forked from openssh/openssh-portable
[pull] master from openssh:master #1
Open: pull wants to merge 878 commits into devcode1981:master from openssh:master
spacing; OpenBSD-Commit-ID: 0a9fb10bc9f7d577afe2da3f498a08bc431115b9
ok djm OpenBSD-Commit-ID: 1e89572397dda83433d58c4fa6333a08f51170d4
OpenBSD-Commit-ID: 581f60f73099083392887206860229ab104620ed
OpenBSD-Commit-ID: b317930e06b51819c1a2bc6a4359764fecfb1c2d
message payloads, not just the message header OpenBSD-Commit-ID: 24dbd400aa381ac96be7ed2dd49018487dfef6ce
being enabled and document the default values for each parameter. OpenBSD-Commit-ID: b981288bddfb097aad269f62df4081c688ce0034
OpenBSD-Commit-ID: 72e2c5b69f151c08a7c5bf5ad929b97a92c273df
OpenBSD-Commit-ID: af4f5d01c41ef870b23e55655bfbf73474a6c02b
OpenBSD-Commit-ID: 8dc2fd21eebd8830c4a4d25461ac4fe228e11156
message sending, not just receiving OpenBSD-Commit-ID: f7341605bf08c4c15830910446e6775323f2f8cb
here OpenBSD-Regress-ID: 96fec579af228f87a036e94801eb294af9074625
send, not just message receive OpenBSD-Commit-ID: 02a093f4ab4f8f83f0cd1ea2bb35b9ca420448f0
OpenBSD-Commit-ID: 54151ecdecfa1b67dcdda4fd24826ef6e2148ad4
used one shared table and overflow policy for IPv4 and IPv6 addresses, now it will use separate tables and optionally different overflow policies. This prevents misbehaviour from IPv6 addresses (which are vastly easier to obtain many of) from affecting IPv4 connections and may allow for stricter overflow policies. ok deraadt@ OpenBSD-Commit-ID: 12637ed0aa4d5f1f3e702da42ea967cbd8bfdfd9
sshd-session attempting to use options.kerberos_authentication to decide whether it needed to lookup the privsep user before the configuration was loaded. This caused it to get a placeholder value that caused it always to try to lookup the privsep user, breaking at least one test environment.
Cygwin doesn't support FD passing and so used to disable post-auth privilege separation entirely because privsep requires PTY allocation to happen in the privileged monitor process with the PTY file descriptors being passed back to the unprivileged process. This brings back a minimal version of the previous special treatment for Cygwin (and any other platform that sets DISABLE_FD_PASSING): privilege separation remains enabled, but PTY allocation happens in the post-auth user process rather than the monitor. This either requires PTY allocation to not need privilege to begin with (this appears to be the case on Cygwin), or the post-auth privsep process retain privilege (other platforms that set the DISABLE_FD_PASSING option). Keeping privileges here is bad, but the non-Cygwin systems that set DISABLE_FD_PASSING are so deeply legacy that this is likely to be the least of their problems.
We plan to check in automatically generated files (config.h.in, etc) on release branches. These files are normally ignored by .gitignore, but this shuffles the contents of this file to make it easy to un-ignore them.
sshd would implicitly use argv[0] as the PAM service name to allow people to select different PAM service names by making differently-named copies/links to the sshd binary. Splitting sshd into sshd/sshd-session broke this, as the process that starts PAM is always sshd-session and the user has no control over this. Hardcode "sshd" as the default PAM service name unless/until we figure out a better way. Should unbreak OSX integration tests.
multiple attempts simultaneously and confuse the test OpenBSD-Regress-ID: 6e910f3315c4345053db1bf5cbf61826b194d0b9
OpenBSD-Commit-ID: d65a99666202a8188c4991c18d14374a229f7be5
so they are useful as comments without extra shell redirection and so they don't clutter actual errors on stderr. Add a -q flag to shut them up. ok dtucker@ OpenBSD-Commit-ID: bec813de56a71adb5c1a76adcf49621130d24264
OpenBSD-Regress-ID: 8878b8eb4e070ed2e343166d3eb86db4a08a216c
Allows selecting which PAM service name to use when UsePAM is enabled. Defaults to "sshd" unless overridden at compile time by defining SSHD_PAM_SERVICE. bz2102, ok dtucker@
enforcement but not penalty expiry, the other tests penalty expiry. This lets us disable the expiry testing in certain CI test environments. OpenBSD-Regress-ID: f56811064f3e3cb52ee73a206b8c2a06af1c8791
OpenBSD-Commit-ID: ba28d0e1ac609a4c99c453e57e86560c79079db1
bz3701 from Colin Watson. OpenBSD-Commit-ID: e698e69bea19bd52971d253f2b1094490c4701f7
It got broken by the sshd-auth change, it's not obvious why, and the platform lacks the debugging tools (eg gdb, strace) to figure it out. The upstream project seems effectively dead (6 years since the last commit, 10 since the last release). It was useful while it lasted (we found a real bug because of it) but its time seems to have passed.
