CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/05/21 22:20:00 Modified files: regress/usr.bin/ssh: rekey.sh Log message: this test has been broken since 2014, and has been testing the same key exchange algorithm repeatedly instead of testing all of them. Spotted by nreilly AT blackberry.com in bz3692 Who broke the test? me.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/05/16 22:42:13 Modified files: usr.bin/ssh: auth2-gss.c Log message: g/c unused variable
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/05/16 19:45:22 Modified files: regress/usr.bin/ssh: test-exec.sh Log message: allow overriding the sshd-session binary path
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/05/16 19:17:40 Modified files: usr.bin/ssh: servconf.c Log message: fix incorrect debug option name introduced in previous commit
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/05/16 18:30:24 Modified files: usr.bin/ssh: Makefile Makefile.inc auth-rhosts.c auth.c auth.h auth2-gss.c auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c auth2-pubkey.c auth2.c channels.c kex.c kex.h kexgexs.c misc.c misc.h monitor.c monitor.h monitor_wrap.c monitor_wrap.h msg.c packet.c packet.h pathnames.h servconf.c servconf.h serverloop.c session.c ssh_api.c sshd.c usr.bin/ssh/sshd: Makefile Added files: usr.bin/ssh: sshd-session.c usr.bin/ssh/sshd-session: Makefile Log message: Start the process of splitting sshd into separate binaries. This step splits sshd into a listener and a session binary. More splits are planned. After this change, the listener binary will validate the configuration, load the hostkeys, listen on port 22 and manage MaxStartups only. All session handling will be performed by a new sshd-session binary that the listener fork+execs. This reduces the listener process to the minimum necessary and sets us up for future work on the sshd-session binary. feedback/ok markus@ deraadt@ NB. if you're updating via source, please restart sshd after installing, otherwise you run the risk of locking yourself out.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/05/16 18:22:02 src/usr.bin/ssh/sshd-session Update of /cvs/src/usr.bin/ssh/sshd-session In directory cvs.openbsd.org:/tmp/cvs-serv70148/sshd-session Log Message: Directory /cvs/src/usr.bin/ssh/sshd-session added to the repository
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/05/09 03:46:47 Modified files: usr.bin/ssh: clientloop.c Log message: simplify exit message handling, which was more complicated than it needed to be because of unexpunged ssh1 remnants. ok markus@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/05/07 17:40:53 Modified files: lib/libc/asr : getrrsetbyname_async.c Log message: avoid memcpy(malloc(0), ..., 0), which is not portable. ok florian@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/04/30 00:23:51 Modified files: usr.bin/ssh: sftp-server.c Log message: fix home-directory extension implementation, it always returned the current user's home directory contrary to the spec. Patch from Jakub Jelen via GHPR477
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/04/30 00:16:55 Modified files: usr.bin/ssh: sftp.c Log message: flush stdout after writing "sftp>" prompt when not using editline. From Alpine Linux via GHPR480
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/04/29 23:53:03 Modified files: usr.bin/ssh: ssh-keysign.c Log message: stricter validation of messaging socket fd number; disallow usage of stderr. Based on GHPR492 by RealHurrison
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/04/29 23:45:56 Modified files: usr.bin/ssh: PROTOCOL.agent Log message: add missing reserved fields to key constraint protocol documentation. from Wiktor Kwapisiewicz via GHPR487
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/04/29 20:14:10 Modified files: usr.bin/ssh: clientloop.c serverloop.c Log message: correctly restore sigprocmask around ppoll() reported by Tõivo Leedjärv; ok deraadt@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/04/29 20:10:49 Modified files: usr.bin/ssh: clientloop.c sshconnect.c sshconnect.h Log message: add explicit check for server hostkey type against HostkeyAlgorithms. Allows HostkeyAlgorithms to disable implicit fallback from certificate keys to plain keys. ok markus@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/03/29 23:56:22 Modified files: usr.bin/ssh: PROTOCOL.key Log message: in OpenSSH private key format, correct type for subsequent private keys in blob. From Jakub Jelen via GHPR430
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/03/29 22:27:44 Modified files: usr.bin/ssh: readpass.c Log message: allow WAYLAND_DISPLAY to enable SSH_ASKPASS From dkg via GHPR479; ok dtucker@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/03/25 13:28:09 Modified files: regress/usr.bin/ssh/unittests/kex: test_kex.c Log message: optional debugging
