
|
Author: miod@openbsd.org <miod@openbsd.org>
|
|
Date: Sat Jan 24 10:39:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Move -lz late in the linker commandline for things to
|
|
build on static arches.
|
|
|
|
commit 0dad3b806fddb93c475b30853b9be1a25d673a33
|
|
Author: miod@openbsd.org <miod@openbsd.org>
|
|
Date: Fri Jan 23 21:21:23 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
-Wpointer-sign is supported by gcc 4 only.
|
|
|
|
commit 2b3b1c1e4bd9577b6e780c255c278542ea66c098
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jan 20 22:58:57 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
use SUBDIR to recuse into unit tests; makes "make obj"
|
|
actually work
|
|
|
|
commit 1d1092bff8db27080155541212b420703f8b9c92
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 26 12:16:36 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
correct description of UpdateHostKeys in ssh_config.5 and
|
|
add it to -o lists for ssh, scp and sftp; pointed out by jmc@
|
|
|
|
commit 5104db7cbd6cdd9c5971f4358e74414862fc1022
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 26 06:10:03 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
correctly match ECDSA subtype (== curve) for
|
|
offered/recevied host keys. Fixes connection-killing host key mismatches when
|
|
a server offers multiple ECDSA keys with different curve type (an extremely
|
|
unlikely configuration).
|
|
|
|
ok markus, "looks mechanical" deraadt@
|
|
|
|
commit 8d4f87258f31cb6def9b3b55b6a7321d84728ff2
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 26 03:04:45 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Host key rotation support.
|
|
|
|
Add a hostkeys@openssh.com protocol extension (global request) for
|
|
a server to inform a client of all its available host key after
|
|
authentication has completed. The client may record the keys in
|
|
known_hosts, allowing it to upgrade to better host key algorithms
|
|
and a server to gracefully rotate its keys.
|
|
|
|
The client side of this is controlled by a UpdateHostkeys config
|
|
option (default on).
|
|
|
|
ok markus@
|
|
|
|
commit 60b1825262b1f1e24fc72050b907189c92daf18e
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 26 02:59:11 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
small refactor and add some convenience functions; ok
|
|
markus
|
|
|
|
commit a5a3e3328ddce91e76f71ff479022d53e35c60c9
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Thu Jan 22 21:00:42 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
heirarchy -> hierarchy;
|
|
|
|
commit dcff5810a11195c57e1b3343c0d6b6f2b9974c11
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Thu Jan 22 20:24:41 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Provide a warning about chroot misuses (which sadly, seem
|
|
to have become quite popular because shiny). sshd cannot detect/manage/do
|
|
anything about these cases, best we can do is warn in the right spot in the
|
|
man page. ok markus
|
|
|
|
commit 087266ec33c76fc8d54ac5a19efacf2f4a4ca076
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Tue Jan 20 23:14:00 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Reduce use of <sys/param.h> and transition to <limits.h>
|
|
throughout. ok djm markus
|
|
|
|
commit 57e783c8ba2c0797f93977e83b2a8644a03065d8
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Tue Jan 20 20:16:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
kex_setup errors are fatal()
|
|
|
|
commit 1d6424a6ff94633c221297ae8f42d54e12a20912
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jan 20 08:02:33 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
this test would accidentally delete agent.sh if run without
|
|
obj/
|
|
|
|
commit 12b5f50777203e12575f1b08568281e447249ed3
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jan 20 07:56:44 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make this compile with KERBEROS5 enabled
|
|
|
|
commit e2cc6bef08941256817d44d146115b3478586ad4
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jan 20 07:55:33 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix hostkeys in agent; ok markus@
|
|
|
|
commit 1ca3e2155aa5d3801a7ae050f85c71f41fcb95b1
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Jan 20 10:11:31 2015 +1100
|
|
|
|
fix kex test
|
|
|
|
commit c78a578107c7e6dcf5d30a2f34cb6581bef14029
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 19 20:45:25 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
finally enable the KEX tests I wrote some years ago...
