Darren Tucker [Mon, 21 Feb 2011 10:42:00 +0000 (21:42 +1100)]
- (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the
Cygwin-specific service installer script ssh-host-config. The actual
functionality is the same, the revisited version is just more
exact when it comes to check for problems which disallow to run
certain aspects of the script. So, part of this script and the also
rearranged service helper script library "csih" is to check if all
the tools required to run the script are available on the system.
The new script also is more thorough to inform the user why the
script failed. Patch from vinschen at redhat com.
Damien Miller [Fri, 4 Feb 2011 00:43:04 +0000 (11:43 +1100)]
20110128
- (djm) [openbsd-compat/port-linux.c] Check whether SELinux is enabled
before attempting setfscreatecon(). Check whether matchpathcon()
succeeded before using its result. Patch from cjwatson AT debian.org;
bz#1851
Damien Miller [Fri, 4 Feb 2011 00:42:11 +0000 (11:42 +1100)]
cherry-pick
20110125
- (djm) [configure.ac Makefile.in ssh.c openbsd-compat/port-linux.c
openbsd-compat/port-linux.h] Move SELinux-specific code from ssh.c to
port-linux.c to avoid compilation errors. Add -lselinux to ssh when
building with SELinux support to avoid linking failure; report from
amk AT spamfence.net; ok dtucker
Damien Miller [Thu, 27 Jan 2011 23:30:18 +0000 (10:30 +1100)]
- (djm) [openbsd-compat/port-linux.c] Check whether SELinux is enabled
before attempting setfscreatecon(). Check whether matchpathcon()
succeeded before using its result. Patch from cjwatson AT debian.org;
bz#1851
Damien Miller [Tue, 25 Jan 2011 01:16:15 +0000 (12:16 +1100)]
- (djm) [configure.ac Makefile.in ssh.c openbsd-compat/port-linux.c
openbsd-compat/port-linux.h] Move SELinux-specific code from ssh.c to
port-linux.c to avoid compilation errors. Add -lselinux to ssh when
building with SELinux support to avoid linking failure; report from
amk AT spamfence.net; ok dtucker
Darren Tucker [Fri, 21 Jan 2011 22:37:01 +0000 (09:37 +1100)]
- (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add
RSA_get_default_method() for the benefit of openssl versions that don't
have it (at least openssl-engine-0.9.6b). Found and tested by Kevin Brott,
ok djm@.
Damien Miller [Wed, 19 Jan 2011 12:12:27 +0000 (23:12 +1100)]
- (djm) [configure.ac] Disable ECC on OpenSSL <0.9.8g. Releases prior to
0.9.8 lacked it, and 0.9.8a through 0.9.8d have proven buggy in pre-
release testing (random crashes and failure to load ECC keys).
ok dtucker@
Darren Tucker [Mon, 17 Jan 2011 10:15:27 +0000 (21:15 +1100)]
- (dtucker) [LICENCE Makefile.in audit-bsm.c audit-linux.c audit.c audit.h
configure.ac defines.h loginrec.c] Bug #1402: add linux audit subsystem
support, based on patches from Tomas Mraz and jchadima at redhat.
Damien Miller [Mon, 17 Jan 2011 05:17:09 +0000 (16:17 +1100)]
- (djm) [configure.ac regress/agent-getpeereid.sh regress/multiplex.sh]
[regress/sftp-glob.sh regress/test-exec.sh] Rework how feature tests are
disabled on platforms that do not support them; add a "config_defined()"
shell function that greps for defines in config.h and use them to decide
on feature tests.
Convert a couple of existing grep's over config.h to use the new function
Add a define "FILESYSTEM_NO_BACKSLASH" for filesystem that can't represent
backslash characters in filenames, enable it for Cygwin and use it to turn
of tests for quotes backslashes in sftp-glob.sh.
based on discussion with vinschen AT redhat.com and dtucker@; ok dtucker@
Darren Tucker [Mon, 17 Jan 2011 00:55:59 +0000 (11:55 +1100)]
- (dtucker) [openbsd-compat/port-linux.c] Bug #1838: Add support for the new
Linux OOM-killer magic values that changed in 2.6.36 kernels, with fallback
to the old values. Feedback from vapier at gentoo org and djm, ok djm.
