summaryrefslogtreecommitdiffstats
path: root/usr.bin/ssh (follow)
Commit message (Collapse)AuthorAgeFilesLines
* for public key authentication, check AuthorizedKeysFiles files beforedjm2019-06-141-11/+18
| | | | consulting AuthorizedKeysCommand; ok dtucker markus
* if passed a bad fd, log what it wasdjm2019-06-141-2/+2
|
* Hostname->HostName cleanup; from lauri tirkkonenjmc2019-06-127-22/+22
| | | | ok dtucker
* deraadt noticed some inconsistency in the way we denote the "Hostname" andjmc2019-06-122-10/+10
| | | | | | | "X11UseLocalhost" keywords; this makes things consistent (effectively reversing my commit of yesterday); ok deraadt markus djm
* consistent lettering for "HostName" keyword; from lauri tirkkonenjmc2019-06-111-3/+3
|
* Typo and spelling fixes in comments and error messages. Patch fromdtucker2019-06-074-9/+9
| | | | knweiss at gmail.com via -portable.
* Check for user@host when parsing sftp target. This allows user@[1.2.3.4]dtucker2019-06-071-6/+11
| | | | to work without a path in addition to with one. bz#2999, ok djm@
* Replace calls to ssh_malloc_init() by a static init of malloc_options.otto2019-06-0613-32/+14
| | | | Prepares for changes in the way malloc is initialized. ok guenther@ dtucker@
* fix ssh-keysign fd handling problem introduced in r1.304 caused by a typodjm2019-05-311-2/+2
| | | | (STDIN_FILENO vs STDERR_FILENO)
* Make the standard output messages of both methods of changing a keylum2019-05-291-5/+16
| | | | | pair's comments (using -c and -C) more applicable to both methods. ok and suggestions djm@ dtucker@
* tweak previous;jmc2019-05-201-3/+4
|
* embiggen format buffer size for certificate serial number sodjm2019-05-201-2/+2
| | | | | that it will fit a full 64 bit integer. bz#3012 from Manoel Domingues Junior
* When signing certificates with an RSA key, default to using thedjm2019-05-202-3/+19
| | | | | | | | | | | rsa-sha2-512 signature algorithm. Certificates signed by RSA keys will therefore be incompatible with OpenSSH < 7.2 unless the default is overridden. Document the ability of the ssh-keygen -t flag to override the signature algorithm when signing certificates, and the new default. ok deraadt@
* Move a variable declaration to the block where it's used to make thingsdtucker2019-05-161-3/+3
| | | | a little tidier for -portable.
* When doing the fork+exec'ing for ssh-keysign, rearrange the socketderaadt2019-05-151-7/+9
| | | | | into fd3, so as to not mistakenly leak other fd forward accidentally. ok djm
* Delete some .Sx macros that were used in a wrong way.schwarze2019-05-142-10/+6
| | | | Part of a patch from Stephen Gregoratto <dev at sgregoratto dot me>.
* For PermitOpen violations add the remote host and port toflorian2019-05-101-3/+21
| | | | | | | | | | | | be able to find out from where the request was comming. Add the same logging for PermitListen violations which where not logged at all. Pointed out by Robert Kisteleki (robert AT ripe.net) input markus OK deraadt
* Use the correct (according to POSIX) format for left-justificationdtucker2019-05-031-3/+3
| | | | in snmprintf. bz#3002, patch from velemas at gmail.com, ok markus@.
* Free channel objects on exit path. Patch from markus at blueflash.cc,dtucker2019-05-031-4/+24
| | | | ok deraadt
* Free host on exit path. Patch from markus at blueflash.cc, ok djm@dtucker2019-05-031-1/+2
|
* Wrap XMSS including in ifdef. Patch from markus at blueflash.cc, ok djmdtucker2019-05-031-2/+4
|
* Import regenerated moduli.dtucker2019-04-266-450/+450
|
* Use the LogLevel typdef instead of int where appropriate. Patch fromdtucker2019-04-232-4/+5
| | | | Markus Schmidt via openssh-unix-dev, ok markus@
* Document new default RSA key size. From sebastiaanlokhorst at gmail.comdtucker2019-04-191-4/+4
| | | | via bz#2997.
* When running sshd -T, assume any attibute not provided by -C does not match,dtucker2019-04-183-10/+15
| | | | | which allows it to work when sshd_config contains a Match directive with or without -C. bz#2858, ok djm@
* Remove crc32.{c,h} which were only used by the now-gone SSH1 protocol.dtucker2019-04-184-140/+2
| | | | Patch from yumkam at gmail.com, ok deraadt.
* openssh-8.0djm2019-04-031-2/+2
|
* when logging/fataling on error, include a bit more detail than just thedjm2019-03-291-17/+21
| | | | function name and the error message
* fix interaction between ClientAliveInterval and RekeyLimit that coulddjm2019-03-271-3/+4
| | | | | cause connection to close incorrectly; Report and patch from Jakub Jelen in bz#2757; ok dtucker@ markus@
* Fix authentication failures when "AuthenticationMethods any" in adjm2019-03-251-1/+9
| | | | | | Match block overrides a more restrictive global default. Spotted by jmc@, ok markus@
* whitespacedjm2019-03-251-2/+1
|
* Expand comment to document rationale for default key sizes.dtucker2019-03-251-3/+10
| | | | "seems worthwhile" deraadt.
