dtucker [Fri, 8 Jan 2010 05:53:31 +0000 (05:53 +0000)]
- andreas@cvs.openbsd.org 2009/10/24 11:22:37
[roaming_common.c]
Do the actual suspend/resume in the client. This won't be useful until
the server side supports roaming.
Most code from Martin Forssen, maf at appgate dot com. Some changes by
me and markus@
ok markus@
dtucker [Fri, 8 Jan 2010 05:51:40 +0000 (05:51 +0000)]
- andreas@cvs.openbsd.org 2009/10/24 11:15:29
[clientloop.c]
client_loop() must detect if the session has been suspended and resumed,
and take appropriate action in that case.
From Martin Forssen, maf at appgate dot com
ok markus@
dtucker [Fri, 8 Jan 2010 05:50:41 +0000 (05:50 +0000)]
- andreas@cvs.openbsd.org 2009/10/24 11:13:54
[sshconnect2.c kex.h kex.c]
Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@
dtucker [Sun, 20 Dec 2009 23:49:21 +0000 (23:49 +0000)]
- (dtucker) [auth-krb5.c platform.{c,h} openbsd-compat/port-aix.{c,h}]
Bug #1583: Use system's kerberos principal name on AIX if it's available.
Based on a patch from and tested by Miguel Sanders.
djm [Fri, 20 Nov 2009 04:16:35 +0000 (04:16 +0000)]
- (djm) [ssh-rand-helper.c] Print error and usage() when passed command-
line arguments as none are supported. Exit when passed unrecognised
commandline flags. bz#1568 from gson AT araneus.fi
djm [Wed, 18 Nov 2009 06:48:30 +0000 (06:48 +0000)]
- (djm) [channels.c misc.c misc.h sshd.c] add missing setsockopt() to
set IPV6_V6ONLY for local forwarding with GatwayPorts=yes. Unify
setting IPV6_V6ONLY behind a new function misc.c:sock_set_v6only()
report and fix from jan.kratochvil AT redhat.com
dtucker [Sat, 24 Oct 2009 04:04:12 +0000 (04:04 +0000)]
- (dtucker) [session.c openbsd-compat/port-linux.{c,h}] Bug #1637: if selinux
is enabled set the security context to "sftpd_t" before running the
internal sftp server Based on a patch from jchadima at redhat.
dtucker [Sat, 24 Oct 2009 00:47:58 +0000 (00:47 +0000)]
- djm@cvs.openbsd.org 2009/10/23 01:57:11
[sshconnect2.c]
disallow a hostile server from checking jpake auth by sending an
out-of-sequence success message. (doesn't affect code enabled by default)
dtucker [Sat, 24 Oct 2009 00:46:43 +0000 (00:46 +0000)]
- djm@cvs.openbsd.org 2009/10/22 22:26:13
[authfile.c]
switch from 3DES to AES-128 for encryption of passphrase-protected
SSH protocol 2 private keys; ok several
dtucker [Sat, 24 Oct 2009 00:42:44 +0000 (00:42 +0000)]
- sobrado@cvs.openbsd.org 2009/10/22 15:02:12
[ssh-agent.1 ssh-add.1 ssh.1]
write UNIX-domain in a more consistent way; while here, replace a
few remaining ".Tn UNIX" macros with ".Ux" ones.
pointed out by ratchov@, thanks!
ok jmc@
dtucker [Sat, 24 Oct 2009 00:40:32 +0000 (00:40 +0000)]
- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2009/10/11 23:03:15
[hostfile.c]
mention the host name that we are looking for in check_host_in_hostfile()
dtucker [Sun, 11 Oct 2009 10:52:10 +0000 (10:52 +0000)]
- dtucker@cvs.openbsd.org 2009/10/11 10:41:26
[sftp-client.c]
d_type isn't portable so use lstat to get dirent modes. Suggested by and
"looks sane" deraadt@
dtucker [Sun, 11 Oct 2009 10:51:40 +0000 (10:51 +0000)]
- jmc@cvs.openbsd.org 2009/10/08 20:42:12
[sshd_config.5 ssh_config.5 sshd.8 ssh.1]
some tweaks now that protocol 1 is not offered by default; ok markus
dtucker [Sun, 11 Oct 2009 10:51:08 +0000 (10:51 +0000)]
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2009/10/08 14:03:41
[sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5]
disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt
dtucker [Sun, 11 Oct 2009 10:50:20 +0000 (10:50 +0000)]
- (dtucker) [configure.ac sftp-client.c] Remove the gyrations required for
dirent d_type and DTTOIF as we've switched OpenBSD to the more portable
lstat.
dtucker [Tue, 6 Oct 2009 23:46:29 +0000 (23:46 +0000)]
- djm@cvs.openbsd.org 2009/08/20 18:43:07
[ssh-com-sftp.sh]
fix one sftp -D ... => sftp -P ... conversion that I missed; from Carlos
Silva for Google Summer of Code
dtucker [Tue, 6 Oct 2009 23:43:57 +0000 (23:43 +0000)]
- djm@cvs.openbsd.org 2009/08/13 01:11:55
[sftp-batch.sh sftp-badcmds.sh sftp.sh sftp-cmds.sh sftp-glob.sh]
date: 2009/08/13 01:11:19; author: djm; state: Exp; lines: +10 -7
Swizzle options: "-P sftp_server_path" moves to "-D sftp_server_path",
add "-P port" to match scp(1). Fortunately, the -P option is only really
used by our regression scripts.
