| Commit message | Author | Age | Files | Lines |
| |
or sftp://user@host/path. The connection parameters described in
draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since the
ssh fingerprint format in the draft uses md5 with no way to specify
the hash function type. OK djm@
| |
exit status (failure due to signal is still reported)
| |
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.
feedback & ok dtucker@
| |
and just use the operating system default; ok dtucker@
| |
are handled safely, and there also is no need for preallocation dances.
Future changes in this area will be less error prone.
Review and one bug found by markus
| |
nicolas.iooss at m4x.org, ok djm@
| |
skip the call to daemon() and do not rewrite the PidFile. This
means that when sshd re-execs itself on SIGHUP the process ID will
no longer change. Should address bz#2641. ok djm@ markus@.
| |
it easier for Portable to support platforms with permissions models other than
uid==0 (eg bz#2625). ok djm@, "doesn't offend me too much" deraadt@.
| |
command-line flag to allow simplified indirection through an
SSH bastion or "jump host".
These options construct a proxy command that connects to the
specified jump host(s) (more than one may be specified) and uses
port-forwarding to establish a connection to the next destination.
This codifies the safest way of indirecting connections through SSH
servers and makes it easy to use.
ok markus@
| |
fixes failure with ExitOnForwardFailure+hostname canonicalisation
where the same forwards are added on the second pass through
the configuration file. bz#2562; ok dtucker@
| |
is when sanitising standard fd's before calling daemon().
Use a tweaked version of the ssh(1) function in all three places
found using fcntl() this way.
ok jca@ beck@
| |
timestamps. Pointed out by mmcc@, ok deraadt@ markus@
| |
ok deraadt, djm
| |
Adapted from portable (using separate devices for this is the normal case
in most OS). ok djm@
| |
we need; makes it possible to use tun/tap networking as non-root
user if device permissions and interface flags are pre-established;
based on patch by Ossi Herrala
| |
ok djm
| |
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)
| |
programs.
ok deraadt@ millert@
| |
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@
| |
strict-alignment architectures; reported by and ok stsp@
| |
add multistate option parsing to readconf.c, similar to servconf.c's
existing code.
move checking of options that accept "none" as an argument to readconf.c
add a lowercase() function and use it instead of explicit tolower() in
loops
part of a larger diff that was ok markus@
| |
errno == 0. Avoids confusing error message in some broken resolver
cases. bz#2122 patch from plautrba AT redhat.com; ok dtucker
| |
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.
| |
an "AF21" class. Spotted by giesen AT snickers.org; ok markus stevesk
| |
# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput
| |
feedback and ok markus@
| |
hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
| |
kernel in kern(9), and remove it from OpenSSH.
ok deraadt@, djm@
| |
factor out bandwidth limiting code from scp(1) into a generic bandwidth
limiter that can be attached using the atomicio callback mechanism
add a bandwidth limit option to sftp(1) using the above
"very nice" markus@
| |
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@
| |
AllowUsers "blah blah" blah
was broken; report and fix in bz#1757 from bitman.zhou AT centrify.com
ok dtucker;
| |
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.
For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3
ok deraadt@ markus@ stevesk@ reyk@
| |
'Looks right' deraadt@
| |
to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually work.
Note that nothing in OpenSSH actually uses close to this limit at present.
bz#1607 from Jan.Pechanec AT Sun.COM
| |
ok markus@
| |
ok dtucker
| |
rather than 0, which it will now treat as valid (needed for future work)
adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int
make use of int vs. u_short consistent in some other places too
feedback & ok markus@
| |
key renegotiation (bz #1363). With djm and Matt Day, ok djm@
| |
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@
| |
"ok by me" djm@.