| Commit message | Author | Age | Files | Lines |

ok dtucker

Prepares for changes in the way malloc is initialized. ok guenther@ dtucker@

Markus Schmidt via openssh-unix-dev, ok markus@

with & ok markus@

with & ok markus@

almost exactly six years ago.
This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.
with & ok markus@

out the banner exchange. This eliminates some common code from the
client and server.
Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@

Matches in same pass as "Match canonical" but doesn't require
hostname canonicalisation be enabled. bz#2906 ok markus

we're old, but we don't have to act it

names as well as explicit paths. ok dtucker@

ProxyCommand set with regards to hostname canonicalisation (i.e.
don't try to canonicalise the hostname unless CanonicalizeHostname
is set to 'always').
Patch from Sven Wegener via bz#2896

erroneously showing certificate algorithms); prompted by markus@

ok markus@

original_effective_uid globals and replace with calls to plain getuid().
ok djm@

instead of calling getpwuid() again and discarding the argument.
This prevents a client crash where tilde_expand_filename calls getpwuid()
again before the pwent pointer is used.
Issue noticed and reported by Pierre-Olivier Martel <pom@apple.com>
ok djm@ deraadt@

setuid has been removed, remove supporting code and clean up
references to it in the man pages
We have not shipped ssh(1) with the setuid bit since 2002. If anyone
really needs to make connections from a low port number this can
be implemented via a small setuid ProxyCommand.
ok markus@ jmc@ djm@

Do not link uidwap.c into ssh any more. Neuters UsePrivilegedPort,
which will be marked as deprecated shortly. ok markus@ djm@

now gone and the slot is unused so remove it. Remove two now-unused
macros, and add an array bounds check to the two remaining ones
(array is statically sized, so mostly a safety check on future changes).
ok markus@

ssh(1) and always use ssh-keysign. This removes one of the few remaining
reasons why ssh(1) might be setuid. ok markus@

keys, fixing some spurious error messages; ok markus

Roumen Petrov

may be listened on when the client requests remote forwarding (ssh -R).
This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.
feedback and ok markus@

available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@

bz2831, feedback and ok dtucker@

with codespell tool (https://github.com/lucasdemarchi/codespell)

The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@

to ssh(1) that directs it to bind its outgoing connection to the
address of the specified network interface.
BindInterface prefers to use addresses that aren't loopback or link-
local, but will fall back to those if no other addresses of the
required family are available on that interface.
Based on patch by Mike Manning in bz#2820, ok dtucker@

The signal handlers from the original ssh1 code on which OpenSSH
is based assume unreliable signals and reinstall their handlers.
Since OpenBSD (and pretty much every current system) has reliable
signals this is not needed. In the unlikely event that -portable
is still being used on such systems we will deal with it in the
compat layer. ok deraadt@

ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.
ok markus@

instead canonicalise them through getnameinfo/getaddrinfo to remove
ambiguities (e.g. ::0001 => ::1) before they are matched against
known_hosts; bz#2763, ok dtucker@

and reported by Alf Schlichting

/dev/null to fd 1. This allows propagation of remote stdout close to
the local side; reported by David Newall, ok markus@

At the client, the device may be obtained from a new %T expansion
for LocalCommand.
At the server, the allocated devices will be listed in a
SSH_TUNNEL variable exposed to the environment of any user sessions
started after the tunnel forwarding was established.
ok markus

or sftp://user@host/path. The connection parameters described in
draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since the
ssh fingerprint format in the draft uses md5 with no way to specify
the hash function type. OK djm@

(-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.
The SSH server code is unchanged and the parsing happens at the SSH
client's side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.
help and ok djm@

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.
ok markus@

completely; previous behaviour would not prevent further options
appearing after the hostname (ssh has supported options after the
hostname for >20 years, so that's too late to change).
ok deraadt@

file instead of giving it on the client's command line. This command
will be executed on the remote host. The feature allows automating
tasks using ssh config.
OK markus@

ok markus@

ok markus@

ok markus@

ok markus@