|
|
|
|
commit 31821d7217e686667d04935aeec99e1fc4a46e7e
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 19 20:42:31 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
adapt to new error message (SSH_ERR_MAC_INVALID)
|
|
|
|
commit d3716ca19e510e95d956ae14d5b367e364bff7f1
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 19 17:31:13 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
this test was broken in at least two ways, such that it
|
|
wasn't checking that a KRL was not excluding valid keys
|
|
|
|
commit 3f797653748e7c2b037dacb57574c01d9ef3b4d3
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 19 20:32:39 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
switch ssh-keyscan from setjmp to multiple ssh transport
|
|
layer instances ok djm@
|
|
|
|
commit f582f0e917bb0017b00944783cd5f408bf4b0b5e
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 19 20:30:23 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add experimental api for packet layer; ok djm@
|
|
|
|
commit 48b3b2ba75181f11fca7f327058a591f4426cade
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 19 20:20:20 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
store compat flags in struct ssh; ok djm@
|
|
|
|
commit 57d10cbe861a235dd269c74fb2fe248469ecee9d
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 19 20:16:15 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
adapt kex to sshbuf and struct ssh; ok djm@
|
|
|
|
commit 3fdc88a0def4f86aa88a5846ac079dc964c0546a
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 19 20:07:45 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
move dispatch to struct ssh; ok djm@
|
|
|
|
commit 091c302829210c41e7f57c3f094c7b9c054306f0
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 19 19:52:16 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
update packet.c & isolate, introduce struct ssh a) switch
|
|
packet.c to buffer api and isolate per-connection info into struct ssh b)
|
|
(de)serialization of the state is moved from monitor to packet.c c) the old
|
|
packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and
|
|
integrated into packet.c with and ok djm@
|
|
|
|
commit 4e62cc68ce4ba20245d208b252e74e91d3785b74
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 19 17:35:48 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix format strings in (disabled) debugging
|
|
|
|
commit d85e06245907d49a2cd0cfa0abf59150ad616f42
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 19 06:01:32 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
be a bit more careful in these tests to ensure that
|
|
known_hosts is clean
|
|
|
|
commit 7947810eab5fe0ad311f32a48f4d4eb1f71be6cf
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jan 18 22:00:18 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
regression test for known_host file editing using
|
|
ssh-keygen (-H / -R / -F) after hostkeys_foreach() change; feedback and ok
|
|
markus@
|
|
|
|
commit 3a2b09d147a565d8a47edf37491e149a02c0d3a3
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jan 18 19:54:46 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
more and better key tests
|
|
|
|
test signatures and verification
|
|
test certificate generation
|
|
flesh out nested cert test
|
|
|
|
removes most of the XXX todo markers
|
|
|
|
commit 589e69fd82724cfc9738f128e4771da2e6405d0d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jan 18 19:53:58 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make the signature fuzzing test much more rigorous:
|
|
ensure that the fuzzed input cases do not match the original (using new
|
|
fuzz_matches_original() function) and check that the verification fails in
|
|
each case
|
|
|
|
commit 80603c0daa2538c349c1c152405580b164d5475f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jan 18 19:52:44 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add a fuzz_matches_original() function to the fuzzer to
|
|
detect fuzz cases that are identical to the original data. Hacky
|
|
implementation, but very useful when you need the fuzz to be different, e.g.
|
|
when verifying signature
|
|
|
|
commit 87d5495bd337e358ad69c524fcb9495208c0750b
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jan 18 19:50:55 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
better dumps from the fuzzer (shown on errors) -
|
|
include the original data as well as the fuzzed copy.
|
|
|
|
commit d59ec478c453a3fff05badbbfd96aa856364f2c2
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jan 18 19:47:55 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
enable hostkey-agent.sh test
|
|
|
|
commit 26b3425170bf840e4b095e1c10bf25a0a3e3a105
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sat Jan 17 18:54:30 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
unit test for hostkeys in ssh-agent
|
|
|
|
commit 9e06a0fb23ec55d9223b26a45bb63c7649e2f2f2
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Thu Jan 15 23:41:29 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add kex unit tests
|
|
|
|
commit d2099dec6da21ae627f6289aedae6bc1d41a22ce
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Mon Jan 19 00:32:54 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
djm, your /usr/include tree is old
|
|
|
|
commit 2b3c3c76c30dc5076fe09d590f5b26880f148a54
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jan 18 21:51:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
some feedback from markus@: comment hostkeys_foreach()
|
|
context and avoid a member in it.