part of larger patch from carlosvsilvapt@gmail.com for his Google Summer
of Code work; ok deraadt markus
dtucker [Tue, 6 Oct 2009 23:31:56 +0000 (23:31 +0000)]
- djm@cvs.openbsd.org 2009/08/13 00:57:17
[regress/Makefile]
regression test for port number parsing. written as part of the a2port
change that went into 5.2 but I forgot to commit it at the time...
dtucker [Tue, 6 Oct 2009 23:30:57 +0000 (23:30 +0000)]
- dtucker@cvs.openbsd.org 2009/05/05 07:51:36
[regress/multiplex.sh]
Always specify ssh_config for multiplex tests: prevents breakage caused
by options in ~/.ssh/config. From Dan Peterson.
dtucker [Tue, 6 Oct 2009 23:30:06 +0000 (23:30 +0000)]
- djm@cvs.openbsd.org 2008/12/07 22:17:48
[regress/addrmatch.sh]
match string "passwordauthentication" only at start of line, not anywhere
in sshd -T output
dtucker [Tue, 6 Oct 2009 22:02:18 +0000 (22:02 +0000)]
- djm@cvs.openbsd.org 2009/10/06 04:46:40
[session.c]
bz#1596: fflush(NULL) before exec() to ensure that everying (motd
in particular) has made it out before the streams go away.
dtucker [Tue, 6 Oct 2009 22:01:03 +0000 (22:01 +0000)]
- djm@cvs.openbsd.org 2009/09/01 14:43:17
[ssh-agent.c]
fix a race condition in ssh-agent that could result in a wedged or
spinning agent: don't read off the end of the allocated fd_sets, and
don't issue blocking read/write on agent sockets - just fall back to
select() on retriable read/write errors. bz#1633 reported and tested
by "noodle10000 AT googlemail.com"; ok dtucker@ markus@
dtucker [Tue, 6 Oct 2009 21:47:02 +0000 (21:47 +0000)]
- djm@cvs.openbsd.org 2009/08/27 17:44:52
[authfd.c ssh-add.c authfd.h]
Do not fall back to adding keys without contraints (ssh-add -c / -t ...)
when the agent refuses the constrained add request. This was a useful
migration measure back in 2002 when constraints were new, but just
adds risk now.
bz #1612, report and patch from dkg AT fifthhorseman.net; ok markus@
dtucker [Tue, 6 Oct 2009 21:46:21 +0000 (21:46 +0000)]
- djm@cvs.openbsd.org 2009/08/27 17:43:00
[sftp-server.8]
allow setting an explicit umask on the commandline to override whatever
default the user has. bz#1229; ok dtucker@ deraadt@ markus@
dtucker [Tue, 6 Oct 2009 21:45:48 +0000 (21:45 +0000)]
- djm@cvs.openbsd.org 2009/08/27 17:33:49
[ssh-keygen.c]
force use of correct hash function for random-art signature display
as it was inheriting the wrong one when bubblebabble signatures were
activated; bz#1611 report and patch from fwojcik+openssh AT besh.com;
ok markus@
dtucker [Tue, 6 Oct 2009 21:44:42 +0000 (21:44 +0000)]
- djm@cvs.openbsd.org 2009/08/27 17:28:52
[sftp-server.c]
allow setting an explicit umask on the commandline to override whatever
default the user has. bz#1229; ok dtucker@ deraadt@ markus@
dtucker [Tue, 6 Oct 2009 21:37:48 +0000 (21:37 +0000)]
- djm@cvs.openbsd.org 2009/08/18 18:36:21
[sftp-client.h sftp.1 sftp-client.c sftp.c]
recursive transfer support for get/put and on the commandline
work mostly by carlosvsilvapt@gmail.com for the Google Summer of Code
with some tweaks by me; "go for it" deraadt@
dtucker [Tue, 6 Oct 2009 21:24:19 +0000 (21:24 +0000)]
- djm@cvs.openbsd.org 2009/08/14 18:17:49
[sftp-client.c]
make the "get_handle: ..." error messages vaguely useful by allowing
callers to specify their own error message strings.
dtucker [Tue, 6 Oct 2009 21:23:06 +0000 (21:23 +0000)]
- djm@cvs.openbsd.org 2009/08/13 01:11:19
[sftp.1 sftp.c]
Swizzle options: "-P sftp_server_path" moves to "-D sftp_server_path",
add "-P port" to match scp(1). Fortunately, the -P option is only really
used by our regression scripts.
part of larger patch from carlosvsilvapt@gmail.com for his Google Summer
of Code work; ok deraadt markus
dtucker [Tue, 6 Oct 2009 21:21:48 +0000 (21:21 +0000)]
- djm@cvs.openbsd.org 2009/08/12 00:13:00
[sftp.c sftp.1]
support most of scp(1)'s commandline arguments in sftp(1), as a first
step towards making sftp(1) a drop-in replacement for scp(1).
