Damien Miller [Tue, 27 Oct 2020 05:46:31 +0000 (16:46 +1100)]
Remove checks for strict POSIX mkdtemp()
We needed a mkdtemp() that accepted template paths that did not
end in XXXXXX a long time ago for KRB4, but that code is long
deprecated. We no longer need to replace mkdtemp() for strictly
following POSIX. ok dtucker@
djm@openbsd.org [Wed, 14 Oct 2020 00:55:17 +0000 (00:55 +0000)]
upstream: make UpdateHostkeys still more conservative: refuse to
proceed if one of the keys offered by the server is already in known_hosts
under another name. This avoid collisions between address entries for
different host aliases when CheckHostIP=yes
Also, do not attempt to fix known_hosts with incomplete host/ip matches
when there are no new or deprecated hostkeys.
Philip Hands [Sat, 3 Oct 2020 22:15:46 +0000 (00:15 +0200)]
shift contents of long $() into filter_ids()
This was prompted by the fact that posh does not deal with $()
that contains comments where the comment includes an odd number
of single-quotes. It seems to get befuddled into trying to find
the matching quote.
Regardless, making a function for filtering the unneeded ids
seems much neater than avoiding apostrophes,
so that's what I've done.
djm@openbsd.org [Sun, 11 Oct 2020 22:14:38 +0000 (22:14 +0000)]
upstream: UpdateHostkeys: check for keys under other names
Stop UpdateHostkeys from automatically removing deprecated keys from
known_hosts files if the same keys exist under a different name or
address to the host that is being connected to.
This avoids UpdateHostkeys from making known_hosts inconsistent in
some cases. For example, multiple host aliases sharing address-based
known_hosts on different lines, or hosts that resolves to multiple
addresses.
When preparing to update the known_hosts file, fully check both
entries for both the host and the address (if CheckHostIP enabled)
and ensure that, at the end of the operation, entries for both are
recorded.
Make sure this works with HashKnownHosts too, which requires maintaining
a list of entry-types seen across the whole file for each key.
Disable UpdateHostkeys if the known_hosts line has more than two
entries in the pattern-list. ssh(1) only writes "host" or "host,ip"
lines so anything else was added by a different tool or by a human.
djm@openbsd.org [Wed, 7 Oct 2020 02:26:28 +0000 (02:26 +0000)]
upstream: Disable UpdateHostkeys when hostkey checking fails
If host key checking fails (i.e. a wrong host key is recorded for the
server) and the user elects to continue (via StrictHostKeyChecking=no),
then disable UpdateHostkeys for the session.
When all of UpdateHostkeys, HashKnownHosts and ChechHostIP
were enabled and new host keys were learned, known_hosts IP
entries were not being recorded for new host keys.
djm@openbsd.org [Sat, 3 Oct 2020 09:22:26 +0000 (09:22 +0000)]
upstream: There are lots of place where we want to redirect stdin,
stdout and/or stderr to /dev/null. Factor all these out to a single
stdfd_devnull() function that allows selection of which of these to redirect.
ok markus@
djm@openbsd.org [Sat, 3 Oct 2020 08:11:28 +0000 (08:11 +0000)]
upstream: record when the host key checking code downgrades a
certificate host key to a plain key. This occurs when the user connects to a
host with a certificate host key but no corresponding CA key configured in
known_hosts; feedback and ok markus@
upstream: split introductory paragraph, and insert ominous words about
the glob issue, which cannot be fully fixed and really requires completely
replacing scp with a completely different subsystem. team effort to find the
right words..
Damien Miller [Fri, 18 Sep 2020 04:55:48 +0000 (14:55 +1000)]
control over the colours in gnome-ssh-askpass[23]
Optionally set the textarea colours via $GNOME_SSH_ASKPASS_FG_COLOR and
$GNOME_SSH_ASKPASS_BG_COLOR. These accept the usual three or six digit
hex colours.
Damien Miller [Fri, 18 Sep 2020 04:50:38 +0000 (14:50 +1000)]
focus improvement for gnome-ssh-askpass[23]
When serving a SSH_ASKPASS_PROMPT=none information dialog, ensure
then <enter> doesn't immediately close the dialog. Instead, require an
explicit <tab> to reach the close button, or <esc>.
The `aclocal' step is skipped during `autoreconf' because aclocal.m4 is
present.
Move the current aclocal.m4 which contains local macros into the m4/
folder. With this change the aclocal.m4 will be re-created during
changes to the m4/ macro.
This is needed so the `aclocal' can fetch m4 macros from the system if
they are references in the configure script. This is a prerequisite to
use PKG_CHECK_MODULES.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
BROKEN_MMAP is no longer defined since commit 1cfd5c06efb12 ("Remove portability support for mmap")
this commit also removed other HAVE_MMAP user. I didn't find anything
that defines HAVE_MMAP. The check does not trigger because compression
on server side is by default COMP_DELAYED (2) so it never triggers.
Remove remaining HAVE_MMAP and BROKEN_MMAP bits.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
upstream: Check that the addresses supplied to Match Address and
Match LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime. Found by
Daniel Stocker, ok djm@
djm@openbsd.org [Thu, 27 Aug 2020 01:08:45 +0000 (01:08 +0000)]
upstream: Request PIN ahead of time for certain FIDO actions
When we know that a particular action will require a PIN, such as
downloading resident keys or generating a verify-required key, request
the PIN before attempting it.
djm@openbsd.org [Thu, 27 Aug 2020 01:08:19 +0000 (01:08 +0000)]
upstream: preserve verify-required for resident FIDO keys
When downloading a resident, verify-required key from a FIDO token,
preserve the verify-required in the private key that is written to
disk. Previously we weren't doing that because of lack of support
in the middleware API.
djm@openbsd.org [Thu, 27 Aug 2020 01:07:51 +0000 (01:07 +0000)]
upstream: major rework of FIDO token selection logic
When PINs are in use and multiple FIDO tokens are attached to a host, we
cannot just blast requests at all attached tokens with the PIN specified
as this will cause the per-token PIN failure counter to increment. If
this retry counter hits the token's limit (usually 3 attempts), then the
token will lock itself and render all (web and SSH) of its keys invalid.
We don't want this.
So this reworks the key selection logic for the specific case of
multiple keys being attached. When multiple keys are attached and the
operation requires a PIN, then the user must touch the key that they
wish to use first in order to identify it.
This may require multiple touches, but only if there are multiple keys
attached AND (usually) the operation requires a PIN. The usual case of a
single key attached should be unaffected.
projects / thirdparty / openssh-portable.git / log