CVS: cvs.openbsd.org: www
CVSROOT:/cvs Module name:www Changes by: d...@cvs.openbsd.org2024/03/23 12:46:47 Modified files: . : 75.html Log message: add openssh bits
CVS: cvs.openbsd.org: www
CVSROOT:/cvs Module name:www Changes by: d...@cvs.openbsd.org2024/03/11 04:39:58 Modified files: build : Makefile build/mirrors : openssh-ftp.html.head openssh: ftp.html index.html openbsd.html releasenotes.html openssh/txt: release-9.7 Log message: openssh-9.7
CVS: cvs.openbsd.org: www
CVSROOT:/cvs Module name:www Changes by: d...@cvs.openbsd.org2024/03/11 04:36:58 Added files: openssh/txt: release-9.7 Log message: release notes for OpenSSH 9.7
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/03/10 22:59:47 Modified files: usr.bin/ssh: version.h Log message: openssh-9.7
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/03/08 22:12:13 Modified files: usr.bin/ssh: ssh-agent.c Log message: avoid logging in signal handler by converting mainloop to ppoll() bz3670, reported by Ben Hamilton; ok dtucker@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/03/08 15:16:32 Modified files: usr.bin/ssh: sshsig.c Log message: skip more whitespace, fixes find-principals on allowed_signers files with blank lines; reported by Wiktor Kwapisiewicz
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/03/05 19:59:59 Modified files: usr.bin/ssh: channels.c Log message: fix memory leak in mux proxy mode when requesting forwarding. found by RASU JSC, reported by Maks Mishin in GHPR#467
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/03/05 17:31:04 Modified files: usr.bin/ssh: ssh-agent.c Log message: wrap a few PKCS#11-specific bits in ENABLE_PKCS11
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/03/03 21:13:18 Modified files: usr.bin/ssh: readconf.c Log message: fix leak of CanonicalizePermittedCNAMEs on error path; spotted by Coverity (CID 438039)
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/03/03 19:16:11 Modified files: usr.bin/ssh: misc.c misc.h readconf.c readconf.h servconf.c Log message: Separate parsing of string array options from applying them to the active configuration. This fixes the config parser from erroneously rejecting cases like: AuthenticationMethods password Match User ivy AuthenticationMethods any bz3657 ok markus@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/02/20 23:17:29 Modified files: usr.bin/ssh: sshd_config.5 Log message: explain arguments of internal-sftp GHPR#454 from Niklas Hambüchen
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/02/20 23:06:43 Modified files: usr.bin/ssh: sshd_config.5 Log message: clarify permissions requirements for ChrootDirectory Part of GHPR#454 from Niklas Hambüchen
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/02/20 23:05:06 Modified files: usr.bin/ssh: sshd_config.5 Log message: .Cm for a keyword. Part of GHPR#454 from Niklas Hambüchen
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/02/20 23:01:13 Modified files: usr.bin/ssh: ssh_config.5 Log message: fix typo in match directive predicate (s/tagged/tag) GHPR#462 from Tobias Manske
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/02/20 22:57:34 Modified files: usr.bin/ssh: clientloop.c Log message: fix proxy multiplexing mode, broken when keystroke timing obfuscation was added. GHPR#463 from montag451
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/02/19 21:10:03 Modified files: usr.bin/ssh: servconf.c Log message: don't append a gratuitous space to the end of subsystem arguments; bz3667
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/02/01 17:13:34 Modified files: usr.bin/ssh: kex.h Log message: whitespace
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/01/31 19:37:34 Modified files: usr.bin/ssh: gss-genr.c nchan.c session.c sftp.c sshbuf-getput-crypto.c Log message: whitespace
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/01/10 21:50:28 Modified files: regress/usr.bin/ssh: Makefile Log message: don't disable RSA test when DSA is disabled; bug introduced in last commit
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/01/10 18:51:16 Modified files: usr.bin/ssh: ssh-keysign.c Log message: ensure key_fd is filled when DSA is disabled; spotted by tb@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/01/10 18:45:59 Modified files: regress/usr.bin/ssh: Makefile regress/usr.bin/ssh/unittests: Makefile.inc regress/usr.bin/ssh/unittests/hostkeys: test_iterate.c regress/usr.bin/ssh/unittests/kex: test_kex.c regress/usr.bin/ssh/unittests/sshkey: test_file.c test_fuzz.c test_sshkey.c regress/usr.bin/ssh/unittests/sshsig: tests.c Log message: make DSA testing optional, defaulting to on ok markus