One conflicting option (-P) has not been changed, pending further
discussion.
Patch from carlosvsilvapt@gmail.com as part of his work in the
Google Summer of Code
- (dtucker) [configure.ac] Change the -lresolv check so it works on Mac OS X
10.6 (which doesn't have BIND8_COMPAT and thus uses res_9_query). Patch
from jbasney at ncsa uiuc edu.
- (dtucker) [configure.ac] Bug #1639: use AC_PATH_PROG to search the path for
krb5-config if it's not in the location specified by --with-kerberos5.
Patch from jchadima at redhat.
dtucker [Fri, 28 Aug 2009 01:21:06 +0000 (01:21 +0000)]
- (dtucker) [clientloop.c configure.ac defines.h] Make the client's IO buffer
size a compile-time option and set it to 64k on Cygwin, since Corinna
reports that it makes a significant difference to performance. ok djm@
dtucker [Fri, 28 Aug 2009 01:02:37 +0000 (01:02 +0000)]
- (dtucker) [channels.c configure.ac] Bug #1528: skip the tcgetattr call on
the pty master on Solaris, since it never succeeds and can hang if large
amounts of data is sent to the slave (eg a copy-paste). Based on a patch
originally from Doke Scott, ok djm@
djm [Fri, 28 Aug 2009 00:40:30 +0000 (00:40 +0000)]
- (djm) [sshd_config.5] downgrade mention of login.conf to be an example
and mention PAM as another provider for ChallengeResponseAuthentication;
bz#1408; ok dtucker@
dtucker [Thu, 20 Aug 2009 06:20:50 +0000 (06:20 +0000)]
- (dtucker) [session.c openbsd-compat/port-aix.h] Bugs #1249 and #1567: move
the setpcred call on AIX to immediately before the permanently_set_uid().
Ensures that we still have privileges when we call chroot and
pam_open_sesson. Based on a patch from David Leonard.
dtucker [Thu, 20 Aug 2009 06:16:01 +0000 (06:16 +0000)]
- (dtucker) [includes.h] Bug #1634: do not include system glob.h if we're not
using it since the type conflicts can cause problems on FreeBSD. Patch
from Jonathan Chen.
dtucker [Sun, 16 Aug 2009 23:35:22 +0000 (23:35 +0000)]
- (dtucker) [configure.ac] Check for headers before libraries for openssl an
zlib, which should make the errors slightly more meaningful on platforms
where there's separate "-devel" packages for those.
- (dtucker) [openbsd-compat/getrrsetbyname.c] Reduce answer buffer size so it
fits into 16 bits to work around a bug in glibc's resolver where it masks
off the buffer size at 16 bits. Patch from Hauke Lampe, ok djm jakob.
- dtucker@cvs.openbsd.org 2009/07/02 02:11:47
[ssh.c]
allow for long home dir paths (bz #1615). ok deraadt
(based in part on a patch from jchadima at redhat)
- andreas@cvs.openbsd.org 2009/06/27 09:35:06
[readconf.h readconf.c]
Add client option UseRoaming. It doesn't do anything yet but will
control whether the client tries to use roaming if enabled on the
server. From Martin Forssen.
ok markus@
- andreas@cvs.openbsd.org 2009/06/27 09:32:43
[roaming_common.c roaming.h]
It may be necessary to retransmit some data when resuming, so add it
to a buffer when roaming is enabled.
Most of this code was written by Martin Forssen, maf at appgate dot com.
ok markus@
- andreas@cvs.openbsd.org 2009/06/27 09:29:06
[packet.h packet.c]
packet_bacup_state() and packet_restore_state() will be used to
temporarily save the current state ren resuming a suspended connection.
ok markus@
dtucker [Mon, 22 Jun 2009 06:11:06 +0000 (06:11 +0000)]
- dtucker@cvs.openbsd.org 2009/06/22 05:39:28
[monitor_wrap.c monitor_mm.c ssh-keygen.c auth2.c gss-genr.c sftp-client.c]
alphabetize includes; reduces diff vs portable and style(9).
ok stevesk djm
(Id sync only; these were already in order in -portable)
dtucker [Sun, 21 Jun 2009 09:08:48 +0000 (09:08 +0000)]
- dtucker@cvs.openbsd.org 2009/06/21 09:04:03
[roaming.h roaming_common.c roaming_dummy.c]
Add tags for the benefit of the sync scripts
Also: pull in the changes for 1.1->1.2 missed in the previous sync.
dtucker [Sun, 21 Jun 2009 09:00:20 +0000 (09:00 +0000)]
- dtucker@cvs.openbsd.org 2009/06/21 07:37:15
[kexdhs.c kexgexs.c]
abort if key_sign fails, preventing possible null deref. Based on report
from Paolo Ganci, ok markus@ djm@