Damien Miller [Fri, 5 Aug 2011 20:17:30 +0000 (06:17 +1000)]
- djm@cvs.openbsd.org 2011/08/02 01:22:11
[mac.c myproposal.h ssh.1 ssh_config.5 sshd.8 sshd_config.5]
Add new SHA256 and SHA512 based HMAC modes from
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
Patch from mdb AT juniper.net; feedback and ok markus@
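How the new MAC modes slot into the SSH transport, as an added Python model (it is not OpenSSH's mac.c and not the draft's text): the tag is HMAC over the 32-bit sequence number followed by the unencrypted packet, keyed with a 32-byte key for hmac-sha2-256 and a 64-byte key for hmac-sha2-512. The key bytes and the SSH_MSG_IGNORE packet below are constructed sample values, and the replay and tamper checks show what the receiver's verification rejects.

```python
import hashlib
import hmac
import struct

# Algorithm name -> (hash function, key length, tag length), all in bytes.
# Key length equals the digest length for both modes (assumption taken from
# the draft this commit implements).
SSH_MACS = {
    "hmac-sha2-256": (hashlib.sha256, 32, 32),
    "hmac-sha2-512": (hashlib.sha512, 64, 64),
}


def ssh_mac(alg, key, seqno, packet):
    """Sender side: tag for one outgoing packet.

    seqno is the transport sequence number (never sent on the wire; both
    peers count it), packet is the unencrypted packet bytes: packet_length,
    padding_length, payload and padding."""
    digestmod, keylen, taglen = SSH_MACS[alg]
    if len(key) != keylen:
        raise ValueError(f"{alg} needs a {keylen}-byte key, got {len(key)}")
    msg = struct.pack(">I", seqno & 0xFFFFFFFF) + packet
    return hmac.new(key, msg, digestmod).digest()[:taglen]


def ssh_mac_verify(alg, key, seqno, packet, tag):
    """Receiver side: recompute the tag and compare in constant time."""
    expected = ssh_mac(alg, key, seqno, packet)
    return hmac.compare_digest(expected, tag)


# Constructed sample values, not taken from any real session.
DEMO_KEY_256 = bytes(range(32))
DEMO_KEY_512 = bytes(range(64))
# SSH_MSG_IGNORE (type 2) carrying the string "ping" with 10 bytes of padding:
# packet_length 20 = padding_length byte + 9 payload bytes + 10 padding bytes,
# so the 24-byte packet is a multiple of an 8-byte cipher block.
DEMO_PACKET = (
    struct.pack(">IB", 20, 10)
    + b"\x02" + struct.pack(">I", 4) + b"ping"
    + b"\x00" * 10
)


def demo_roundtrip(alg, key):
    """Tag a packet as sequence number 7, then check three receiver cases:
    the genuine packet, the same packet replayed at sequence number 8, and
    a copy with one padding byte flipped. Returns (genuine, replayed, tampered)."""
    tag = ssh_mac(alg, key, 7, DEMO_PACKET)
    genuine = ssh_mac_verify(alg, key, 7, DEMO_PACKET, tag)
    replayed = ssh_mac_verify(alg, key, 8, DEMO_PACKET, tag)
    tampered_packet = DEMO_PACKET[:-1] + bytes([DEMO_PACKET[-1] ^ 0x01])
    tampered = ssh_mac_verify(alg, key, 7, tampered_packet, tag)
    return genuine, replayed, tampered


if __name__ == "__main__":
    for alg, key in (("hmac-sha2-256", DEMO_KEY_256), ("hmac-sha2-512", DEMO_KEY_512)):
        print(alg, ssh_mac(alg, key, 7, DEMO_PACKET).hex())
        print("  genuine/replayed/tampered accepted:", demo_roundtrip(alg, key))
```

The sequence number is what makes a replayed packet fail even though its bytes and tag are unchanged, which is why the tag covers it although it never appears on the wire.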
Damien Miller [Fri, 5 Aug 2011 20:16:23 +0000 (06:16 +1000)]
- djm@cvs.openbsd.org 2011/07/29 14:42:45
[sandbox-systrace.c]
fail open(2) with EPERM rather than SIGKILLing the whole process. libc
will call open() to do strerror() when NLS is enabled;
feedback and ok markus@
Damien Miller [Fri, 5 Aug 2011 20:16:00 +0000 (06:16 +1000)]
- tedu@cvs.openbsd.org 2011/07/06 18:09:21
[authfd.c]
bzero the agent address. the kernel was for a while very cranky about
these things. even though that's fixed, always good to initialize
memory. ok deraadt djm
Damien Miller [Thu, 23 Jun 2011 09:45:51 +0000 (19:45 +1000)]
- djm@cvs.openbsd.org 2011/06/23 09:34:13
[sshd.c ssh-sandbox.h sandbox.h sandbox-rlimit.c sandbox-systrace.c]
[sandbox-null.c]
rename sandbox.h => ssh-sandbox.h to make things easier for portable
Damien Miller [Wed, 22 Jun 2011 22:31:57 +0000 (08:31 +1000)]
- djm@cvs.openbsd.org 2011/06/22 22:08:42
[channels.c channels.h clientloop.c clientloop.h mux.c ssh.c]
hook up a channel confirm callback to warn the user when requested X11
forwarding was refused by the server; ok markus@
Damien Miller [Wed, 22 Jun 2011 22:30:03 +0000 (08:30 +1000)]
- djm@cvs.openbsd.org 2011/06/22 21:57:01
[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c]
[sandbox-systrace.c sandbox.h configure.ac Makefile.in]
introduce sandboxing of the pre-auth privsep child using systrace(4).
This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.
The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.
UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.
Damien Miller [Mon, 20 Jun 2011 04:43:31 +0000 (14:43 +1000)]
- djm@cvs.openbsd.org 2011/06/17 21:57:25
[clientloop.c]
setproctitle for a mux master that has been gracefully stopped;
bz#1911 from Bert.Wesarg AT googlemail.com
Damien Miller [Mon, 20 Jun 2011 04:43:11 +0000 (14:43 +1000)]
- djm@cvs.openbsd.org 2011/06/17 21:47:35
[servconf.c]
factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@
Damien Miller [Mon, 20 Jun 2011 04:42:23 +0000 (14:42 +1000)]
- djm@cvs.openbsd.org 2011/06/17 21:44:31
[log.c log.h monitor.c monitor.h monitor_wrap.c monitor_wrap.h sshd.c]
make the pre-auth privsep slave log via a socketpair shared with the
monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
Damien Miller [Mon, 20 Jun 2011 04:23:25 +0000 (14:23 +1000)]
- markus@cvs.openbsd.org 2011/06/14 22:49:18
[authfile.c]
make sure key_parse_public/private_rsa1() no longer consumes its input
buffer. fixes ssh-add for passphrase-protected ssh1-keys;
noted by naddy@; ok djm@
Darren Tucker [Fri, 3 Jun 2011 04:19:02 +0000 (14:19 +1000)]
- dtucker@cvs.openbsd.org 2011/06/03 00:29:52
[regress/dynamic-forward.sh]
Retry establishing the port forwarding after a small delay, should make
the tests less flaky when the previous test is slow to shut down and free
up the port.
Darren Tucker [Fri, 3 Jun 2011 04:14:16 +0000 (14:14 +1000)]
- dtucker@cvs.openbsd.org 2011/06/03 01:37:40
[ssh-agent.c]
Check current parent process ID against saved one to determine if the parent
has exited, rather than attempting to send a zero signal, since the latter
won't work if the parent has changed privs. bz#1905, patch from Daniel Kahn
Gillmor, ok djm@
Damien Miller [Fri, 3 Jun 2011 02:10:22 +0000 (12:10 +1000)]
- djm@cvs.openbsd.org 2011/06/03 00:54:38
[ssh.c]
bz#1883 - setproctitle() to identify mux master; patch from Bert.Wesarg
AT googlemail.com; ok dtucker@
NB. includes additional portability code to enable setproctitle emulation
on platforms that don't support it.
Darren Tucker [Fri, 3 Jun 2011 01:17:52 +0000 (11:17 +1000)]
Remove the !HAVE_SOCKETPAIR case. We use socketpair unconditionally in other
places and the survey data we have does not show any systems that use it.
"nuke it" djm@
Tim Rice [Fri, 3 Jun 2011 01:17:49 +0000 (18:17 -0700)]
- (tim) [configure.ac defines.h] Run test program to detect system mail
directory. Add --with-maildir option to override. Fixed OpenServer 6
getting it wrong. Fixed many systems having MAIL=/var/mail//username
ok dtucker
Darren Tucker [Fri, 3 Jun 2011 00:35:23 +0000 (10:35 +1000)]
- (dtucker) [README version.h contrib/caldera/openssh.spec
contrib/redhat/openssh.spec contrib/suse/openssh.spec] Pull the version
bumps from the 5.8p2 branch into HEAD. ok djm.
Damien Miller [Sun, 29 May 2011 11:59:10 +0000 (21:59 +1000)]
- djm@cvs.openbsd.org 2011/05/23 03:31:31
[regress/cfgmatch.sh]
include testing of multiple/overridden AuthorizedKeysFiles
refactor to simplify daemon start/stop and get rid of racy constructs
Damien Miller [Sun, 29 May 2011 11:42:31 +0000 (21:42 +1000)]
- djm@cvs.openbsd.org 2011/05/24 07:15:47
[readconf.c readconf.h ssh.c ssh_config.5 sshconnect.c sshconnect2.c]
Remove undocumented legacy options UserKnownHostsFile2 and
GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile
accept multiple paths per line and making their defaults include
known_hosts2; ok markus
Damien Miller [Sun, 29 May 2011 11:42:08 +0000 (21:42 +1000)]
- djm@cvs.openbsd.org 2011/05/23 07:24:57
[authfile.c]
read in key comments for v.2 keys (though note that these are not
passed over the agent protocol); bz#439, based on patch from binder
AT arago.de; ok markus@
Damien Miller [Sun, 29 May 2011 11:39:36 +0000 (21:39 +1000)]
OpenBSD CVS Sync
- djm@cvs.openbsd.org 2011/05/23 03:30:07
[auth-rsa.c auth.c auth.h auth2-pubkey.c monitor.c monitor_wrap.c pathnames.h servconf.c servconf.h sshd.8 sshd_config sshd_config.5]
allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)
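The path handling this option now needs, as an added Python model (example code, not sshd's servconf.c or auth2-pubkey.c): a space-separated AuthorizedKeysFile directive is split into paths, the documented %% / %h / %u tokens are expanded, relative paths are taken relative to the user's home directory, and the resulting files are searched in order with missing files skipped. The use of shell-style splitting for quoted paths, the user name, home directory, file contents and key blobs are all constructed assumptions for the demo.

```python
import os
import shlex

# sshd's default search path after this change (authorized_keys2 kept for
# compatibility; the shipped sshd_config overrides it away on fresh installs).
DEFAULT_AUTHORIZED_KEYS_FILE = ".ssh/authorized_keys .ssh/authorized_keys2"


def expand_authorized_keys_file(directive, user, home):
    """Turn one AuthorizedKeysFile directive into a list of absolute paths."""
    paths = []
    for token in shlex.split(directive):  # assumption: quoted paths allowed
        out = []
        i = 0
        while i < len(token):
            c = token[i]
            if c == "%":
                i += 1
                if i >= len(token):
                    raise ValueError("trailing '%' in AuthorizedKeysFile")
                spec = token[i]
                if spec == "%":
                    out.append("%")
                elif spec == "h":
                    out.append(home)
                elif spec == "u":
                    out.append(user)
                else:
                    raise ValueError(f"unknown token %{spec} in AuthorizedKeysFile")
            else:
                out.append(c)
            i += 1
        path = "".join(out)
        if not os.path.isabs(path):
            path = os.path.join(home, path)  # relative to the user's home
        paths.append(os.path.normpath(path))
    return paths


def collect_authorized_keys(paths, files):
    """Search the expanded paths in order; `files` is a constructed
    path -> text mapping standing in for the filesystem. A missing file is
    skipped (it is not an error), blank lines and comments are ignored, and
    each key is returned with the file it came from."""
    keys = []
    for path in paths:
        text = files.get(path)
        if text is None:
            continue
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            keys.append((path, line))
    return keys


# Constructed demo filesystem: key blobs are placeholders, not real keys.
DEMO_USER, DEMO_HOME = "alice", "/home/alice"
DEMO_FILES = {
    "/etc/ssh/keys/alice": "ssh-rsa AAAAB3Nz...CENTRAL-PLACEHOLDER central-admin\n",
    "/home/alice/.ssh/authorized_keys": (
        "# personal keys\n"
        "ecdsa-sha2-nistp256 AAAAE2Vj...LAPTOP-PLACEHOLDER alice@laptop\n"
    ),
}


def demo():
    """Centrally managed keys first, then the user's own file; authorized_keys2
    is listed too but absent, so it contributes nothing."""
    directive = "/etc/ssh/keys/%u " + DEFAULT_AUTHORIZED_KEYS_FILE
    paths = expand_authorized_keys_file(directive, DEMO_USER, DEMO_HOME)
    return paths, collect_authorized_keys(paths, DEMO_FILES)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Listing a root-owned directory such as /etc/ssh/keys/%u ahead of the per-user file is what the multi-path form makes possible: the administrator-controlled keys are consulted first without giving up the user's own file.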
Damien Miller [Fri, 20 May 2011 09:07:45 +0000 (19:07 +1000)]
- djm@cvs.openbsd.org 2011/05/20 02:43:36
[cert-hostkey.sh]
another attempt to generate a v00 ECDSA key that broke the test
ID sync only - portable already had this somehow
Damien Miller [Fri, 20 May 2011 09:06:48 +0000 (19:06 +1000)]
- djm@cvs.openbsd.org 2011/05/17 07:13:31
[regress/cert-userkey.sh]
fatal() if asked to generate a legacy ECDSA cert (these don't exist)
and fix the regress test that was trying to generate them :)
Damien Miller [Fri, 20 May 2011 09:04:14 +0000 (19:04 +1000)]
- djm@cvs.openbsd.org 2011/05/20 03:25:45
[monitor.c monitor_wrap.c servconf.c servconf.h]
use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
Damien Miller [Fri, 20 May 2011 09:03:31 +0000 (19:03 +1000)]
- djm@cvs.openbsd.org 2011/05/20 00:55:02
[servconf.c]
the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@
Damien Miller [Fri, 20 May 2011 09:03:08 +0000 (19:03 +1000)]
- djm@cvs.openbsd.org 2011/05/17 07:13:31
[key.c]
fatal() if asked to generate a legacy ECDSA cert (these don't exist)
and fix the regress test that was trying to generate them :)
Damien Miller [Fri, 20 May 2011 08:56:30 +0000 (18:56 +1000)]
- (djm) [aclocal.m4 configure.ac] since gcc-4.x ignores all -Wno-options
options, we should corresponding -W-option when trying to determine
whether it is accepted. Also includes a warning fix on the program
fragment uses (bad main() return type).
bz#1900 and bz#1901 reported by g.esp AT free.fr; ok dtucker@
Damien Miller [Fri, 20 May 2011 01:45:25 +0000 (11:45 +1000)]
- (djm) [aclocal.m4 configure.ac] since gcc-4.x ignores all -Wno-options
options, we should corresponding -W-option when trying to determine
whether it is accepted. Also includes a warning fix on the program
fragment uses (bad main() return type).
bz#1900 and bz#1901 reported by g.esp AT free.fr; ok dtucker@
Damien Miller [Sat, 14 May 2011 22:51:05 +0000 (08:51 +1000)]
- djm@cvs.openbsd.org 2011/05/11 04:47:06
[auth.c auth.h auth2-pubkey.c pathnames.h servconf.c servconf.h]
remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@
Damien Miller [Sat, 14 May 2011 22:50:32 +0000 (08:50 +1000)]
- djm@cvs.openbsd.org 2011/05/10 05:46:46
[authfile.c]
despam debug() logs by detecting that we are trying to load a private key
in key_try_load_public() and returning early; ok markus@
Damien Miller [Sat, 14 May 2011 22:48:05 +0000 (08:48 +1000)]
- djm@cvs.openbsd.org 2011/05/08 12:52:01
[PROTOCOL.mux clientloop.c clientloop.h mux.c]
improve our behaviour when TTY allocation fails: if we are in
RequestTTY=auto mode (the default), then do not treat a TTY
allocation error as fatal but rather just restore the local TTY
to cooked mode and continue. This is more graceful on devices that
never allocate TTYs.
If RequestTTY is set to "yes" or "force", then failure to allocate
a TTY is fatal.
Damien Miller [Sat, 14 May 2011 22:44:02 +0000 (08:44 +1000)]
- djm@cvs.openbsd.org 2011/05/06 21:18:02
[ssh.c ssh_config.5]
add a %L expansion (short-form of the local host name) for ControlPath;
sync some more expansions with LocalCommand; ok markus@
Damien Miller [Sat, 14 May 2011 22:43:13 +0000 (08:43 +1000)]
- djm@cvs.openbsd.org 2011/05/06 21:14:05
[packet.c packet.h]
set traffic class for IPv6 traffic as we do for IPv4 TOS;
patch from lionel AT mamane.lu via Colin Watson in bz#1855;
ok markus@
Damien Miller [Sat, 14 May 2011 22:34:46 +0000 (08:34 +1000)]
- djm@cvs.openbsd.org 2011/05/05 05:12:08
[mux.c]
gracefully fall back when ControlPath is too large for a
sockaddr_un. ok markus@ as part of a larger diff
Darren Tucker [Tue, 10 May 2011 01:13:36 +0000 (11:13 +1000)]
- (dtucker) [openbsd-compat/openssl-compat.{c,h}] Bug #1882: fix
--with-ssl-engine which was broken with the change from deprecated
SSLeay_add_all_algorithms(). ok djm
Damien Miller [Thu, 5 May 2011 04:16:56 +0000 (14:16 +1000)]
- djm@cvs.openbsd.org 2011/04/18 00:46:05
[ssh-keygen.c]
certificate options are supposed to be packed in lexical order of
option name (though we don't actually enforce this at present).
Move one up that was out of sequence
Damien Miller [Thu, 5 May 2011 04:16:22 +0000 (14:16 +1000)]
- djm@cvs.openbsd.org 2011/04/17 22:42:42
[PROTOCOL.mux clientloop.c clientloop.h mux.c ssh.1 ssh.c]
allow graceful shutdown of multiplexing: request that a mux server
removes its listener socket and refuse future multiplexing requests;
ok markus@
Damien Miller [Thu, 5 May 2011 04:06:15 +0000 (14:06 +1000)]
- stevesk@cvs.openbsd.org 2011/03/23 15:16:22
[ssh-keygen.1 ssh-keygen.c]
Add -A option. For each of the key types (rsa1, rsa, dsa and ecdsa)
for which host keys do not exist, generate the host keys with the
default key file path, an empty passphrase, default bits for the key
type, and default comment. This will be used by /etc/rc to generate
new host keys. Idea from deraadt.
ok deraadt
Damien Miller [Thu, 5 May 2011 04:04:50 +0000 (14:04 +1000)]
- djm@cvs.openbsd.org 2011/03/10 11:34:25
[auth.h]
allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
Damien Miller [Thu, 5 May 2011 04:04:11 +0000 (14:04 +1000)]
- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2011/03/10 02:52:57
[auth2-gss.c auth2.c]
allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
Damien Miller [Thu, 5 May 2011 03:48:37 +0000 (13:48 +1000)]
- (djm) [Makefile.in WARNING.RNG aclocal.m4 buildpkg.sh.in configure.ac]
[entropy.c ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c]
[ssh-keysign.c ssh-pkcs11-helper.c ssh-rand-helper.8 ssh-rand-helper.c]
[ssh.c ssh_prng_cmds.in sshd.c contrib/aix/buildbff.sh]
[regress/README.regress] Remove ssh-rand-helper and all its
tentacles. PRNGd seeding has been rolled into entropy.c directly.
Thanks to tim@ for testing on affected platforms.
Darren Tucker [Mon, 21 Feb 2011 10:41:29 +0000 (21:41 +1100)]
- (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the
Cygwin-specific service installer script ssh-host-config. The actual
functionality is the same, the revisited version is just more
exact when it comes to checking for problems which prevent running
certain aspects of the script. So, part of this script and the also
rearranged service helper script library "csih" is to check if all
the tools required to run the script are available on the system.
The new script is also more thorough in informing the user why the
script failed. Patch from vinschen at redhat com.
Damien Miller [Thu, 17 Feb 2011 22:18:45 +0000 (09:18 +1100)]
- djm@cvs.openbsd.org 2011/02/16 00:31:14
[ssh-keysign.c]
make hostbased auth with ECDSA keys work correctly. Based on patch
by harvey.eneman AT oracle.com in bz#1858; ok markus@ (pre-lock)