djm [Mon, 19 May 2008 22:57:06 +0000 (22:57 +0000)]
- (djm) [configure.ac mux.c sftp.c openbsd-compat/Makefile.in]
[openbsd-compat/fmt_scaled.c openbsd-compat/openbsd-compat.h]
Fix compilation on Linux, including pulling in fmt_scaled(3)
implementation from OpenBSD's libutil.
djm [Mon, 19 May 2008 06:07:45 +0000 (06:07 +0000)]
- pvalchev@cvs.openbsd.org 2008/05/12 20:52:20
[umac.c]
Ensure nh_result lies on a 64-bit boundary (fixes warnings observed
on Itanium on Linux); from Dale Talcott (bug #1462); ok djm@
djm [Mon, 19 May 2008 06:06:47 +0000 (06:06 +0000)]
- markus@cvs.openbsd.org 2008/05/09 16:21:13
[channels.h clientloop.c nchan.c serverloop.c]
unbreak
ssh -2 localhost od /bin/ls | true
ignoring SIGPIPE by adding a new channel message (EOW) that signals
the peer that we're not interested in any data it might send.
fixes bz #85; discussion, debugging and ok djm@
djm [Mon, 19 May 2008 06:05:41 +0000 (06:05 +0000)]
- markus@cvs.openbsd.org 2008/05/09 16:17:51
[channels.c]
error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@
djm [Mon, 19 May 2008 06:04:56 +0000 (06:04 +0000)]
- markus@cvs.openbsd.org 2008/05/09 16:16:06
[session.c]
re-add the USE_PIPES code and enable it.
without pipes shutdown-read from the sshd does not trigger
a SIGPIPE when the forked program does a write.
ok djm@
(Id sync only, USE_PIPES never left portable OpenSSH)
djm [Mon, 19 May 2008 06:00:08 +0000 (06:00 +0000)]
- djm@cvs.openbsd.org 2008/05/09 14:18:44
[clientloop.c clientloop.h ssh.c mux.c]
tidy up session multiplexing code, moving it into its own file and
making the function names more consistent - making ssh.c and
clientloop.c a fair bit more readable.
ok markus@
djm [Mon, 19 May 2008 05:37:09 +0000 (05:37 +0000)]
- djm@cvs.openbsd.org 2008/05/09 04:55:56
[channels.c channels.h clientloop.c serverloop.c]
Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.
djm [Mon, 19 May 2008 05:35:33 +0000 (05:35 +0000)]
- djm@cvs.openbsd.org 2008/05/08 13:06:11
[clientloop.c clientloop.h ssh.c]
Use new channel status confirmation callback system to properly deal
with "important" channel requests that fail, in particular command exec,
shell and subsystem requests. Previously we would optimistically assume
that the requests would always succeed, which could cause hangs if they
did not (e.g. when the server runs out of fds) or were unimplemented by
the server (bz #1384)
Also, properly report failing multiplex channel requests via the mux
client stderr (subject to LogLevel in the mux master) - better than
silently failing.
most bits ok markus@ (as part of a larger diff)
djm [Mon, 19 May 2008 05:34:50 +0000 (05:34 +0000)]
- djm@cvs.openbsd.org 2008/05/08 12:21:16
[monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c]
[sshd_config sshd_config.5]
Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allows multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of than exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
djm [Mon, 19 May 2008 05:05:07 +0000 (05:05 +0000)]
- djm@cvs.openbsd.org 2008/05/08 12:02:23
[auth-options.c auth1.c channels.c channels.h clientloop.c gss-serv.c]
[monitor.c monitor_wrap.c nchan.c servconf.c serverloop.c session.c]
[ssh.c sshd.c]
Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within an channel).