|
|
|
|
commit cecb30bc2ba6d594366e657d664d5c494b6c8a7f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jan 18 21:49:42 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make ssh-keygen use hostkeys_foreach(). Removes some
|
|
horrendous code; ok markus@
|
|
|
|
commit ec3d065df3a9557ea96b02d061fd821a18c1a0b9
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jan 18 21:48:09 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
convert load_hostkeys() (hostkey ordering and
|
|
known_host matching) to use the new hostkey_foreach() iterator; ok markus
|
|
|
|
commit c29811cc480a260e42fd88849fc86a80c1e91038
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jan 18 21:40:23 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
introduce hostkeys_foreach() to allow iteration over a
|
|
known_hosts file or controlled subset thereof. This will allow us to pull out
|
|
some ugly and duplicated code, and will be used to implement hostkey rotation
|
|
later.
|
|
|
|
feedback and ok markus
|
|
|
|
commit f101d8291da01bbbfd6fb8c569cfd0cc61c0d346
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Sun Jan 18 14:01:00 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
string truncation due to sizeof(size) ok djm markus
|
|
|
|
commit 35d6022b55b7969fc10c261cb6aa78cc4a5fcc41
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jan 18 13:33:34 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
avoid trailing ',' in host key algorithms
|
|
|
|
commit 7efb455789a0cb76bdcdee91c6060a3dc8f5c007
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Jan 18 13:22:28 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
infer key length correctly when user specified a fully-
|
|
qualified key name instead of using the -b bits option; ok markus@
|
|
|
|
commit 83f8ffa6a55ccd0ce9d8a205e3e7439ec18fedf5
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sat Jan 17 18:53:34 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix hostkeys on ssh agent; found by unit test I'm about
|
|
to commit
|
|
|
|
commit 369d61f17657b814124268f99c033e4dc6e436c1
|
|
Author: schwarze@openbsd.org <schwarze@openbsd.org>
|
|
Date: Fri Jan 16 16:20:23 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
garbage collect empty .No macros mandoc warns about
|
|
|
|
commit bb8b442d32dbdb8521d610e10d8b248d938bd747
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jan 16 15:55:07 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
regression: incorrect error message on
|
|
otherwise-successful ssh-keygen -A. Reported by Dmitry Orlov, via deraadt@
|
|
|
|
commit 9010902954a40b59d0bf3df3ccbc3140a653e2bc
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Fri Jan 16 07:19:48 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
when hostname canonicalisation is enabled, try to parse
|
|
hostnames as addresses before looking them up for canonicalisation. fixes
|
|
bz#2074 and avoids needless DNS lookups in some cases; ok markus
|
|
|
|
commit 2ae4f337b2a5fb2841b6b0053b49496fef844d1c
|
|
Author: deraadt@openbsd.org <deraadt@openbsd.org>
|
|
Date: Fri Jan 16 06:40:12 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
Replace <sys/param.h> with <limits.h> and other less
|
|
dirty headers where possible. Annotate <sys/param.h> lines with their
|
|
current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1,
|
|
LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of
|
|
MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution.
|
|
These are the files confirmed through binary verification. ok guenther,
|
|
millert, doug (helped with the verification protocol)
|
|
|
|
commit 3c4726f4c24118e8f1bb80bf75f1456c76df072c
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Thu Jan 15 21:38:50 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
remove xmalloc, switch to sshbuf
|
|
|
|
commit e17ac01f8b763e4b83976b9e521e90a280acc097
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Thu Jan 15 21:37:14 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
switch to sshbuf
|
|
|
|
commit ddef9995a1fa6c7a8ff3b38bfe6cf724bebf13d0
|
|
Author: naddy@openbsd.org <naddy@openbsd.org>
|
|
Date: Thu Jan 15 18:32:54 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
handle UMAC128 initialization like UMAC; ok djm@ markus@
|
|
|
|
commit f14564c1f7792446bca143580aef0e7ac25dcdae
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Jan 15 11:04:36 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix regression reported by brad@ for passworded keys without
|
|
agent present
|
|
|
|
commit 45c0fd70bb2a88061319dfff20cb12ef7b1bc47e
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 15 22:08:23 2015 +1100
|
|
|
|
make bitmap test compile
|
|
|
|
commit d333f89abf7179021e5c3f28673f469abe032062
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Jan 15 07:36:28 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
