djm@openbsd.org [Mon, 18 Dec 2017 23:16:23 +0000 (23:16 +0000)]
upstream commit
unbreak hostkey rotation; attempting to sign with a
desired signature algorithm of kex->hostkey_alg is incorrect when the key
type isn't capable of making those signatures. ok markus@
Add helper function for uri handing in scp where a
missing path simply means ".". Also fix exit code and add warnings when an
invalid uri is encountered. OK otto@
djm@openbsd.org [Mon, 18 Dec 2017 02:25:15 +0000 (02:25 +0000)]
upstream commit
pass negotiated signing algorithm though to
sshkey_verify() and check that the negotiated algorithm matches the type in
the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
Create a persistent umac128.c source file: #define the
output size and the name of the entry points for UMAC-128 before including
umac.c. Idea from FreeBSD. ok dtucker@
ssh/lib hasn't worked towards our code-sharing goals for
a quit while, perhaps it is too verbose? Change each */Makefile to
specifying exactly what sources that program requires, compiling it seperate.
Maybe we'll iterate by sorting those into seperatable chunks, splitting up
files which contain common code + server/client specific code, or whatnot.
But this isn't one step, or we'd have done it a long time ago.. ok dtucker
markus djm
Replace atoi and strtol conversions for integer arguments
to config keywords with a checking wrapper around strtonum. This will
prevent and flag invalid and negative arguments to these keywords. ok djm@
Have sftp print a warning about shell cleanliness when
decoding the first packet fails, which is usually caused by shells polluting
stdout of non-interactive starups. bz#2800, ok markus@ deraadt@.
Darren Tucker [Fri, 1 Dec 2017 06:11:47 +0000 (17:11 +1100)]
Replace mkinstalldirs with mkdir -p.
Check for MIKDIR_P and use it instead of mkinstalldirs. Should fix "mkdir:
cannot create directory:... File exists" during "make install".
Patch from eb at emlix.com.
Add monotime_ts and monotime_tv that return monotonic
timespec and timeval respectively. Replace calls to gettimeofday() in packet
timing with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6 at
huawei.com. "I like" markus@
downgrade a couple more request parsing errors from
process-fatal to just returning failure, making them consistent with the
others that were already like that.
reuse parse_multistate for parse_flag (yes/no arguments).
Saves a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@
allow "cd" and "lcd" commands with no explicit path
argument. lcd will change to the local user's home directory as usual. cd
will change to the starting directory for session (because the protocol
offers no way to obtain the remote user's home directory). bz#2760 ok
dtucker@
When doing a config test with sshd -T, only require the
attributes that are actually used in Match criteria rather than (an
incomplete list of) all criteria. ok djm@, man page help jmc@
Darren Tucker [Mon, 30 Oct 2017 23:09:33 +0000 (10:09 +1100)]
Include includes.h for HAVE_GETPAGESIZE.
The configure script checks for getpagesize() and sets HAVE_GETPAGESIZE in
config.h, but bsd-getpagesize.c forgot to include includes.h (which
indirectly includes config.h) so the checks always fails, causing linker
issues when linking statically on systems with getpagesize().
Patch from Peter Korsgaard <peter at korsgaard.com>
Use printenv to test whether an SSH_USER_AUTH is set
instead of using $SSH_USER_AUTH. The latter won't work with csh which treats
unknown variables as an error when expanding them. OK markus@
Damien Miller [Mon, 30 Oct 2017 13:46:29 +0000 (00:46 +1100)]
Switch upstream git repository.
Previously portable OpenSSH has synced against a conversion of OpenBSD's
CVS repository made using the git cvsimport tool, but this has become
increasingly unreliable.
As of this commit, portable OpenSSH now tracks a conversion of the
OpenBSD CVS upstream made using the excellent cvs2gitdump tool from
YASUOKA Masahiko: https://github.com/yasuoka/cvs2gitdump
cvs2gitdump is considerably more reliable than gitcvsimport and the old
version of cvsps that it uses under the hood, and is the same tool used
to export the entire OpenBSD repository to git (so we know it can cope
with future growth).
These new conversions are mirrored at github, so interested parties can
match portable OpenSSH commits to their upstream counterparts.
An unfortunate side effect of switching upstreams is that we must have
a flag day, across which the upstream commit IDs will be inconsistent.
The old commit IDs are recorded with the tags "Upstream-ID" for main
directory commits and "Upstream-Regress-ID" for regress commits.
To make it clear that the commit IDs do not refer to the same
things, the new repository will instead use "OpenBSD-ID" and
"OpenBSD-Regress-ID" tags instead.
Apart from being a longwinded explanation of what is going on, this
commit message also serves to synchronise our tools with the state of
the tree, which happens to be:
djm@openbsd.org [Wed, 25 Oct 2017 00:21:37 +0000 (00:21 +0000)]
upstream commit
transfer ownership of stdout to the session channel by
dup2'ing /dev/null to fd 1. This allows propagation of remote stdout close to
the local side; reported by David Newall, ok markus@
djm@openbsd.org [Wed, 25 Oct 2017 00:19:47 +0000 (00:19 +0000)]
upstream commit
add a "rdomain" criteria for the sshd_config Match
keyword to allow conditional configuration that depends on which rdomain(4) a
connection was recevied on. ok markus@
djm@openbsd.org [Wed, 25 Oct 2017 00:17:08 +0000 (00:17 +0000)]
upstream commit
add sshd_config RDomain keyword to place sshd and the
subsequent user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)
djm@openbsd.org [Mon, 23 Oct 2017 05:08:00 +0000 (05:08 +0000)]
upstream commit
Expose devices allocated for tun/tap forwarding.
At the client, the device may be obtained from a new %T expansion
for LocalCommand.
At the server, the allocated devices will be listed in a
SSH_TUNNEL variable exposed to the environment of any user sessions
started after the tunnel forwarding was established.
Add URI support to ssh, sftp and scp. For example
ssh://user@host or sftp://user@host/path. The connection parameters
described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since
the ssh fingerprint format in the draft uses md5 with no way to specify the
hash function type. OK djm@
projects / thirdparty / openssh-portable.git / log
