| Commit message (Collapse) | Author | Age | Files | Lines |
Input and ok mortimer@
the agent supports them properly
from Pedro Martelletto
gnezdo noticed that :S/old_string/new_string/ variable modifiers such
as :S/^sth/&/ and :S/sth$/&/ with an anchor in the old_string and an &
in the new_string don't work as documented (and expected) since they
replace & with old_string including the anchors.
This is because get_spatternarg() deals with skipping the anchors in
pattern->lhs only after having replaced any '&' in the buffer that will
eventually become new_string with pattern->lhs. Fix this by moving the
logic of skipping the anchors from get_spatternarg() into
common_get_patternarg() so it is done before & is handled.
ok millert
This is the only missing time function compared to those two
implementations. Doc changes OK jmc@
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@
The times when -T man may have expanded .so requests are long gone,
nor would such a feature be useful. Use soelim(1) if you need that.
ok deraadt@
which unintentionally made the -O tag= argument mandatory,
breaking commands like "man -akO tag Ic=ulimit".
Noticed while answering questions from Ian Ropers.
only applies to -T html output mode, and why. Of course, -O tag works
just fine with less(1) in the -T ascii and -T utf8 output modes.
Potential for confusion pointed out by Ian Ropers.
when no arguments follow the closing brace, \}.
For example, the line "'br\}" contained in the pod2man(1) preamble
would throw a bogus "escaped character not allowed in a name" error.
This issue was originally reported by Chris Bennett on ports@,
and afresh1@ noticed it came from the pod2man(1) preamble.
"ssh-keygen -vyf /path/key"
is attached.
with Pedro Martelletto
When we know that a particular action will require a PIN, such as
downloading resident keys or generating a verify-required key, request
the PIN before attempting it.
joint work with Pedro Martelletto; ok markus@
When downloading a resident, verify-required key from a FIDO token,
preserve the verify-required in the private key that is written to
disk. Previously we weren't doing that because of lack of support
in the middleware API.
from Pedro Martelletto; ok markus@ and myself
When PINs are in use and multiple FIDO tokens are attached to a host, we
cannot just blast requests at all attached tokens with the PIN specified
as this will cause the per-token PIN failure counter to increment. If
this retry counter hits the token's limit (usually 3 attempts), then the
token will lock itself and render all (web and SSH) of its keys invalid.
We don't want this.
So this reworks the key selection logic for the specific case of
multiple keys being attached. When multiple keys are attached and the
operation requires a PIN, then the user must touch the key that they
wish to use first in order to identify it.
This may require multiple touches, but only if there are multiple keys
attached AND (usually) the operation requires a PIN. The usual case of a
single key attached should be unaffected.
Work by Pedro Martelletto; ok myself and markus@
This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.
feedback and ok markus@
FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
Swap the WAIT column with RTABLE (and vice versa); WAIT is wide enough to
fit RTABLE, somewhat adds additional value to STATE and seems therefore most
appropriate to hide in favour of RTABLE.
Filtering rtables with "T" does not toggle the column, just like filtering
users with "u" does not toggle between user and thread id.
Feedback jmc
OK remi
2317.
No functional change, the rename is for consistency and the buffer
handling reduces churn in an upcoming diff.
instead responding with the primary DA response. Ignore it. Reported by
Dave Vandervies.
Vandervies.
"-T-0" for processes outside the default routing table, "-T3" for those in
a specific one; same semantics as with other filters.
Manual wording and command line flag taken from pgrep(1) being the only way
to identify processes by routing table; after netstat(1)'s recent addition
of "-R", filtering in top makes for handy tooling around rtable(4).
"looks good to me" millert
OK remi
The best that we can do is string comparison of the file name.
Previously, "fstat /var/run/foo.sock" would return no results. The
-f option still won't work for sockets since they are not file
system objects. OK kn@
variable name arguments again if they contain a #{.
The server's DNS name may yield multiple addresses of different address
families; in case the local client has no suitable address, i.e. connect(2)
fails with EADDRNOTAVAIL, do not fail hard but try the next address instead.
Report (IPv6 only client with dualstack server) and diff from Sasha Romijn.
OK job
GitHub issues 1182 and 2299. From Eric Garver.
8 columns. This causes an infinite loop in the folding logic.
Fix this by implementing an escape hatch so that only a single fold can
occur. This does mean that a tab with a -F smaller or equal to 8 will
always print the newline escape backslash in the 8th column.
Bug reported by phillbush <at> cock <dot> li
Minor tweak and OK deraadt@
ok deraadt@
confirmed by naddy and deraadt
and from partial code inspection;
OK dlg@
keys in addition to its current flag options. Time-limited keys will
automatically be removed from ssh-agent after their expiry time has
passed; ok markus@
respect $SSH_ASKPASS_REQUIRE; ok markus@
main needs to understand the kstat_tree type now, so move the
declaration up.