unit tests for KRL bitmap
|
|
|
|
commit 7613f828f49c55ff356007ae9645038ab6682556
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed Jan 14 09:58:21 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
re-add comment about full path
|
|
|
|
commit 6c43b48b307c41cd656b415621a644074579a578
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed Jan 14 09:54:38 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
don't reset to the installed sshd; connect before
|
|
reconfigure, too
|
|
|
|
commit 771bb47a1df8b69061f09462e78aa0b66cd594bf
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jan 13 14:51:51 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
implement a SIGINFO handler so we can discern a stuck
|
|
fuzz test from a merely glacial one; prompted by and ok markus
|
|
|
|
commit cfaa57962f8536f3cf0fd7daf4d6a55d6f6de45f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jan 13 08:23:26 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
use $SSH instead of installed ssh to allow override;
|
|
spotted by markus@
|
|
|
|
commit 0920553d0aee117a596b03ed5b49b280d34a32c5
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jan 13 07:49:49 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
regress test for PubkeyAcceptedKeyTypes; ok markus@
|
|
|
|
commit 27ca1a5c0095eda151934bca39a77e391f875d17
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 12 20:13:27 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
unbreak parsing of pubkey comments; with gerhard; ok
|
|
djm/deraadt
|
|
|
|
commit 55358f0b4e0b83bc0df81c5f854c91b11e0bb4dc
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 12 11:46:32 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fatal if soft-PKCS11 library is missing rather (rather
|
|
than continue and fail with a more cryptic error)
|
|
|
|
commit c3554cdd2a1a62434b8161017aa76fa09718a003
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 12 11:12:38 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
let this test all supporte key types; pointed out/ok
|
|
markus@
|
|
|
|
commit 1129dcfc5a3e508635004bcc05a3574cb7687167
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Jan 15 09:40:00 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
sync ssh-keysign, ssh-keygen and some dependencies to the
|
|
new buffer/key API; mostly mechanical, ok markus@
|
|
|
|
commit e4ebf5586452bf512da662ac277aaf6ecf0efe7c
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Jan 15 07:57:08 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
remove commented-out test code now that it has moved to a
|
|
proper unit test
|
|
|
|
commit e81cba066c1e9eb70aba0f6e7c0ff220611b370f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 14 20:54:29 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
whitespace
|
|
|
|
commit 141efe49542f7156cdbc2e4cd0a041d8b1aab622
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 14 20:05:27 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
move authfd.c and its tentacles to the new buffer/key
|
|
API; ok markus@
|
|
|
|
commit 0088c57af302cda278bd26d8c3ae81d5b6f7c289
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 14 19:33:41 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix small regression: ssh-agent would return a success
|
|
message but an empty signature if asked to sign using an unknown key; ok
|
|
markus@
|
|
|
|
commit b03ebe2c22b8166e4f64c37737f4278676e3488d
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 15 03:08:58 2015 +1100
|
|
|
|
more --without-openssl
|
|
|
|
fix some regressions caused by upstream merges
|
|
|
|
enable KRLs now that they no longer require BIGNUMs
|
|
|
|
commit bc42cc6fe784f36df225c44c93b74830027cb5a2
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 15 03:08:29 2015 +1100
|
|
|
|
kludge around tun API mismatch betterer
|
|
|
|
commit c332110291089b624fa0951fbf2d1ee6de525b9f
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 15 02:59:51 2015 +1100
|
|
|
|
some systems lack SO_REUSEPORT
|
|
|
|
commit 83b9678a62cbdc74eb2031cf1e1e4ffd58e233ae
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 15 02:35:50 2015 +1100
|
|
|
|
fix merge botch
|
|
|
|
commit 0cdc5a3eb6fb383569a4da2a30705d9b90428d6b
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 15 02:35:33 2015 +1100
|
|
|
|
unbreak across API change
|
|
|
|
commit 6e2549ac2b5e7f96cbc2d83a6e0784b120444b47
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 15 02:30:18 2015 +1100
|
|
|
|
need includes.h for portable OpenSSH
|
|
|
|
commit 72ef7c148c42db7d5632a29f137f8b87b579f2d9
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 15 02:21:31 2015 +1100
|
|
|
|
support --without-openssl at configure time
|
|
|
|
Disables and removes dependency on OpenSSL. Many features don't
|
|
work and the set of crypto options is greatly restricted. This
|
|
will only work on system with native arc4random or /dev/urandom.