Damien Miller [Sun, 16 Jan 2011 23:51:40 +0000 (10:51 +1100)]
- (djm) [regress/Makefile] use $TEST_SSH_KEYGEN instead of the one in
$PATH, fix cleanup of droppings; reported by openssh AT
roumenpetrov.info; ok dtucker@
Damien Miller [Sun, 16 Jan 2011 12:18:33 +0000 (23:18 +1100)]
- djm@cvs.openbsd.org 2011/01/16 12:05:59
[clientloop.c]
a couple more tweaks to the post-close protocol 1 stderr/stdout flush:
now that we use atomicio(), convert them from while loops to if statements
add test and cast to compile cleanly with -Wsigned
Damien Miller [Sun, 16 Jan 2011 12:16:53 +0000 (23:16 +1100)]
- djm@cvs.openbsd.org 2011/01/16 11:50:05
[clientloop.c]
Use atomicio when flushing protocol 1 std{out,err} buffers at
session close. This was a latent bug exposed by setting a SIGCHLD
handler and spotted by kevin.brott AT gmail.com; ok dtucker@
Damien Miller [Fri, 14 Jan 2011 03:47:37 +0000 (14:47 +1100)]
- (djm) [Makefile.in] Use shell test to disable ecdsa key generating in
host-key-force target rather than a substitution that is replaced with a
comment so that the Makefile.in is still a syntactically valid Makefile
(useful to run the distprep target)
Damien Miller [Fri, 14 Jan 2011 01:01:50 +0000 (12:01 +1100)]
- djm@cvs.openbsd.org 2011/01/13 21:55:25
[PROTOCOL.mux]
correct protocol names and add a couple of missing protocol number
defines; patch from bert.wesarg AT googlemail.com
Damien Miller [Thu, 13 Jan 2011 11:00:20 +0000 (22:00 +1100)]
- (djm) [myproposal.h] Fix reversed OPENSSL_VERSION_NUMBER test and bad
#define that was causing diffie-hellman-group-exchange-sha256 to be
incorrectly disabled
Damien Miller [Wed, 12 Jan 2011 05:00:37 +0000 (16:00 +1100)]
- (djm) [configure.ac] Fix broken test for gcc >= 4.4 with per-compiler
flag tests that don't depend on gcc version at all; suggested by and
ok dtucker@
Damien Miller [Wed, 12 Jan 2011 02:32:03 +0000 (13:32 +1100)]
- djm@cvs.openbsd.org 2011/01/12 01:53:14
avoid some integer overflows mostly with GLOB_APPEND and GLOB_DOOFFS
and sanity check arguments (these will be unnecessary when we switch
struct glob members from being type into to size_t in the future);
"looks ok" tedu@ feedback guenther@
Damien Miller [Wed, 12 Jan 2011 02:30:18 +0000 (13:30 +1100)]
- nicm@cvs.openbsd.org 2010/10/08 21:48:42
[openbsd-compat/glob.c]
Extend GLOB_LIMIT to cover readdir and stat and bump the malloc limit
from ARG_MAX to 64K.
Fixes glob-using programs (notably ftp) able to be triggered to hit
resource limits.
Idea from a similar NetBSD change, original problem reported by jasper@.
ok millert tedu jasper
Damien Miller [Tue, 11 Jan 2011 06:20:29 +0000 (17:20 +1100)]
- djm@cvs.openbsd.org 2011/01/11 06:13:10
[clientloop.c ssh-keygen.c sshd.c]
some unsigned long long casts that make things a bit easier for
portable without resorting to dropping PRIu64 formats everywhere
Damien Miller [Tue, 11 Jan 2011 06:20:05 +0000 (17:20 +1100)]
- djm@cvs.openbsd.org 2011/01/11 06:06:09
[sshlogin.c]
fd leak on error paths; from zinovik@
NB. Id sync only; we use loginrec.c that was also audited and fixed
recently
Damien Miller [Thu, 6 Jan 2011 22:54:20 +0000 (09:54 +1100)]
- djm@cvs.openbsd.org 2011/01/06 22:46:21
[regress/Makefile regress/host-expand.sh]
regress test for LocalCommand %n expansion from bert.wesarg AT
googlemail.com; ok markus@
Damien Miller [Thu, 6 Jan 2011 22:51:52 +0000 (09:51 +1100)]
- djm@cvs.openbsd.org 2011/01/06 22:23:02
[clientloop.c]
when exiting due to ServerAliveTimeout, mention the hostname that caused
it (useful with backgrounded controlmaster)
Damien Miller [Thu, 6 Jan 2011 11:43:44 +0000 (22:43 +1100)]
- djm@cvs.openbsd.org 2010/12/15 00:49:27
[readpass.c]
fix ControlMaster=ask regression
reset SIGCHLD handler before fork (and restore it after) so we don't miss
the the askpass child's exit status. Correct test for exit status/signal to
account for waitpid() failure; with claudio@ ok claudio@ markus@
Damien Miller [Thu, 6 Jan 2011 11:42:04 +0000 (22:42 +1100)]
- markus@cvs.openbsd.org 2010/12/14 11:59:06
[sshconnect.c]
don't mention key type in key-changed-warning, since we also print
this warning if a new key type appears. ok djm@
Damien Miller [Thu, 6 Jan 2011 11:40:30 +0000 (22:40 +1100)]
- markus@cvs.openbsd.org 2010/12/08 22:46:03
[scp.1 scp.c]
add a new -3 option to scp: Copies between two remote hosts are
transferred through the local host. Without this option the data
is copied directly between the two remote hosts. ok djm@ (bugzilla #1837)
Damien Miller [Mon, 3 Jan 2011 21:16:27 +0000 (08:16 +1100)]
- (djm) [configure.ac Makefile.in] Use mandoc as preferred manpage
formatter if it is present, followed by nroff and groff respectively.
