| Commit message | Author | Age | Files | Lines |
| |
indentation on continuation lines. Prompted by GHPR#185
| |
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.
| |
ok djm@, dtucker@
| |
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@
| |
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@
| |
value and makes it much harder for hosts to change host keys,
particularly ones that use IP-based load-balancing.
ok dtucker@
| |
ok djm
| |
known_hosts data from a command in addition to the usual files.
The command accepts a bunch of %-expansions, including details of the
connection and the offered server host key. Note that the command may
be invoked up to three times per connection (see the manpage for
details).
ok markus@
| |
(parse_ssh_uri() can return -1/0/1, that I missed). Reported by Raf
Czlonka via bugs@
ok tb@
| |
(one-off) memory leaks; ok markus@
| |
we already do for sshd_config. bz#2320, with & ok djm@
| |
ok dtucker@
| |
appending ssh_err(r) manually; ok markus@
| |
Allows forcing maximum debug logging by file/function/line pattern-
lists.
ok markus@
| |
suggested by Mark D. Baushke
| |
and/or stderr to /dev/null. Factor all these out to a single
stdfd_devnull() function that allows selection of which of these
to redirect. ok markus@
| |
overridden UserKnownHostsFile;
ok markus@ "The timing is perfect" deraadt@
| |
keys in addition to its current flag options. Time-limited keys will
automatically be removed from ssh-agent after their expiry time has
passed; ok markus@
| |
that recently got %k.
| |
variables on the client side. The supported keywords are
CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus
LocalForward and RemoteForward when used for Unix domain socket
paths. This would for example allow forwarding of Unix domain
socket paths that change at runtime. bz#3140, ok djm@
| |
spotted by & ok sthen@
| |
from jjelen at redhat.com.
| |
user.
| |
- %C is moved into its own function and added to Match Exec.
- move the common (global) options into a macro. This is ugly but it's
the least-ugly way I could come up with.
- move IdentityAgent and ForwardAgent percent expansion to before the
config dump to make it regression-testable.
- document all of the above
ok jmc@ for man page bits, "makes things less terrible" djm@ for the rest.
| |
algorithm lists; ok markus@
| |
we need to address; ok markus
| |
default known_hosts files, otherwise select UpdateKnownHosts=ask;
ok markus@
| |
building without zlib compression and associated options. With feedback
from markus@, ok djm@
| |
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.
| |
remove ifdef and distinct settings for OPENSSL=no case.
This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@
| |
$SSH_AUTH_SOCK, by extending the existing ForwardAgent option to
accept an explicit path or the name of an environment variable
in addition to yes/no.
Patch by Eric Chiang, manpage by me; ok markus@
| |
Move oSecurityProvider to match the order in the OpCodes enum.
Patch from openbsd@academicsolutions.ch, ok djm@
| |
openbsd@academicsolutions.ch, ok djm@
| |
openbsd@academicsolutions.ch, ok djm@
| |
Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.
ok markus@
| |
against the (previously external) USB HID middleware. The dlopen()
capability still exists for alternate middlewares, e.g. for
Bluetooth, NFC and test/debugging.
| |
glob() is sufficient.
discussed with djm
| |
the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
| |
during "match exec" processing. bz#2791 reported by Dario Bertini;
ok dtucker
| |
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
| |
ok dtucker
| |
knweiss at gmail.com via -portable.
| |
print PKCS11Provider instead of obsolete SmartcardDevice in config dump.
bz#2974 ok dtucker@