|
|
|
|
Considered highly experimental for now.
|
|
|
|
commit 4f38c61c68ae7e3f9ee4b3c38bc86cd39f65ece9
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Thu Jan 15 02:28:00 2015 +1100
|
|
|
|
add files missed in last commit
|
|
|
|
commit a165bab605f7be55940bb8fae977398e8c96a46d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 14 15:02:39 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
avoid BIGNUM in KRL code by using a simple bitmap;
|
|
feedback and ok markus
|
|
|
|
commit 7d845f4a0b7ec97887be204c3760e44de8bf1f32
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 14 13:54:13 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
update sftp client and server to new buffer API. pretty
|
|
much just mechanical changes; with & ok markus
|
|
|
|
commit 139ca81866ec1b219c717d17061e5e7ad1059e2a
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed Jan 14 13:09:09 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
switch to sshbuf/sshkey; with & ok djm@
|
|
|
|
commit 81bfbd0bd35683de5d7f2238b985e5f8150a9180
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Wed Jan 14 21:48:18 2015 +1100
|
|
|
|
support --without-openssl at configure time
|
|
|
|
Disables and removes dependency on OpenSSL. Many features don't
|
|
work and the set of crypto options is greatly restricted. This
|
|
will only work on system with native arc4random or /dev/urandom.
|
|
|
|
Considered highly experimental for now.
|
|
|
|
commit 54924b53af15ccdcbb9f89984512b5efef641a31
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 14 10:46:28 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
avoid an warning for the !OPENSSL case
|
|
|
|
commit ae8b463217f7c9b66655bfc3945c050ffdaeb861
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed Jan 14 10:30:34 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
swith auth-options to new sshbuf/sshkey; ok djm@
|
|
|
|
commit 540e891191b98b89ee90aacf5b14a4a68635e763
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Wed Jan 14 10:29:45 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
make non-OpenSSL aes-ctr work on sshd w/ privsep; ok
|
|
markus@
|
|
|
|
commit 60c2c4ea5e1ad0ddfe8b2877b78ed5143be79c53
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Wed Jan 14 10:24:42 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
remove unneeded includes, sync my copyright across files
|
|
& whitespace; ok djm@
|
|
|
|
commit 128343bcdb0b60fc826f2733df8cf979ec1627b4
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Tue Jan 13 19:31:40 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
adapt mac.c to ssherr.h return codes (de-fatal) and
|
|
simplify dependencies ok djm@
|
|
|
|
commit e7fd952f4ea01f09ceb068721a5431ac2fd416ed
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jan 13 19:04:35 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
sync changes from libopenssh; prepared by markus@ mostly
|
|
debug output tweaks, a couple of error return value changes and some other
|
|
minor stuff
|
|
|
|
commit 76c0480a85675f03a1376167cb686abed01a3583
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Tue Jan 13 19:38:18 2015 +1100
|
|
|
|
add --without-ssh1 option to configure
|
|
|
|
Allows disabling support for SSH protocol 1.
|
|
|
|
commit 1f729f0614d1376c3332fa1edb6a5e5cec7e9e03
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Jan 13 07:39:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
add sshd_config HostbasedAcceptedKeyTypes and
|
|
PubkeyAcceptedKeyTypes options to allow sshd to control what public key types
|
|
will be accepted. Currently defaults to all. Feedback & ok markus@
|
|
|
|
commit 816d1538c24209a93ba0560b27c4fda57c3fff65
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 12 20:13:27 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
unbreak parsing of pubkey comments; with gerhard; ok
|
|
djm/deraadt
|
|
|
|
commit 0097565f849851812df610b7b6b3c4bd414f6c62
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 12 19:22:46 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
missing error assigment on sshbuf_put_string()
|
|
|
|
commit a7f49dcb527dd17877fcb8d5c3a9a6f550e0bba5
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Jan 12 15:18:07 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
apparently memcpy(x, NULL, 0) is undefined behaviour
|
|
according to C99 (cf. sections 7.21.1 and 7.1.4), so check skip memcpy calls
|
|
when length==0; ok markus@
|
|
|
|
commit 905fe30fca82f38213763616d0d26eb6790bde33
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 12 14:05:19 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
free->sshkey_free; ok djm@
|
|
|
|
commit f067cca2bc20c86b110174c3fef04086a7f57b13
|
|
Author: markus@openbsd.org <markus@openbsd.org>
|
|
Date: Mon Jan 12 13:29:27 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
allow WITH_OPENSSL w/o WITH_SSH1; ok djm@
|
|
|
|
commit c4bfafcc2a9300d9cfb3c15e75572d3a7d74670d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Jan 8 13:10:58 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
adjust for sshkey_load_file() API change
|
|
|
|
commit e752c6d547036c602b89e9e704851463bd160e32
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Jan 8 13:44:36 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
fix ssh_config FingerprintHash evaluation order; from Petr
|
|
Lautrbach
|
|
|
|
commit ab24ab847b0fc94c8d5e419feecff0bcb6d6d1bf
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Jan 8 10:15:45 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
reorder hostbased key attempts to better match the
|
|
default hostkey algorithms order in myproposal.h; ok markus@
|
|
|
|
commit 1195f4cb07ef4b0405c839293c38600b3e9bdb46
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Jan 8 10:14:08 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
deprecate key_load_private_pem() and
|
|
sshkey_load_private_pem() interfaces. Refactor the generic key loading API to
|
|
not require pathnames to be specified (they weren't really used).