Fixes distprep target on OpenBSD (which has bumped groff/nroff to ports
in favour of mandoc). feedback and ok tim
Damien Miller [Sun, 2 Jan 2011 10:53:07 +0000 (21:53 +1100)]
- (djm) [configure.ac] Check whether libdes is needed when building
with Heimdal krb5 support. On OpenBSD this library no longer exists,
so linking it unconditionally causes a build failure; ok dtucker
Damien Miller [Sun, 26 Dec 2010 03:26:45 +0000 (14:26 +1100)]
- djm@cvs.openbsd.org 2010/12/08 04:02:47
[ssh_config.5 sshd_config.5]
explain that IPQoS arguments are separated by whitespace; iirc requested
by jmc@ a while back
Darren Tucker [Sat, 4 Dec 2010 22:02:47 +0000 (09:02 +1100)]
- djm@cvs.openbsd.org 2010/12/04 00:18:01
[sftp-server.c sftp.1 sftp-client.h sftp.c PROTOCOL sftp-client.c]
add a protocol extension to support a hard link operation. It is
available through the "ln" command in the client. The old "ln"
behaviour of creating a symlink is available using its "-s" option
or through the preexisting "symlink" command; based on a patch from
miklos AT szeredi.hu in bz#1555; ok markus@
Darren Tucker [Sat, 4 Dec 2010 22:01:47 +0000 (09:01 +1100)]
- djm@cvs.openbsd.org 2010/12/03 23:55:27
[auth-rsa.c]
move check for revoked keys to run earlier (in auth_rsa_key_allowed)
bz#1829; patch from ldv AT altlinux.org; ok markus@
Darren Tucker [Sat, 4 Dec 2010 22:00:30 +0000 (09:00 +1100)]
- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/12/03 23:49:26
[schnorr.c]
check that g^x^q === 1 mod p; recommended by JPAKE author Feng Hao
(this code is still disabled, but apprently people are treating it as
a reference implementation)
Darren Tucker [Sat, 4 Dec 2010 12:20:50 +0000 (23:20 +1100)]
- (dtucker) [configure.ac moduli.c openbsd-compat/openssl-compat.{c,h}] Add
shims for the new, non-deprecated OpenSSL key generation functions for
platforms that don't have the new interfaces.
Damien Miller [Wed, 1 Dec 2010 01:21:51 +0000 (12:21 +1100)]
- djm@cvs.openbsd.org 2010/11/29 23:45:51
[auth.c hostfile.c hostfile.h ssh.c ssh_config.5 sshconnect.c]
[sshconnect.h sshconnect2.c]
automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@
Damien Miller [Wed, 1 Dec 2010 01:03:19 +0000 (12:03 +1100)]
- djm@cvs.openbsd.org 2010/11/26 05:52:49
[scp.c]
Pass through ssh command-line flags and options when doing remote-remote
transfers, e.g. to enable agent forwarding which is particularly useful
in this case; bz#1837 ok dtucker@
Damien Miller [Wed, 1 Dec 2010 01:02:35 +0000 (12:02 +1100)]
- djm@cvs.openbsd.org 2010/11/24 01:24:14
[channels.c]
remove a debug() that pollutes stderr on client connecting to a server
in debug mode (channel_close_fds is called transitively from the session
code post-fork); bz#1719, ok dtucker
Damien Miller [Wed, 1 Dec 2010 01:02:14 +0000 (12:02 +1100)]
- djm@cvs.openbsd.org 2010/11/23 23:57:24
[clientloop.c]
avoid NULL deref on receiving a channel request on an unknown or invalid
channel; report bz#1842 from jchadima AT redhat.com; ok dtucker@
Damien Miller [Wed, 1 Dec 2010 01:01:21 +0000 (12:01 +1100)]
- djm@cvs.openbsd.org 2010/11/21 10:57:07
[authfile.c]
Refactor internals of private key loading and saving to work on memory
buffers rather than directly on files. This will make a few things
easier to do in the future; ok markus@
projects / thirdparty / openssh-portable.git / log
