- djm@cvs.openbsd.org 2007/08/23 03:22:16
[auth2-none.c sshd_config sshd_config.5]
Support "Banner=none" to disable displaying of the pre-login banner;
ok dtucker@ deraadt@
- djm@cvs.openbsd.org 2007/08/23 02:49:43
[auth-passwd.c auth.c session.c]
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
NB. RCS ID sync only for portable
dtucker [Thu, 16 Aug 2007 23:42:32 +0000 (23:42 +0000)]
- (dtucker) [sshd.8] Many Linux variants use a single "!" to denote locked
accounts and that's what the code looks for, so make man page and code
agree. Pointed out by Roumen Petrov.
dtucker [Wed, 15 Aug 2007 09:13:41 +0000 (09:13 +0000)]
- markus@cvs.openbsd.org 2007/08/15 08:14:46
[clientloop.c]
do NOT fall back to the trused x11 cookie if generation of an untrusted
cookie fails; from security-alert at sun.com; ok dtucker
dtucker [Mon, 13 Aug 2007 13:11:56 +0000 (13:11 +0000)]
- (dtucker) [session.c] Bug #1339: ensure that pam_setcred() is always
called with PAM_ESTABLISH_CRED at least once, which resolves a problem
with pam_dhkeys. Patch from David Leonard, ok djm@
djm [Wed, 8 Aug 2007 04:32:41 +0000 (04:32 +0000)]
- djm@cvs.openbsd.org 2007/08/07 07:32:53
[clientloop.c clientloop.h ssh.c]
bz#1232: ensure that any specified LocalCommand is executed after the
tunnel device is opened. Also, make failures to open a tunnel device
fatal when ExitOnForwardFailure is active.
Reported by h.goebel AT goebel-consult.de; ok dtucker markus reyk deraadt
djm [Wed, 8 Aug 2007 04:29:58 +0000 (04:29 +0000)]
- sobrado@cvs.openbsd.org 2007/08/06 19:16:06
[scp.1 scp.c]
the ellipsis is not an optional argument; while here, sync the usage
and synopsis of commands
lots of good ideas by jmc@
ok jmc@
dtucker [Mon, 25 Jun 2007 12:15:12 +0000 (12:15 +0000)]
- (dtucker) [atomicio.c configure.ac openbsd-compat/Makefile.in
openbsd-compat/bsd-poll.{c,h} openbsd-compat/openbsd-compat.h]
Add an implementation of poll() built on top of select(2). Code from
OpenNTPD with changes suggested by djm. ok djm@
dtucker [Mon, 25 Jun 2007 09:04:46 +0000 (09:04 +0000)]
- dtucker@cvs.openbsd.org 2007/06/25 08:20:03
[channels.c]
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@
dtucker [Mon, 25 Jun 2007 09:04:12 +0000 (09:04 +0000)]
- djm@cvs.openbsd.org 2007/06/19 02:04:43
[atomicio.c]
if the fd passed to atomicio/atomiciov() is non blocking, then poll() to
avoid a spin if it is not yet ready for reading/writing; ok dtucker@
dtucker [Mon, 25 Jun 2007 08:59:17 +0000 (08:59 +0000)]
- djm@cvs.openbsd.org 2007/06/14 22:48:05
[ssh.c]
when waiting for the multiplex exit status, read until the master end
writes an entire int of data *and* closes the client_fd; fixes mux
regression spotted by dtucker, ok dtucker@
dtucker [Thu, 14 Jun 2007 13:47:31 +0000 (13:47 +0000)]
- (dtucker) [openbsd-compat/openssl-compat.h] Remove redundant definition
of USE_BUILTIN_RIJNDAEL since the <0.9.6 test is covered by the
subsequent <0.9.7 test.
dtucker [Thu, 14 Jun 2007 13:21:32 +0000 (13:21 +0000)]
- (dtucker) [cipher-ctr.c umac.c openbsd-compat/openssl-compat.h] Move the
USE_BUILTIN_RIJNDAEL compat goop to openssl-compat.h so it can be
shared with umac.c. Allows building with OpenSSL 0.9.5 again including
umac support. With tim@ djm@, ok djm.
dtucker [Tue, 12 Jun 2007 14:02:07 +0000 (14:02 +0000)]
- dtucker@cvs.openbsd.org 2007/06/12 13:54:28
[scp.c]
Encode filename with strnvis if the name contains a newline (which can't
be represented in the scp protocol), from bz #891. ok markus@
dtucker [Tue, 12 Jun 2007 13:44:36 +0000 (13:44 +0000)]
- dtucker@cvs.openbsd.org 2007/06/12 11:56:15
[gss-genr.c]
Pass GSS OID to gss_display_status to provide better information in
error messages. Patch from Simon Wilkinson via bz 1220. ok djm@
dtucker [Tue, 12 Jun 2007 13:43:16 +0000 (13:43 +0000)]
- djm@cvs.openbsd.org 2007/06/12 11:15:17
[ssh.c ssh.1]
Add "-K" flag for ssh to set GSSAPIAuthentication=yes and
GSSAPIDelegateCredentials=yes. This is symmetric with -k (disable GSSAPI)
and is useful for hosts with /home on Kerberised NFS; bz #1312
patch from Markus.Kuhn AT cl.cam.ac.uk; ok dtucker@ markus@
dtucker [Tue, 12 Jun 2007 13:41:33 +0000 (13:41 +0000)]
- djm@cvs.openbsd.org 2007/06/12 11:11:08
[ssh.c]
fix slave exit value when a control master goes away without passing the
full exit status by ensuring that the slave reads a full int. bz#1261
reported by frekko AT gmail.com; ok markus@ dtucker@
dtucker [Tue, 12 Jun 2007 13:41:06 +0000 (13:41 +0000)]
- djm@cvs.openbsd.org 2007/06/12 08:24:20
[scp.c]
make scp try to skip FIFOs rather than blocking when nothing is listening.
depends on the platform supporting sane O_NONBLOCK semantics for open
on FIFOs (apparently POSIX does not mandate this), which OpenBSD does.
bz #856; report by cjwatson AT debian.org; ok markus@
dtucker [Tue, 12 Jun 2007 13:40:39 +0000 (13:40 +0000)]
- djm@cvs.openbsd.org 2007/06/12 08:20:00
[ssh-gss.h gss-serv.c gss-genr.c]
relocate server-only GSSAPI code from libssh to server; bz #1225
patch from simon AT sxw.org.uk; ok markus@ dtucker@
dtucker [Tue, 12 Jun 2007 13:39:52 +0000 (13:39 +0000)]
- djm@cvs.openbsd.org 2007/06/12 07:41:00
[ssh-add.1]
better document ssh-add's -d option (delete identies from agent), bz#1224
new text based on some provided by andrewmc-debian AT celt.dias.ie;
ok dtucker@
djm [Mon, 11 Jun 2007 08:33:15 +0000 (08:33 +0000)]
- markus@cvs.openbsd.org 2007/06/11 08:04:44
[channels.c]
send 'window adjust' messages every tree packets and do not wait
until 50% of the window is consumed. ok djm dtucker
dtucker [Mon, 11 Jun 2007 04:44:02 +0000 (04:44 +0000)]
- (dtucker) [includes.h] Bug #1243: HAVE_PATHS -> HAVE_PATHS_H. Should
prevent warnings about redefinitions of various things in paths.h.
Spotted by cartmanltd at hotmail.com.
dtucker [Mon, 11 Jun 2007 04:34:53 +0000 (04:34 +0000)]
- (dtucker) [openbsd-compat/bsd-misc.c] According to the spec the "remainder"
argument to nanosleep may be NULL. Currently this never happens in OpenSSH,
but check anyway in case this changes or the code gets used elsewhere.
djm [Mon, 11 Jun 2007 04:07:12 +0000 (04:07 +0000)]
- jmc@cvs.openbsd.org 2007/06/08 07:48:09
[sshd_config.5]
oops, here too: put the MAC list into a display, like we do for
ciphers, since groff has trouble with wide lines;
djm [Mon, 11 Jun 2007 04:06:32 +0000 (04:06 +0000)]
- jmc@cvs.openbsd.org 2007/06/08 07:43:46
[ssh_config.5]
put the MAC list into a display, like we do for ciphers,
since groff has trouble handling wide lines;
djm [Mon, 11 Jun 2007 04:04:42 +0000 (04:04 +0000)]
- pvalchev@cvs.openbsd.org 2007/06/08 04:40:40
[ssh_config]
Add a "MACs" line after "Ciphers" with the default MAC algorithms,
to ease people who want to tweak both (eg. for performance reasons).
ok deraadt@ djm@ dtucker@
djm [Mon, 11 Jun 2007 04:01:42 +0000 (04:01 +0000)]
- pvalchev@cvs.openbsd.org 2007/06/07 19:37:34
[kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1]
[ssh_config.5 sshd.8 sshd_config.5]
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet,
must specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on
one of its underlying hash algorithms is found to be vulnerable to a
new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
dtucker [Tue, 5 Jun 2007 08:30:18 +0000 (08:30 +0000)]
- djm@cvs.openbsd.org 2007/06/05 06:52:37
[kex.c monitor_wrap.c packet.c mac.h kex.h mac.c]
Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)
dtucker [Tue, 5 Jun 2007 08:27:13 +0000 (08:27 +0000)]
- jmc@cvs.openbsd.org 2007/05/31 19:20:16
[scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1
ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8]
convert to new .Dd format;
(We will need to teach mdoc2man.awk to understand this too.)
dtucker [Sun, 20 May 2007 05:10:16 +0000 (05:10 +0000)]
- djm@cvs.openbsd.org 2007/05/17 20:52:13
[monitor.c]
pass received SIGINT from monitor to postauth child so it can clean
up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com;
ok markus@
dtucker [Sun, 20 May 2007 05:09:42 +0000 (05:09 +0000)]
- djm@cvs.openbsd.org 2007/05/17 20:48:13
[sshconnect2.c]
fall back to gethostname() when the outgoing connection is not
on a socket, such as is the case when ProxyCommand is used.
Gives hostbased auth an opportunity to work; bz#616, report
and feedback stuart AT kaloram.com; ok markus@
dtucker [Sun, 20 May 2007 05:09:04 +0000 (05:09 +0000)]
- djm@cvs.openbsd.org 2007/05/17 07:55:29
[sftp-server.c]
bz#1286 stop reading and processing commands when input or output buffer
is nearly full, otherwise sftp-server would happily try to grow the
input/output buffers past the maximum supported by the buffer API and
promptly fatal()
based on patch from Thue Janus Kristensen; feedback & ok dtucker@
dtucker [Sun, 20 May 2007 04:59:32 +0000 (04:59 +0000)]
- stevesk@cvs.openbsd.org 2007/04/18 01:12:43
[sftp-server.c]
cast "%llu" format spec to (unsigned long long); do not assume a
u_int64_t arg is the same as 'unsigned long long'.
from Dmitry V. Levin <ldv@altlinux.org>
ok markus@ 'Yes, that looks correct' millert@
- (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Bug #1299: Use the
platform's _res if it has one. Should fix problem of DNSSEC record lookups
on NetBSD as reported by Curt Sampson.