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/01/10 18:45:36 Modified files: usr.bin/ssh: Makefile.inc readconf.c readconf.h ssh-add.c ssh-dss.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c sshconnect.c sshkey.c Log message: make DSA key support compile-time optional, defaulting to on ok markus@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/01/09 15:19:36 Modified files: regress/usr.bin/ssh: channel-timeout.sh Log message: extend ChannelTimeout regression test to exercise multiplexed connections and the new "global" timeout type. ok dtucker@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/01/09 15:19:00 Modified files: usr.bin/ssh: channels.c ssh_config.5 sshd_config.5 Log message: add a "global" ChannelTimeout type to ssh(1) and sshd(8) that watches all open channels and will close all open channels if there is no traffic on any of them for the specified interval. This is in addition to the existing per-channel timeouts added a few releases ago. This supports use-cases like having a session + x11 forwarding channel open where one may be idle for an extended period but the other is actively used. The global timeout would allow closing both channels when both have been idle for too long. ok dtucker@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/01/09 14:39:14 Modified files: usr.bin/ssh: ssh_api.c Log message: adapt ssh_api.c code for kex-strict from markus@ ok me
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/01/07 22:11:18 Modified files: usr.bin/ssh: PROTOCOL.mux Log message: Remove outdated note from PROTOCOL.mux Port forward close by control master is already implemented by `mux_master_process_close_fwd` in `mux.c` GHPR442 from bigb4ng
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/01/07 22:05:15 Modified files: usr.bin/ssh: PROTOCOL Log message: fix missing field in users-groups-by...@openssh.com reply documentation GHPR441 from TJ Saunders
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/01/07 21:10:03 Modified files: usr.bin/ssh: PROTOCOL Log message: make kex-strict section more explicit about its intent: banning all messages not strictly required in KEX
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/01/07 17:34:34 Modified files: usr.bin/ssh: kex.c sshconnect2.c sshd.c Log message: remove ext-info-* in the kex.c code, not in callers; with/ok markus@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2024/01/07 17:30:39 Modified files: usr.bin/ssh: ssh-add.c Log message: fix typo; spotted by Albert Chin
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/12/18 23:41:14 Modified files: usr.bin/ssh: PROTOCOL Log message: correct section numbers; from Ed Maste
CVS: cvs.openbsd.org: www
CVSROOT:/cvs Module name:www Changes by: d...@cvs.openbsd.org2023/12/18 15:30:48 Modified files: openssh: index.html Log message: fix link target
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/12/18 08:58:56 Modified files: usr.bin/ssh: ssh-agent.c Log message: match flag type (s/int/u_int)
CVS: cvs.openbsd.org: www
CVSROOT:/cvs Module name:www Changes by: d...@cvs.openbsd.org2023/12/18 08:32:20 Modified files: openssh: releasenotes.html Log message: typo
CVS: cvs.openbsd.org: www
CVSROOT:/cvs Module name:www Changes by: d...@cvs.openbsd.org2023/12/18 08:32:02 Modified files: openssh/txt: release-9.6 Log message: typo
CVS: cvs.openbsd.org: www
CVSROOT:/cvs Module name:www Changes by: d...@cvs.openbsd.org2023/12/18 08:07:18 Modified files: build : Makefile build/mirrors : openssh-ftp.html.head openssh: ftp.html index.html openbsd.html releasenotes.html security.html openssh/txt: release-9.6 Log message: openssh-9.6
CVS: cvs.openbsd.org: www
CVSROOT:/cvs Module name:www Changes by: d...@cvs.openbsd.org2023/12/18 08:04:58 Added files: openssh/txt: release-9.6 Log message: openssh-9.6 release notes
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/12/18 07:50:08 Modified files: regress/usr.bin/ssh: Makefile Added files: regress/usr.bin/ssh: agent-pkcs11-cert.sh Log message: regress test for agent PKCS#11-backed certificates
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/12/18 07:49:39 Modified files: regress/usr.bin/ssh: Makefile Added files: regress/usr.bin/ssh: agent-pkcs11-restrict.sh Log message: regress test for constrained PKCS#11 keys
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/12/18 07:48:44 Modified files: usr.bin/ssh: version.h Log message: openssh-9.6