|
|
|
|
Fixes a few other things en passant:
|
|
|
|
Makes ed25519 keys work for hostbased authentication (ssh-keysign
|
|
previously used the PEM-only routines).
|
|
|
|
Fixes key comment regression bz#2306: key pathnames were being lost as
|
|
comment fields.
|
|
|
|
ok markus@
|
|
|
|
commit febbe09e4e9aff579b0c5cc1623f756862e4757d
|
|
Author: tedu@openbsd.org <tedu@openbsd.org>
|
|
Date: Wed Jan 7 18:15:07 2015 +0000
|
|
|
|
upstream commit
|
|
|
|
workaround for the Meyer, et al, Bleichenbacher Side
|
|
Channel Attack. fake up a bignum key before RSA decryption. discussed/ok djm
|
|
markus
|
|
|
|
commit 5191df927db282d3123ca2f34a04d8d96153911a
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Tue Dec 23 22:42:48 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
KNF and add a little more debug()
|
|
|
|
commit 8abd80315d3419b20e6938f74d37e2e2b547f0b7
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Mon Dec 22 09:26:31 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
add fingerprinthash to the options list;
|
|
|
|
commit 296ef0560f60980da01d83b9f0e1a5257826536f
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Mon Dec 22 09:24:59 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
tweak previous;
|
|
|
|
commit 462082eacbd37778a173afb6b84c6f4d898a18b5
|
|
Author: Damien Miller <djm@google.com>
|
|
Date: Tue Dec 30 08:16:11 2014 +1100
|
|
|
|
avoid uninitialised free of ldns_res
|
|
|
|
If an invalid rdclass was passed to getrrsetbyname() then
|
|
this would execute a free on an uninitialised pointer.
|
|
OpenSSH only ever calls this with a fixed and valid rdclass.
|
|
|
|
Reported by Joshua Rogers
|
|
|
|
commit 01b63498801053f131a0740eb9d13faf35d636c8
|
|
Author: Damien Miller <djm@google.com>
|
|
Date: Mon Dec 29 18:10:18 2014 +1100
|
|
|
|
pull updated OpenBSD BCrypt PBKDF implementation
|
|
|
|
Includes fix for 1 byte output overflow for large key length
|
|
requests (not reachable in OpenSSH).