Also includes a abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.
ok markus@ (as part of a larger diff)
djm [Mon, 19 May 2008 04:59:37 +0000 (04:59 +0000)]
- markus@cvs.openbsd.org 2008/05/08 06:59:01
[bufaux.c buffer.h channels.c packet.c packet.h]
avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@
djm [Mon, 19 May 2008 04:57:41 +0000 (04:57 +0000)]
- pyr@cvs.openbsd.org 2008/05/07 05:49:37
[servconf.c servconf.h session.c sshd_config.5]
Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:
``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''
ok djm@, ok and a mild frown markus@
djm [Mon, 19 May 2008 04:53:33 +0000 (04:53 +0000)]
- djm@cvs.openbsd.org 2008/04/18 12:32:11
[sftp-client.c sftp-client.h sftp-server.c sftp.1 sftp.c sftp.h]
introduce sftp extension methods statvfs@openssh.com and
fstatvfs@openssh.com that implement statvfs(2)-like operations,
based on a patch from miklos AT szeredi.hu (bz#1399)
also add a "df" command to the sftp client that uses the
statvfs@openssh.com to produce a df(1)-like display of filesystem
space and inode utilisation
ok markus@
djm [Mon, 19 May 2008 04:50:00 +0000 (04:50 +0000)]
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2008/04/13 00:22:17
[dh.c sshd.c]
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound
is not a power of two
ok deraadt@ millert@
djm [Mon, 19 May 2008 04:27:42 +0000 (04:27 +0000)]
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2008/04/04 05:14:38
[sshd_config.5]
ChrootDirectory is supported in Match blocks (in fact, it is most useful
there). Spotted by Minstrel AT minstrel.org.uk
- markus@cvs.openbsd.org 2008/04/02 15:36:51
[channels.c]
avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@
djm [Thu, 27 Mar 2008 00:26:56 +0000 (00:26 +0000)]
- djm@cvs.openbsd.org 2008/03/24 21:46:54
[regress/sftp-badcmds.sh]
disable no-replace rename test now that we prefer a POSIX rename; spotted
by dkrause@
djm [Thu, 27 Mar 2008 00:02:02 +0000 (00:02 +0000)]
- djm@cvs.openbsd.org 2008/03/25 11:58:02
[session.c sshd_config.5]
ignore ~/.ssh/rc if a sshd_config ForceCommand is specified;
from dtucker@ ok deraadt@ djm@
djm [Thu, 27 Mar 2008 00:01:15 +0000 (00:01 +0000)]
- deraadt@cvs.openbsd.org 2008/03/24 16:11:07
[monitor_fdpass.c]
msg_controllen has to be CMSG_SPACE so that the kernel can account for
each cmsg_len (ie. msg_controllen = sum of CMSG_ALIGN(cmsg_len). This
works now that kernel fd passing has been fixed to accept a bit of
sloppiness because of this ABI repair.
lots of discussion with kettenis
djm [Wed, 26 Mar 2008 23:59:57 +0000 (23:59 +0000)]
- djm@cvs.openbsd.org 2008/03/23 12:54:01
[sftp-client.c]
prefer POSIX-style file renaming over filexfer rename behaviour if the
server supports the posix-rename@openssh.com extension.
Note that the old (filexfer) behaviour would refuse to clobber an
existing file. Users who depended on this should adjust their sftp(1)
usage.
ok deraadt@ markus@
djm [Wed, 26 Mar 2008 23:54:44 +0000 (23:54 +0000)]
- deraadt@cvs.openbsd.org 2008/03/15 16:19:02
[monitor_fdpass.c]
Repair the simple cases for msg_controllen where it should just be
CMSG_SIZE(sizeof(int)), not sizeof(buffer) which may be larger because
of alignment; ok kettenis hshoexer
djm [Wed, 26 Mar 2008 23:53:23 +0000 (23:53 +0000)]
- deraadt@cvs.openbsd.org 2008/03/13 01:49:53
[monitor_fdpass.c]
Correct CMSG_SPACE and CMSG_LEN usage everywhere in the tree. Due to
an extensive discussion with otto, kettenis, millert, and hshoexer
djm [Wed, 26 Mar 2008 23:50:21 +0000 (23:50 +0000)]
- jmc@cvs.openbsd.org 2008/02/11 07:58:28
[ssh.1 sshd.8 sshd_config.5]
bump Mdocdate for pages committed in "febuary", necessary because
of a typo in rcs.c;
dtucker [Wed, 26 Mar 2008 20:27:20 +0000 (20:27 +0000)]
- (dtucker) Cache selinux status earlier so we know if it's enabled after a
chroot. Allows ChrootDirectory to work with selinux support compiled in
but not enabled. Using it with selinux enabled will require some selinux
support inside the chroot. "looks sane" djm@
djm [Fri, 14 Mar 2008 22:25:54 +0000 (22:25 +0000)]
- (djm) [regress/test-exec.sh] Quote putty-related variables in case they are
empty; report and patch from Peter Stuge
- (djm) [regress/test-exec.sh] Silence noise from detection of putty
commands; report from Peter Stuge
tim [Fri, 14 Mar 2008 17:39:17 +0000 (17:39 +0000)]
- (tim) [regress/sftp-cmds.sh] s/cd/lcd/ in lls test. Reported by
vinschen at redhat.com. Add () to put echo commands in subshell for lls test
I mistakenly left out of last commit.
