| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Reported by Bryan Drewery
|
| |
|
|
|
|
|
| |
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
| |
|
|
|
| |
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@
|
| |
|
|
|
|
| |
characters and skip past the end of the string.
Based on patch by Salvador Fandino; ok dtucker@
|
| |
|
|
| |
of-bounds read. bz#2396 from Jaak Ristioja; ok dtucker@
|
| |
|
|
|
|
|
|
|
|
| |
we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.
ok markus@
|
| |
|
|
| |
ok djm
|
| |
|
|
|
| |
of a single nul byte. Found by hanno AT hboeck.de using AFL;
ok dtucker
|
| |
|
|
|
|
|
|
|
|
| |
The client will not ask the server to prove ownership of the private
halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the
user manually review keys offered.
ok markus@
|
| |
|
|
| |
warning message; requested by deraadt@
|
| |
|
|
|
|
|
|
|
| |
host public key types are tried during hostbased authentication.
This may be used to prevent too many keys being sent to the server,
and blowing past its MaxAuthTries limit.
bz#2211 based on patch by Iain Morgan; ok markus@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add a hostkeys@openssh.com protocol extension (global request) for
a server to inform a client of all its available host key after
authentication has completed. The client may record the keys in
known_hosts, allowing it to upgrade to better host key algorithms
and a server to gracefully rotate its keys.
The client side of this is controlled by a UpdateHostkeys config
option (default on).
ok markus@
|
| |
|
|
|
|
|
|
|
| |
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)
|
| |
|
|
| |
buffer/key API; mostly mechanical, ok markus@
|
| |
|
|
|
| |
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@
|
| | |
|
| |
|
|
|
|
|
| |
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.
Feedback and ok naddy@ markus@
|
| |
|
|
| |
Allow textfile or KRL-based revocation of hostkeys.
|
| |
|
|
|
|
| |
programs.
ok deraadt@ millert@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make the second pass through the config files always run when
hostname canonicalisation is enabled.
Add a "Match canonical" criteria that allows ssh_config Match
blocks to trigger only in the second config pass.
Add a -G option to ssh that causes it to parse its configuration
and dump the result to stdout, similar to "sshd -T"
Allow ssh_config Port options set in the second config parse
phase to be applied (they were being ignored).
bz#2267 bz#2286; ok markus
|
| |
|
|
|
|
|
|
| |
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
the hostname. This allows users to write configurations that always
refer to canonical hostnames, e.g.
CanonicalizeHostname yes
CanonicalDomains int.example.org example.org
CanonicalizeFallbackLocal no
Host *.int.example.org
Compression off
Host *.example.org
User djm
ok markus@
|
| |
|
|
| |
failed to match; ok markus@
|
| | |
|
| |
|
|
|
| |
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@
|
| |
|
|
| |
ok guenther millert markus
|
| |
|
|
| |
ok djm, man page help jmc@
|
| | |
|
| |
|
|
| |
evaluation; spotted by Iain Morgan
|
| |
|
|
|
|
| |
"exec"; it's shorter, clearer in intent and we might want to add the
ability to match against the command being executed at the remote end in
the future.
|
| |
|
|
| |
e.g. authorized_keys; pointed out by naddy@
|
| |
|
|
|
|
|
|
|
|
| |
search path of domain suffixes to use to convert unqualified host names
to fully-qualified ones for host key matching.
This is particularly useful for host certificates, which would otherwise
need to list unqualified names alongside fully-qualified ones (and this
causes a number of problems).
"looks fine" markus@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
add multistate option partsing to readconf.c, similar to servconf.c's
existing code.
move checking of options that accept "none" as an argument to readconf.c
add a lowercase() function and use it instead of explicit tolower() in
loops
part of a larger diff that was ok markus@
|
| |
|
|
| |
user and result of arbitrary commands. "nice work" markus@
|
| |
|
|
|
|
|
|
| |
ProxyCommands that establish a connection and then pass a connected
file descriptor back to ssh(1). This allows the ProxyCommand to exit
rather than have to shuffle data back and forth and enables ssh to use
getpeername, etc. to obtain address information just like it does with
regular directly-connected sockets. ok markus@
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
bz#866; ok markus@
|
| |
|
|
|
| |
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm
|
| | |
|
| |
|
|
| |
ok djm, deraadt.
|
| |
|
|
| |
were default options, and don't warn if the latter are missing. ok markus@
|
| |
|
|
|
|
|
|
|
| |
1) send the actual listen port in the open message (instead of 0).
this allows multiple forwardings with a dynamic listen port
2) update the matching permit-open entry, so we can identify where
to connect to
report: den at skbkontur.ru and P. Szczygielski
feedback and ok djm@
|
| |
|
|
|
|
| |
GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile
accept multiple paths per line and making their defaults include
known_hosts2; ok markus
|
| |
|
|
| |
control over tty allocation (like -t/-T); ok markus@
|
| |
|
|
|
|
|
|
| |
Host *.example.org !c.example.org
User mekmitasdigoat
Will match "a.example.org", "b.example.org", but not "c.example.org"
ok markus@
|
djm
markus
deraadt
lteo
millert
dtucker