exchange OpenBSD-Commit-ID: 5a3259a193fd42108a869ebf650b95b5f2d08dcf
jsg@ feedback/ok deraadt@ OpenBSD-Commit-ID: 26d81a430811672bc762687166986cad40d28cc0
OpenBSD-Commit-ID: 13511fdef7535bdbc35b644c90090013da43a318
to getgrouplist(3) Our kernel supports 16 groups (NGROUPS_MAX), but nothing prevents an admin from adding a user to more groups. With that tweak we'll keep on ignoring them instead of potentially reading past the buffer passed to getgrouplist(3). That behavior is explicitly described in initgroups(3). ok millert@ gilles@ OpenBSD-Commit-ID: a959fc45ea3431b36f52eda04faefc58bcde00db
FIDO application IDs for security key-backed keys, to prevent web key handles from being used remotely as this would likely lead to unpleasant surprises. By default, only application IDs that start with "ssh:*" are allowed. This adds a -Owebsafe-allow=... argument that can override the default list with a more or less restrictive one. The default remains unchanged. ok markus@ OpenBSD-Commit-ID: 957c1ed92a8d7c87453b9341f70cb3f4e6b23e8d
This will allow tests to specify an alternative sshd, eg on a remote machine with different endianness.
Where our test target is a bigendian system, do an additional build on the runner host (which is little endian) and test interop between the two. Should hopefully catch obvious endianness bugs.
Move the flags used by the OpenWRT distro to mipsel target and enable OpenSSL on all targets to improve coverage. Explicitly disable security key and openssl on mips target so that host end of the bigendian interop tests don't attempt them and fail (since they're not enabled on the target side).
It doesn't currently work. It's not clear why, but I suspect sk-dummy.so ends up being built for the wrong architecture.
accidentally changed in last commit OpenBSD-Commit-ID: 6d07e4606997e36b860621a14dd41975f2902f8f
signature algorithm based on the requested hash algorithm ("-Ohashalg=xxx"). This allows using something other than rsa-sha2-512, which may not be supported on all signing backends, e.g. some smartcards only support SHA256. Patch from Morten Linderud; ok markus@ OpenBSD-Commit-ID: 246353fac24e92629263996558c6788348363ad7
hostkeys-prove requests. Fixes a corner-case triggered by UpdateHostKeys with one or more unknown host keys stored in ssh-agent where sshd refuses to accept the signature coming back from the agent. Report/fix from Maxime Rey OpenBSD-Commit-ID: 460c7d527a24f92b7e5f68ca1a2fa242ebf0d086
by ssh-agent. Patch from Maxime Rey. OpenBSD-Regress-ID: 1777ab6e639e57c0e20cbcb6df60455b49fd8bb3
OpenBSD-Commit-ID: 74d0c0b74994d9a4343c4d7ea4948cb34f609a6c
verification as well as PIN. Prompted by Zack Newman, ok jmc@ OpenBSD-Commit-ID: b774a4438c9be70012661ee278450790d21277b8
OpenBSD-Commit-ID: e3420f3925a297a1b2ab7dfe7c7d274cfc8e1193
dump, which used to work but broke in 9.8 OpenBSD-Commit-ID: c79936242d29c70d01941b28d2d07fd0b85fe46f
I noticed the square brackets in `destination [command [argument...]` in the synopsis for the `ssh.1` manpage were not balanced, this balances them. Signed-off-by: Arnout Engelen <[email protected]>
Add a Makefile target for sk-libfido2, the standalone fido2 security key shared library, suitable for use with the SecurityKeyProvider option. Add a new configure option `--with-security-key-standalone` that optionally sets the shared library target sk-libfido2$(SHLIBEXT), and adds it to $(TARGETS). misc.h is required when SK_STANDALONE is defined, because of the use of `monotime_tv` in `sk_select_by_touch`. Sets the shared library extension for sk-libfido2 by setting `SHLIBEXT` depending on the platform in configure.ac. Add the shared library to the CI builds in the `sk` target config to make sure it can compile under the same conditions as `--with-security-key-builtin`. Add a libssh-pic.a static library that compiles with `-fPIC` reusing .c.lo method in sk-dummy.so for use in the shared library sk-libfido2. Note, a separate static library libssh-pic.a is needed, since defining -DSK_STANDALONE excludes some symbols needed in sshkey.lo.
OpenBSD-Commit-ID: 311d271bf0fab8a119e84f4f696d8cd40731692f
See Commits and Changes for more details.
Created by pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )