path: root/usr.bin/ssh
Commit message | Author | Age | Files | Lines
...
* add back the changes from rev 1.206, djm reverted this by mistake in | jsg | 2015-03-11 | 1 | -2/+5
  rev 1.207
* fix sshkey_certify() return value for unsupported key types; | djm | 2015-03-06 | 1 | -1/+2
  ok markus@ deraadt@
* make ssh-add -D work with !SSH1 agent | djm | 2015-03-04 | 1 | -3/+3
* crank; ok markus, deraadt | djm | 2015-03-04 | 1 | -2/+2
* add SSH1 Makefile knob to make it easier to build without SSH1 support; | djm | 2015-03-03 | 5 | -9/+24
  ok markus@
* Allow "ssh -Q protocol-version" to list supported SSH protocol | djm | 2015-03-03 | 2 | -6/+15
  versions. Useful for detecting builds without SSH v.1 support; idea and ok markus@
* Make sure we only call getnameinfo() for AF_INET or AF_INET6 sockets. | millert | 2015-03-01 | 1 | -12/+17
  getpeername() of a Unix domain socket may return without error on some systems without actually setting ss_family so getnameinfo() was getting called with ss_family set to AF_UNSPEC. OK djm@
* don't printf NULL key comments; reported by Tom Christensen | djm | 2015-02-26 | 1 | -2/+3
* zero cmsgbuf before use; we initialise the bits we use but | djm | 2015-02-25 | 1 | -1/+3
  valgrind still spams warning on it
* fix small memory leak when UpdateHostkeys=no | djm | 2015-02-25 | 1 | -4/+4
* don't leak validity of user in "too many authentication failures" | djm | 2015-02-25 | 1 | -2/+3
  disconnect message; reported by Sebastian Reitenbach
* add -v (show ASCII art) to -l's synopsis; ok djm@ | naddy | 2015-02-24 | 2 | -4/+5
* further silence spurious error message even when -v is specified | djm | 2015-02-23 | 1 | -2/+2
  (e.g. to get visual host keys); reported by naddy@
* add an XXX to remind me to improve sshkey_load_public | djm | 2015-02-23 | 1 | -1/+4
* silence a spurious error message when listing fingerprints for | djm | 2015-02-23 | 1 | -2/+2
  known_hosts; bz#2342
* fix setting/clearing of TTY raw mode around UpdateHostKeys=ask | djm | 2015-02-23 | 1 | -4/+9
  confirmation question; reported by Herb Goldman
* make "ssh-add -d" properly remove a corresponding certificate, and also | halex | 2015-02-21 | 1 | -4/+10
  not whine and fail if there is none
  ok djm@
* sort options useable under Match case-insensitively; | djm | 2015-02-20 | 1 | -3/+3
  prodded jmc@
* more options that are available under Match; | djm | 2015-02-20 | 1 | -4/+10
  bz#2353 reported by calestyo AT scientia.net
* UpdateHostKeys fixes: | djm | 2015-02-20 | 7 | -30/+42
  I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
  s/hostkeys@openssh.com/hostkeys-00@openssh.com/
  Change the name of the proof message too, and reorder it a little.
  Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
* Regression: I broke logging of public key fingerprints in 1.46. | djm | 2015-02-17 | 1 | -3/+3
  Pointed out by Pontus Lundkvist
* partial backout of: | djm | 2015-02-16 | 1 | -8/+7
  revision 1.441
  date: 2015/01/31 20:30:05; author: djm; state: Exp; lines: +17 -10; commitid: x8klYPZMJSrVlt3O;
  Let sshd load public host keys even when private keys are missing. Allows sshd to advertise additional keys for future key rotation. Also log fingerprint of hostkeys loaded; ok markus@
  hostkey updates now require access to the private key, so we can't load public keys only. The improved log messages (fingerprints of keys loaded) are kept.
* Revise hostkeys@openssh.com hostkey learning extension. | djm | 2015-02-16 | 14 | -101/+537
  The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
  Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
  ok markus@
* Refactor hostkeys_foreach() and dependent code | djm | 2015-02-16 | 4 | -125/+218
  Deal with IP addresses (i.e. CheckHostIP)
  Don't clobber known_hosts when nothing changed
  ok markus@ as part of larger commit
* Declare ge25519_base as extern, to prevent it from becoming a common. Gets us | miod | 2015-02-16 | 1 | -2/+2
  rid of ``alignment 4 of symbol `crypto_sign_ed25519_ref_ge25519_base' in mod_ge25519.o is smaller than 16 in mod_ed25519.o'' warnings at link time.