djm [Wed, 12 Mar 2008 13:17:00 +0000 (13:17 +0000)]
- djm@cvs.openbsd.org 2007/12/21 04:13:53
[regress/Makefile regress/test-exec.sh regress/putty-ciphers.sh]
[regress/putty-kex.sh regress/putty-transfer.sh regress/ssh2putty.sh]
basic (crypto, kex and transfer) interop regression tests against putty
To run these, install putty and run "make interop-tests" from the build
directory - the tests aren't run by default yet.
djm [Wed, 12 Mar 2008 12:59:43 +0000 (12:59 +0000)]
- djm@cvs.openbsd.org 2007/12/12 05:04:03
[regress/sftp-cmds.sh]
unbreak lls command and add a regress test that would have caught the
breakage; spotted by mouring@
NB. sftp code change already committed.
djm [Wed, 12 Mar 2008 12:58:55 +0000 (12:58 +0000)]
- jmc@cvs.openbsd.org 2007/11/25 15:35:09
[regress/agent-getpeereid.sh regress/agent.sh]
more existant -> existent, from Martynas Venckus;
pfctl changes: ok henning
ssh changes: ok deraadt
dtucker [Tue, 11 Mar 2008 11:58:25 +0000 (11:58 +0000)]
- (dtucker) [auth-pam.c monitor.c session.c sshd.c] Bug #926: Move
pam_open_session and pam_close_session into the privsep monitor, which
will ensure that pam_session_close is called as root. Patch from Tomas
Mraz.
dtucker [Sun, 9 Mar 2008 11:50:50 +0000 (11:50 +0000)]
- (dtucker) [configure.ac] Run stack-protector tests with -Werror to catch
platforms where gcc understands the option but it's not supported (and
thus generates a warning).
dtucker [Sun, 9 Mar 2008 06:10:09 +0000 (06:10 +0000)]
- (dtucker) [openbsd-compat/regress/strtonumtest.c] Bug #1347: Use platform's
equivalent of LLONG_MAX for the compat regression tests, which makes them
run on AIX and HP-UX. Patch from David Leonard.
dtucker [Sun, 9 Mar 2008 05:36:55 +0000 (05:36 +0000)]
- (dtucker) [openbsd-compat/port-aix.{c,h}] Remove AIX specific initgroups
implementation. It's not needed to fix bug #1081 and breaks the build
on some AIX configurations.
