- dtucker@cvs.openbsd.org 2006/07/21 12:43:36
[channels.c channels.h servconf.c servconf.h sshd_config.5]
Make PermitOpen take a list of permitted ports and act more like most
other keywords (ie the first match is the effective setting). This
also makes it easier to override a previously set PermitOpen. ok djm@
- dtucker@cvs.openbsd.org 2006/07/19 13:07:10
[servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5]
Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config.
Feedback & ok djm@, man page corrections & ok jmc@
- dtucker@cvs.openbsd.org 2006/07/19 08:56:41
[servconf.c sshd_config.5]
Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@
- dtucker@cvs.openbsd.org 2006/07/17 12:06:00
[channels.c channels.h servconf.c sshd_config.5]
Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port
forwarding only to specific host/port pairs. Useful when combined
with Match.
If permitopen is used in both sshd_config and a key option, both
must allow a given connection before it will be permitted.
Note that users can still use external forwarders such as netcat,
so those must be controlled too for the limits to be effective.
Feedback & ok djm@, man page corrections & ok jmc@.
- dtucker@cvs.openbsd.org 2006/07/12 11:34:58
[sshd.c servconf.h servconf.c sshd_config.5 auth.c]
Add support for conditional directives to sshd_config via a "Match"
keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg
    AllowTcpForwarding yes
    Match User anoncvs
        AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
- markus@cvs.openbsd.org 2006/07/11 18:50:48
[clientloop.c ssh.1 ssh.c channels.c ssh_config.5 readconf.h session.c
channels.h readconf.c]
add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc
- dtucker@cvs.openbsd.org 2006/07/11 10:12:07
[ssh.c]
Only copy the part of environment variable that we actually use. Prevents
ssh bailing when SendEnv is used and an environment variable with a really
long value exists. ok djm@
- stevesk@cvs.openbsd.org 2006/07/10 16:01:57
[sftp-glob.c sftp-common.h sftp.c]
buffer.h only needed in sftp-common.h and remove some unneeded
user includes; ok djm@
- (dtucker) [configure.ac defines.h] Only define SHUT_RD (and friends) and O_NONBLOCK
if they're really needed. Fixes build errors on HP-UX, old Linuxes and probably
more.
- (dtucker) [configure.ac ssh-keygen.c openbsd-compat/bsd-openpty.c
openbsd-compat/daemon.c] Add includes needed by open(2). Conditionally
include paths.h. Fixes build error on Solaris.
- dtucker@cvs.openbsd.org 2006/07/10 12:46:51
[misc.c misc.h sshd.8 sshconnect.c]
Add port identifier to known_hosts for non-default ports, based originally
on a patch from Devin Nate in bz#910.
For any connection using the default port or using a HostKeyAlias the
format is unchanged, otherwise the host name or address is enclosed
within square brackets in the same format as sshd's ListenAddress.
Tested by many, ok markus@.
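The known_hosts naming rule from the entry above, as an added example (not code from the OpenSSH tree): it builds the lookup name for a host and port and checks it against the names field of a plain, unhashed known_hosts line. The function names, buffer size and sample lines are assumptions made for illustration; HostKeyAlias, hashed entries and wildcard patterns are not modelled.

```c
#include <stdio.h>
#include <string.h>

#define SSH_DEFAULT_PORT 22

/* Constructed sample lines; the key blobs are placeholders, not real keys. */
static const char *SAMPLE_DEFAULT = "host.example.org,192.0.2.10 ssh-rsa AAAA...placeholder";
static const char *SAMPLE_ALT = "[host.example.org]:2222,[192.0.2.10]:2222 ssh-rsa AAAA...placeholder";

/* Name under which a host key is stored and looked up: the bare host for
 * the default port (or port 0 = unspecified), "[host]:port" otherwise. */
const char *host_port_name(const char *host, int port, char *buf, size_t len)
{
    if (port <= 0 || port == SSH_DEFAULT_PORT)
        snprintf(buf, len, "%s", host);
    else
        snprintf(buf, len, "[%s]:%d", host, port);
    return buf;
}

/* Return 1 if the comma-separated names field (first field) of a
 * known_hosts line holds an exact entry for this host and port. */
int known_hosts_line_matches(const char *line, const char *host, int port)
{
    char want[300];
    size_t wlen, flen;
    const char *p = line, *end = line + strcspn(line, " \t");

    host_port_name(host, port, want, sizeof(want));
    wlen = strlen(want);
    while (p < end) {
        flen = strcspn(p, ", \t");          /* length of one name */
        if (flen == wlen && strncmp(p, want, wlen) == 0)
            return 1;
        p += flen;
        if (p < end && *p == ',')
            p++;                            /* step over the separator */
    }
    return 0;
}

int main(void)
{
    printf("port 22 key used for 2222: %d\n",
        known_hosts_line_matches(SAMPLE_DEFAULT, "host.example.org", 2222));
    printf("bracketed entry for 2222:  %d\n",
        known_hosts_line_matches(SAMPLE_ALT, "192.0.2.10", 2222));
    return 0;
}
```

A key recorded for the default port no longer satisfies a lookup for the same host on another port, so a second sshd on a non-default port gets its own known_hosts entry.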
- djm@cvs.openbsd.org 2006/07/10 12:03:20
[scp.c]
duplicate argv at the start of main() because it gets modified later;
pointed out by deraadt@ ok markus@
- stevesk@cvs.openbsd.org 2006/07/03 17:59:32
[channels.c includes.h]
move #include <arpa/inet.h> out of includes.h; old ok djm@
(portable needed session.c too)
- stevesk@cvs.openbsd.org 2006/07/02 18:36:47
[gss-serv-krb5.c gss-serv.c]
no "servconf.h" needed here
(gss-serv-krb5.c change not applied, portable needs the server options)
- stevesk@cvs.openbsd.org 2006/07/02 17:12:58
[ssh.1 ssh.c ssh_config.5 sshd_config.5]
more details and clarity for tun(4) device forwarding; ok and help
jmc@
- djm@cvs.openbsd.org 2006/06/26 10:36:15
[clientloop.c]
mention optional bind_address in runtime port forwarding setup
command-line help. patch from santhi.amirta AT gmail.com
- (dtucker) [configure.ac] Try AIX blibpath test in different order when
compiling with gcc. gcc 4.1.x will accept (but ignore) -b flags so
configure would not select the correct libpath linker flags.
dtucker [Sat, 24 Jun 2006 02:10:07 +0000 (02:10 +0000)]
- (dtucker) [configure.ac] Bug #1193: Define PASSWD_NEEDS_USERNAME on Solaris.
Works around limitation in Solaris' passwd program for changing passwords
where the username is longer than 8 characters. ok djm@
dtucker [Fri, 23 Jun 2006 11:24:12 +0000 (11:24 +0000)]
- (dtucker) [channels.c configure.ac serverloop.c] Bug #1102: Around AIX
4.3.3 ML3 or so, the AIX pty layer started passing zero-length writes
on the pty slave as zero-length reads on the pty master, which sshd
interprets as the descriptor closing. Since most things don't do zero
length writes this rarely matters, but occasionally it happens, and when
it does the SSH pty session appears to hang, so we add a special case for
this condition. ok djm@
dtucker [Fri, 23 Jun 2006 11:05:12 +0000 (11:05 +0000)]
- (dtucker) [README.platform configure.ac openbsd-compat/port-tun.c] Add
tunnel support for Mac OS X/Darwin via a third-party tun driver. Patch
from reyk@, tested by anil@
djm [Tue, 13 Jun 2006 03:10:18 +0000 (03:10 +0000)]
- djm@cvs.openbsd.org 2006/06/13 01:18:36
[ssh-agent.c]
always use a format string, even when printing a constant
- djm@cvs.openbsd.org 2006/06/13 02:17:07
[ssh-agent.c]
revert; i am on drugs. spotted by alexander AT beard.se
djm [Tue, 13 Jun 2006 03:01:09 +0000 (03:01 +0000)]
- dtucker@cvs.openbsd.org 2006/05/29 12:56:33
[ssh_config]
Add GSSAPIAuthentication and GSSAPIDelegateCredentials to examples in sample
ssh_config. ok markus@
djm [Tue, 13 Jun 2006 02:59:53 +0000 (02:59 +0000)]
- djm@cvs.openbsd.org 2006/05/08 10:49:48
[sshconnect2.c]
uint32_t -> u_int32_t (which we use everywhere else)
(Id sync only - portable already had this)
dtucker [Sun, 21 May 2006 08:26:40 +0000 (08:26 +0000)]
- (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor
and slave, we can remove the special-case handling in the audit hook in
auth_log.