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/12/18 07:48:09 Modified files: usr.bin/ssh: ssh-agent.c Log message: ssh-agent: record failed session-bind attempts Record failed attempts to session-bind a connection and refuse signing operations on that connection henceforth. Prevents a future situation where we add a new hostkey type that is not recognised by an older ssh-agent, that consequently causes session-bind to fail (this situation is only likely to arise when people mix ssh(1) and ssh-agent(1) of different versions on the same host). Previously, after such a failure the agent socket would be considered unbound and not subject to restriction. Spotted by Jann Horn
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/12/18 07:47:44 Modified files: usr.bin/ssh: ssh.c Log message: ban user/hostnames with most shell metacharacters This makes ssh(1) refuse user or host names provided on the commandline that contain most shell metacharacters. Some programs that invoke ssh(1) using untrusted data do not filter metacharacters in arguments they supply. This could create interactions with user-specified ProxyCommand and other directives that allow shell injection attacks to occur. It's a mistake to invoke ssh(1) with arbitrary untrusted arguments, but getting this stuff right can be tricky, so this should prevent most obvious ways of creating risky situations. It however is not and cannot be perfect: ssh(1) has no practical way of interpreting what shell quoting rules are in use and how they interact with the user's specified ProxyCommand. To allow configurations that use strange user or hostnames to continue to work, this strictness is applied only to names coming from the commandline. Names specified using User or Hostname directives in ssh_config(5) are not affected. feedback/ok millert@ markus@ dtucker@ deraadt@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/12/18 07:47:20 Modified files: usr.bin/ssh: channels.c channels.h Log message: stricter handling of channel window limits This makes ssh/sshd more strict in handling non-compliant peers that send more data than the advertised channel window allows. Previously the additional data would be silently discarded. This change will cause ssh/sshd to terminate the connection if the channel window is exceeded by more than a small grace allowance. ok markus@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/12/18 07:46:56 Modified files: usr.bin/ssh: PROTOCOL.agent authfd.c authfd.h ssh-add.1 ssh-add.c ssh-agent.c ssh-pkcs11-client.c ssh-pkcs11.h Log message: Make it possible to load certs from PKCS#11 tokens Adds a protocol extension to allow grafting certificates supplied by ssh-add to keys loaded from PKCS#11 tokens in the agent. feedback/ok markus@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/12/18 07:46:12 Modified files: usr.bin/ssh: ssh-agent.c Log message: apply destination constraints to all p11 keys Previously applied only to the first key returned from each token. ok markus@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/12/18 07:45:49 Modified files: usr.bin/ssh: PROTOCOL auth2.c kex.c kex.h monitor_wrap.c sshconnect2.c sshd.c Log message: add "ext-info-in-a...@openssh.com" extension This adds another transport protocol extension to allow a sshd to send SSH2_MSG_EXT_INFO during user authentication, after the server has learned the username that is being logged in to. This lets sshd update the acceptable signature algorithms for public key authentication, and allows these to be varied via sshd_config(5) "Match" directives, which are evaluated after the server learns the username being authenticated. Full details in the PROTOCOL file
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/12/18 07:45:17 Modified files: usr.bin/ssh: PROTOCOL kex.c kex.h packet.c packet.h sshconnect2.c Log message: implement "strict key exchange" in ssh and sshd This adds a protocol extension to improve the integrity of the SSH transport protocol, particularly in and around the initial key exchange (KEX) phase. Full details of the extension are in the PROTOCOL file. with markus@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/12/12 20:28:19 Modified files: usr.bin/ssh: sshconnect2.c Log message: when invoking KnownHostsCommand to determine the order of host key algorithms to request, ensure that the hostname passed to the command is decorated with the port number for ports other than 22. This matches the behaviour of KnownHostsCommand when invoked to look up the actual host key. bz3643, ok dtucker@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/12/06 14:06:48 Modified files: usr.bin/ssh: log.c Log message: short circuit debug log processing early if we're not going to log anything. From Kobe Housen
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/11/19 19:50:00 Modified files: usr.bin/ssh: sshconnect.c Log message: set errno=EAFNOSUPPORT when filtering addresses that don't match AddressFamily; yields slightly better error message if no address matches. bz#3526