* make rekey_limit for sshd w/privsep work; ok djm@ dtucker@ | markus | 2015-02-13 | 3 | -15/+12
* Prevent sshd spamming syslog with "ssh_dispatch_run_fatal: disconnected". | dtucker | 2015-02-12 | 1 | -1/+5
  ok markus@
* Some packet error messages show the address of the peer, but might be | djm | 2015-02-11 | 1 | -5/+7
  generated after the socket to the peer has suffered a TCP reset. In these cases, getpeername() won't work so cache the address earlier. spotted in the wild via deraadt@ and tedu@
* fix some leaks in error paths | jsg | 2015-02-09 | 1 | -2/+5
  ok markus@
* SIZE_MAX is standard, we should be using it in preference to the | millert | 2015-02-06 | 4 | -15/+15
  obsolete SIZE_T_MAX. OK miod@ beck@
* Include stdint.h, not limits.h to get SIZE_MAX. OK guenther@ | millert | 2015-02-05 | 1 | -1/+2
* missing ; | deraadt | 2015-02-03 | 1 | -2/+2
  djm and mlarkin really having great interactions recently
* slightly extend the passphrase prompt if running with -c in order to | halex | 2015-02-03 | 1 | -4/+5
  give the user a chance to notice if unintentionally running without it
  wording tweak and ok djm@
* handle PKCS#11 C_Login returning CKR_USER_ALREADY_LOGGED_IN; | djm | 2015-02-02 | 1 | -5/+7
  based on patch from Yuri Samoilenko; ok markus@
* turn UpdateHostkeys off by default until I figure out mlarkin@'s | djm | 2015-02-02 | 2 | -6/+6
  warning message; requested by deraadt@
* increasing encounters with difficult DNS setups in darknets has | deraadt | 2015-02-02 | 3 | -7/+7
  convinced me UseDNS off by default is better
  ok djm
* Let sshd load public host keys even when private keys are missing. | djm | 2015-01-31 | 1 | -10/+17
  Allows sshd to advertise additional keys for future key rotation. Also log fingerprint of hostkeys loaded; ok markus@
* Add a ssh_config HostbasedKeyType option to control which | djm | 2015-01-30 | 7 | -120/+245
  host public key types are tried during hostbased authentication. This may be used to prevent too many keys being sent to the server, and blowing past its MaxAuthTries limit.
  bz#2211 based on patch by Iain Morgan; ok markus@
* set a timeout to prevent hangs when talking to busted servers; | djm | 2015-01-30 | 1 | -1/+2
  ok markus@
* avoid more fatal/exit in the packet.c paths that ssh-keyscan | djm | 2015-01-30 | 9 | -114/+204
  uses; feedback and "looks good" markus@
* permit KRLs that revoke certificates by serial number or key ID | djm | 2015-01-30 | 3 | -51/+86
  without scoping to a particular CA; ok markus@
* missing parentheses after if in do_convert_from() broke | djm | 2015-01-30 | 1 | -3/+3
  private key conversion from other formats some time in 2010; bz#2345 reported by jjelen AT redhat.com
* fix ssh protocol 1, spotted by miod@ | djm | 2015-01-30 | 1 | -9/+20
* update to new API (key_fingerprint => sshkey_fingerprint) | djm | 2015-01-28 | 12 | -68/+81
  check sshkey_fingerprint return values; ok markus
* avoid fatal() calls in packet code | djm | 2015-01-28 | 1 | -3/+15
  makes ssh-keyscan more reliable against server failures
  ok dtucker@ markus@
* avoid fatal() calls in packet code | djm | 2015-01-28 | 7 | -29/+54
  makes ssh-keyscan more reliable against server failures
  ok dtucker@ markus@
* remove obsolete comment | djm | 2015-01-28 | 1 | -2/+1
* Since r1.2 removed the use of PRI* macros, inttypes.h is no longer | okan | 2015-01-27 | 2 | -4/+2
  required. ok djm@
* sort previous; | jmc | 2015-01-26 | 1 | -2/+2
* properly restore umask | djm | 2015-01-26 | 1 | -2/+4