|
|
|
|
Pointed out by Joshua Rogers
|
|
|
|
commit c528c1b4af2f06712177b3de9b30705752f7cbcb
|
|
Author: Damien Miller <djm@google.com>
|
|
Date: Tue Dec 23 15:26:13 2014 +1100
|
|
|
|
fix variable name for IPv6 case in construct_utmpx
|
|
|
|
patch from writeonce AT midipix.org via bz#2296
|
|
|
|
commit 293cac52dcda123244b2e594d15592e5e481c55e
|
|
Author: Damien Miller <djm@google.com>
|
|
Date: Mon Dec 22 16:30:42 2014 +1100
|
|
|
|
include and use OpenBSD netcat in regress/
|
|
|
|
commit 8f6784f0cb56dc4fd00af3e81a10050a5785228d
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Dec 22 09:05:17 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
mention ssh -Q feature to list supported { MAC, cipher,
|
|
KEX, key } algorithms in more places and include the query string used to
|
|
list the relevant information; bz#2288
|
|
|
|
commit 449e11b4d7847079bd0a2daa6e3e7ea03d8ef700
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Mon Dec 22 08:24:17 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
tweak previous;
|
|
|
|
commit 4bea0ab3290c0b9dd2aa199e932de8e7e18062d6
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Dec 22 08:06:03 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
regression test for multiple required pubkey authentication;
|
|
ok markus@
|
|
|
|
commit f1c4d8ec52158b6f57834b8cd839605b0a33e7f2
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Dec 22 08:04:23 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
correct description of what will happen when a
|
|
AuthorizedKeysCommand is specified but AuthorizedKeysCommandUser is not (sshd
|
|
will refuse to start)
|
|
|
|
commit 161cf419f412446635013ac49e8c660cadc36080
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Dec 22 07:55:51 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
make internal handling of filename arguments of "none"
|
|
more consistent with ssh. "none" arguments are now replaced with NULL when
|
|
the configuration is finalised.
|
|
|
|
Simplifies checking later on (just need to test not-NULL rather than
|
|
that + strcmp) and cleans up some inconsistencies. ok markus@
|
|
|
|
commit f69b69b8625be447b8826b21d87713874dac25a6
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Dec 22 07:51:30 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
remember which public keys have been used for
|
|
authentication and refuse to accept previously-used keys.
|
|
|
|
This allows AuthenticationMethods=publickey,publickey to require
|
|
that users authenticate using two _different_ pubkeys.
|
|
|
|
ok markus@
|
|
|
|
commit 46ac2ed4677968224c4ca825bc98fc68dae183f0
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Dec 22 07:24:11 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
fix passing of wildcard forward bind addresses when
|
|
connection multiplexing is in use; patch from Sami Hartikainen via bz#2324;
|
|
ok dtucker@
|
|
|
|
commit 0d1b241a262e4d0a6bbfdd595489ab1b853c43a1
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Dec 22 06:14:29 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
make this slightly easier to diff against portable
|
|
|
|
commit 0715bcdddbf68953964058f17255bf54734b8737
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Dec 22 13:47:07 2014 +1100
|
|
|
|
add missing regress output file
|
|
|
|
commit 1e30483c8ad2c2f39445d4a4b6ab20c241e40593
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Dec 22 02:15:52 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
adjust for new SHA256 key fingerprints and
|
|
slightly-different MD5 hex fingerprint format
|
|
|
|
commit 6b40567ed722df98593ad8e6a2d2448fc2b4b151
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Mon Dec 22 01:14:49 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
poll changes to netcat (usr.bin/netcat.c r1.125) broke
|
|
this test; fix it by ensuring more stdio fds are sent to devnull
|
|
|
|
commit a5375ccb970f49dddf7d0ef63c9b713ede9e7260
|
|
Author: jmc@openbsd.org <jmc@openbsd.org>
|
|
Date: Sun Dec 21 23:35:14 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
tweak previous;
|
|
|
|
commit b79efde5c3badf5ce4312fe608d8307eade533c5
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Dec 21 23:12:42 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
document FingerprintHash here too
|
|
|
|
commit d16bdd8027dd116afa01324bb071a4016cdc1a75
|
|
Author: Damien Miller <djm@mindrot.org>
|
|
Date: Mon Dec 22 10:18:09 2014 +1100
|
|
|
|
missing include for base64 encoding
|
|
|
|
commit 56d1c83cdd1ac76f1c6bd41e01e80dad834f3994
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Sun Dec 21 22:27:55 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
Add FingerprintHash option to control algorithm used for
|
|
key fingerprints. Default changes from MD5 to SHA256 and format from hex to
|
|
base64.
|
|
|
|
Feedback and ok naddy@ markus@
|
|
|
|
commit 058f839fe15c51be8b3a844a76ab9a8db550be4f
|
|
Author: djm@openbsd.org <djm@openbsd.org>
|
|
Date: Thu Dec 18 23:58:04 2014 +0000
|
|
|
|
upstream commit
|
|
|
|
don't count partial authentication success as a failure
|
|
against MaxAuthTries; ok deraadt@
|