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/11/15 16:03:38 Modified files: usr.bin/ssh: sshconnect.c Log message: when connecting via socket (the default case), filter addresses by AddressFamily if one was specified. Fixes the case where, if CanonicalizeHostname is enabled, ssh may ignore AddressFamily. bz5326; ok dtucker
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/11/15 15:51:49 Modified files: usr.bin/ssh: channels.c channels.h clientloop.c Log message: when deciding whether to enable keystroke timing obfuscation, only consider enabling it when a channel with a tty is open. Avoids turning on the obfuscation when X11 forwarding only is in use, which slows it right down. Reported by Roger Marsh
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/10/11 21:51:08 Modified files: regress/usr.bin/ssh: sshsig.sh Log message: typos and extra debug trace calls
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/10/11 21:48:54 Modified files: regress/usr.bin/ssh: test-exec.sh Log message: ensure logs are owned by correct user; feedback/ok dtucker@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/10/11 21:36:32 Modified files: usr.bin/ssh: misc.c Log message: 64 %-expansion keys ought to be enough for anybody; ok dtucker (we just hit the previous limit in some cases)
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/10/11 20:48:44 Modified files: usr.bin/ssh: ssh.c Log message: don't dereference NULL pointer when hashing jumphost
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/10/11 20:18:18 Modified files: usr.bin/ssh: readconf.c readconf.h ssh.c ssh_config.5 sshconnect.h Log message: add %j token that expands to the configured ProxyJump hostname (or the empty string if this option is not being used). bz3610, ok dtucker
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/10/11 20:15:53 Modified files: usr.bin/ssh: sshconnect2.c Log message: release GSS OIDs only at end of authentication; bz2982, ok dtucker@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/10/11 20:12:53 Modified files: usr.bin/ssh: clientloop.c Log message: mask SIGINT/TERM/QUIT/HUP before checking quit_pending and use ppoll() to unmask them in the mainloop. Avoids race condition between signaling ssh to exit and polling. bz3531; ok dtucker
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/10/11 17:23:58 Modified files: usr.bin/ssh: ssh.c Log message: sync usage() with ssh.1; spotted by kn@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/10/11 17:14:33 Modified files: usr.bin/ssh: ssh.1 Log message: ssh -Q does not make sense with other command-line options, so give it its own line in the manpage
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/10/11 16:42:26 Modified files: usr.bin/ssh: clientloop.c misc.c misc.h readconf.c readconf.h servconf.c ssh.c ssh_config.5 Log message: add ChannelTimeout support to the client, mirroring the same option in the server. ok markus@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/10/11 16:41:05 Modified files: usr.bin/ssh: sshkey.c Log message: add support for reading ED25519 private keys in PEM PKCS8 format; ok markus@ tb@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/10/11 00:40:54 Modified files: usr.bin/ssh: ssh_config.5 Log message: mention "none" is a valid argument to IdentityFile; bz3080
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/10/10 23:42:08 Modified files: usr.bin/ssh: scp.c Log message: in olde rcp/scp protocol mode, when rejecting a path from the server as not matching the glob that the client sent, log (at debug level) the received pathname as well as the list of possible expected paths expanded from the glob. bz2966
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/10/10 22:46:30 Modified files: usr.bin/ssh: kex.c Log message: s/%.100s/%s/ in SSH- banner construction as there's no reason to limit its size: the version string being included is a compile time constant going into an allocated banner string.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/10/09 21:57:45 Modified files: usr.bin/ssh: ssh2.h Log message: Reserve a range of "local extension" message numbers that OpenSSH promises not to use (comment change only)
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/10/05 21:32:15 Modified files: regress/usr.bin/ssh: agent-pkcs11.sh Log message: typo in error message
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/10/05 21:25:14 Modified files: regress/usr.bin/ssh: agent-pkcs11.sh Log message: Perform the softhsm2 setup as discrete steps rather than as a long shell pipeline. Makes it easier to figure out what has happened when it breaks.