dtucker [Sun, 9 Mar 2008 00:34:23 +0000 (00:34 +0000)]
- (dtucker) [configure.ac] It turns out gcc's -fstack-protector-all doesn't
always work for all platforms and versions, so test what we can and
add a configure flag to turn it of if needed. ok djm@
djm [Fri, 7 Mar 2008 07:35:26 +0000 (07:35 +0000)]
- deraadt@cvs.openbsd.org 2008/03/02 18:19:35
[monitor_fdpass.c]
use a union to ensure alignment of the cmsg (pay attention: various other
parts of the tree need this treatment too); ok djm
djm [Fri, 7 Mar 2008 07:33:53 +0000 (07:33 +0000)]
- djm@cvs.openbsd.org 2008/02/27 20:21:15
[sftp-server.c]
add an extension method "posix-rename@openssh.com" to perform POSIX atomic
rename() operations. based on patch from miklos AT szeredi.hu in bz#1400;
ok dtucker@ markus@
djm [Fri, 7 Mar 2008 07:33:30 +0000 (07:33 +0000)]
- dtucker@cvs.openbsd.org 2008/02/22 20:44:02
[clientloop.c packet.c packet.h serverloop.c]
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@
djm [Fri, 7 Mar 2008 07:33:12 +0000 (07:33 +0000)]
- djm@cvs.openbsd.org 2008/02/22 05:58:56
[session.c]
closefrom() call was too early, delay it until just before we execute
the user's rc files (if any).
djm [Fri, 7 Mar 2008 07:31:47 +0000 (07:31 +0000)]
- mbalmer@cvs.openbsd.org 2008/02/14 13:10:31
[sshd.c]
When started in configuration test mode (-t) do not check that sshd is
being started with an absolute path.
ok djm
djm [Fri, 7 Mar 2008 07:27:58 +0000 (07:27 +0000)]
- jmc@cvs.openbsd.org 2008/02/11 07:58:28
[ssh.1 sshd.8 sshd_config.5]
bump Mdocdate for pages committed in "febuary", necessary because
of a typo in rcs.c;
dtucker [Fri, 29 Feb 2008 02:57:47 +0000 (02:57 +0000)]
- (dtucker) [openbsd-compat/bsd-poll.c] We don't check for select(2) in
configure (and there's not much point, as openssh won't work without it)
so HAVE_SELECT is not defined and the poll(2) compat code doesn't get
built in. Remove HAVE_SELECT so we can build on platforms without poll.
dtucker [Thu, 28 Feb 2008 12:16:04 +0000 (12:16 +0000)]
- (dtucker) [configure.ac openbsd-compat/port-aix.{c,h}] Bug #1081: Implement
getgrouplist via getgrset on AIX, rather than iterating over getgrent.
This allows, eg, Match and AllowGroups directives to work with NIS and
LDAP groups.
dtucker [Thu, 28 Feb 2008 08:13:52 +0000 (08:13 +0000)]
- (dtucker) [includes.h ssh-add.c ssh-agent.c ssh-keygen.c ssh.c sshd.c
openbsd-compat/openssl-compat.{c,h}] Bug #1437 Move the OpenSSL compat
header to after OpenSSL headers, since some versions of OpenSSL have
SSLeay_add_all_algorithms as a macro already.
dtucker [Mon, 25 Feb 2008 10:05:04 +0000 (10:05 +0000)]
- (dtucker) [configure.ac audit-bsm.c] Bug #1420: Add a local implementation
of aug_get_machine for systems that don't have their own (eg OS X, FreeBSD). Help and testing from csjp at FreeBSD org, vgiffin at apple com. ok djm@
dtucker [Mon, 25 Feb 2008 09:21:20 +0000 (09:21 +0000)]
- (dtucker) [openbsd-compat/fake-rfc2553.h] rename ssh_gai_strerror hack
since it now conflicts with the helper function in misc.c. From
vinschen AT redhat.com.
dtucker [Mon, 25 Feb 2008 09:18:31 +0000 (09:18 +0000)]
20080224
- (tim) [contrib/cygwin/ssh-host-config]
Grammar changes on SYSCONFDIR LOCALSTATEDIR messages.
Check more thoroughly that it's possible to create the /var/empty directory.
Patch by vinschen AT redhat.com
tim [Sat, 23 Feb 2008 22:47:37 +0000 (22:47 +0000)]
[contrib/cygwin/ssh-host-config]
Grammar changes on SYSCONFDIR LOCALSTATEDIR messages.
Check more thoroughly that it's possible to create the /var/empty directory.
Patch by vinschen AT redhat.com
djm [Sun, 10 Feb 2008 11:48:55 +0000 (11:48 +0000)]
- djm@cvs.openbsd.org 2008/02/10 10:54:29
[servconf.c session.c]
delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)