* Increase the default RSA key size to 3072 bits. Based on the estimatesdtucker2019-03-251-3/+6
| | | | | | from NIST Special Publication 800-57, 3k bits provides security equivalent to 128 bits which is the smallest symmetric cipher we enable by default. ok markus@ deraadt@
* full stop in the wrong place;jmc2019-03-221-3/+3
|
* benno helped me clean up the tcp forwarding section;jmc2019-03-161-32/+18
|
* fix use-after-free in ssh-pkcs11; found by hshoexer w/AFLmarkus2019-03-081-1/+3
|
* Move checks for lists of users or groups into their own function.dtucker2019-03-064-6/+16
| | | | | This is a no-op on OpenBSD but will make things easier in -portable, eg on systems where these checks should be case-insensitive. ok djm@
* Reset last-seen time when sending a keepalive. Prevents sending twodtucker2019-03-061-6/+9
| | | | | | keepalives successively and prematurely terminating connection when ClientAliveCount=1. While there, collapse two similar tests into one. ok markus@
* PKCS#11 support is no longer limited to RSA; ok benno@ kn@naddy2019-03-052-7/+7
|
* in ssh_set_newkeys(), mention the direction that we're keying in debugdjm2019-03-011-5/+7
| | | | | messages. Previously it would be difficult to tell which direction it was talking about
* Fix two race conditions in sshd relating to SIGHUP:djm2019-03-011-28/+86
| | | | | | | | | | | | | | | | | | | | | | | | | 1. Recently-forked child processes will briefly remain listening to listen_socks. If the main server sshd process completes its restart via execv() before these sockets are closed by the child processes then it can fail to listen at the desired addresses/ports and/or fail to restart. 2. When a SIGHUP is received, there may be forked child processes that are awaiting their reexecution state. If the main server sshd process restarts before passing this state, these child processes will yield errors and use a fallback path of reading the current sshd_config from the filesystem rather than use the one that sshd was started with. To fix both of these cases, we reuse the startup_pipes that are shared between the main server sshd and forked children. Previously this was used solely to implement tracking of pre-auth child processes for MaxStartups, but this extends the messaging over these pipes to include a child->parent message that the parent process is safe to restart. This message is sent from the child after it has completed its preliminaries: closing listen_socks and receiving its reexec state. bz#2953, reported by Michal Koutný; ok markus@ dtucker@
* mention PKCS11Provide=none, reword a little and remove mention ofdjm2019-03-011-6/+8
| | | | | RSA keys only (since we support ECDSA now and might support others in the future). Inspired by Jakub Jelen via bz#2974
* let PKCS11Provider=none do what users expectdjm2019-03-011-2/+3
| | | | | | print PKCS11Provider instead of obsolete SmartcardDevice in config dump. bz#2974 ok dtucker@
* dup stdout/in for proxycommand=-, otherwise stdout might bemarkus2019-02-271-3/+11
| | | | redirected to /dev/null; ok djm@
* openssh-7.9 accidentally reused the server's algorithm lists in thedjm2019-02-233-16/+10
| | | | | | | | | | | | client for KEX, ciphers and MACs. The ciphers and MACs were identical between the client and server, but the error accidentially disabled the diffie-hellman-group-exchange-sha1 KEX method. This fixes the client code to use the correct method list, but because nobody complained, it also disables the diffie-hellman-group-exchange-sha1 KEX method. Reported by nuxi AT vault24.org via bz#2697; ok dtucker
* perform removal of agent-forwarding directory in forward setup errordjm2019-02-221-1/+3
| | | | | | | | | path with user's privileged. This is a no-op as this code always runs with user privilege now that we no longer support running sshd with privilege separation disabled, but as long as the privsep skeleton is there we should follow the rules. bz#2969 with patch from Erik Sjölund
* sync the description of ~/.ssh/config with djm's updated description in ssh.1;jmc2019-02-181-3/+3
| | | | | | issue pointed out by andreas kahari ok dtucker djm
* fix regression in r1.302 reported by naddy@ - only the first publicdjm2019-02-121-5/+5
| | | | key from the agent was being attempted for use.
* cleanup GSSAPI authentication context after completion of thedjm2019-02-111-67/+88
| | | | | | | | authmethod. Move function-static GSSAPI state to the client Authctxt structure. Make static a bunch of functions that aren't used outside this file. Based on patch from Markus Schmidt <markus@blueflash.cc>; ok markus@
* ssh-keygen -D pkcs11.so needs to initialize pkcs11 interactive,benno2019-02-101-2/+2
| | | | | so it can ask for the smartcards PIN. ok markus@
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.