CVS: cvs.openbsd.org: www
CVSROOT:/cvs Module name:www Changes by: d...@cvs.openbsd.org2023/10/05 16:18:32 Modified files: openssh/txt: release-9.5 openssh: releasenotes.html Log message: typo; from Alexander H
CVS: cvs.openbsd.org: www
CVSROOT:/cvs Module name:www Changes by: d...@cvs.openbsd.org2023/10/04 04:10:00 Modified files: build : Makefile build/mirrors : openssh-ftp.html.head openssh: ftp.html index.html openbsd.html releasenotes.html openssh/txt: release-9.5 Log message: openssh-9.5
CVS: cvs.openbsd.org: www
CVSROOT:/cvs Module name:www Changes by: d...@cvs.openbsd.org2023/10/04 03:58:23 Added files: openssh/txt: release-9.5 Log message: openssh-9.5
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/10/03 22:04:09 Modified files: usr.bin/ssh: version.h Log message: openssh-9.5
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/10/03 22:03:50 Modified files: usr.bin/ssh: ssh_config.5 Log message: add some cautionary text about % token expansion and shell metacharacters; based on report from vinci AT protonmail.ch
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/10/03 17:56:10 Modified files: usr.bin/ssh: PROTOCOL.agent Log message: fix link to agent draft; spotted by Jann Horn
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/09/10 17:12:33 Modified files: usr.bin/ssh: scp.c sftp-glob.c sftp.c Log message: rename remote_glob() -> sftp_glob() to match other API
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/09/09 21:51:55 Modified files: usr.bin/ssh: clientloop.c Log message: typo in comment
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/09/09 21:25:53 Modified files: usr.bin/ssh: clientloop.c Log message: randomise keystroke obfuscation intervals and average interval rate. ok dtucker@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/09/08 00:34:24 Modified files: usr.bin/ssh: servconf.c Log message: fix sizeof(*ptr) instead of sizeof(ptr) in realloc (pointer here is char**, so harmless); spotted in CID 416964
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/09/08 00:10:57 Modified files: regress/usr.bin/ssh: scp3.sh Log message: regress test recursive remote-remote directory copies where the directory contains a symlink to another directory. also remove errant `set -x` that snuck in at some point
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/09/08 00:10:02 Modified files: usr.bin/ssh: sftp-client.c Log message: fix recursive remote-remote copies of directories that contain symlinks to other directories (similar to bz3611)
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/09/07 23:56:13 Modified files: usr.bin/ssh: scp.c sftp-client.c sftp-client.h sftp-glob.c sftp-usergroup.c sftp.c Log message: the sftp code was one of my first contributions to OpenSSH and it shows - the function names are terrible. Rename do_blah() to sftp_blah() to make them less so. Completely mechanical except for sftp_stat() and sftp_lstat() which change from returning a pointer to a static variable (error-prone) to taking a pointer to a caller-provided receiver.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org2023/09/07 23:50:57 Modified files: regress/usr.bin/ssh: scp.sh Log message: regress test for recursive copies of directories containing symlinks to other directories. bz3611, ok dtucker@