19 openssh-7.5
21 Upstream-ID: b8b9a4a949427c393cd868215e1724ceb3467ee5
35 on Cygwin, check paths from server for backslashes
43 Yet another synonym for ASCII: "646"
45 Used by NetBSD; this unbreaks mprintf() and friends there for the C
55 path limit for Unix domain sockets. As a bandaid for bz#2660,
67 Upstream-ID: 3668852d1f145050e62f1da08917de34cb0c5234
73 Include includes.h for compat bits.
85 Adapt Cygwin config script to privsep knob removal
97 Upstream-ID: b7a9dbd71011ffde95e06f6945fe7197dedd1604
105 fix regression in 7.4: deletion of PKCS#11-hosted keys
109 Upstream-ID: 5b5bc20ca11cacb5d5eb29c3f93fd18425552268
118 only happen when protocol v.1 support is enabled for the client). Reported by
121 Upstream-ID: 8fdaec2ba4b5f65db1d094f6714ce64b25d871d7
136 Upstream-ID: b4c52666256c4dd865f8ce9431af5d6ce2d74a0a
142 Make seccomp-bpf sandbox work on Linux/X32
145 this is required for at least some kernel versions. bz#2142
158 Remove macro trickery; no binary change
164 No binary change in stripped object file before/after.
170 support ioctls for ICA crypto card on Linux/s390
186 Add unit test for convtime().
188 Upstream-Regress-ID: 8717bc0ca4c21120f6dd3a1d3b7a363f707c31e1
198 Upstream-Regress-ID: fe15beaea8f5063c7f21b0660c722648e3d76431
209 Upstream-ID: 51f14c507ea87a3022e63f574100613ab2ba5708
217 Check for integer overflow when parsing times in
220 Upstream-ID: 35e6a4e98f6fa24df50bfb8ba1307cf70e966f13
232 Fix weakness in seccomp-bpf sandbox arg inspection
234 Syscall arguments are passed via an array of 64-bit values in struct
236 even those correctly for BE systems.
239 socketcall filtering so using this for sandbox escape seems
250 regress tests for loading certificates without public keys;
253 Upstream-Regress-ID: 0145d19328ed995b73fe2d9da33596b17429d0d0
262 key file but no corresponding plain *.pub public key. bz#2617 based on patch
265 Upstream-ID: 295668dca2c39505281577217583ddd2bd4b00b9
274 many bytes to discard for the work around for the attacks against CBC-mode.
277 Upstream-ID: f445f509a4e0a7ba3b9c0dae7311cb42458dc1e2
287 Upstream-ID: fc5e695d5d107d730182e2da7b23f00b489e0ee1
296 … date: 2017/03/11 23:37:23; author: djm; state: Exp; lines: +14 -1; commitid: jnFKyHkB3CEiEZ2R;
299 ----------------------------
301 date: 2013/11/29 19:00:51; author: deraadt; state: Exp; lines: +6 -5;
302 fairly simple unsigned char casts for ctype
304 ----------------------------
306 date: 2012/11/12 14:07:20; author: halex; state: Exp; lines: +4 -2;
311 ----------------------------
313 date: 2009/06/20 15:00:04; author: martynas; state: Exp; lines: +4 -4;
314 use llabs instead of the home-grown version; and some comment changes
316 ----------------------------
326 keys when any of the ssh-rsa-sha2-* methods was enabled in HostkeyAlgorithms
327 but ssh-rsa (SHA1 signatures) was not. bz#2650 reported by Luis Ressel; ok
330 Upstream-ID: c5e8cfee15c42f4a05d126158a0766ea06da79d2
341 Upstream-ID: e467622ff154269e36ba8b6c9e3d105e1c4a9253
351 Upstream-ID: 4ef509a66b96c7314bbcc87027c2af71fa9d0ba4
359 better match sshd config parser behaviour: fatal() if
363 Upstream-ID: b175ae7e0ba403833f1ee566edf10f67443ccd18
371 ensure hostname is lower-case before hashing it;
374 Upstream-ID: c3b8b93804f376bd00d859b8bcd9fc0d86b4db17
385 Upstream-ID: e632b7a9bf0d0558d5ff56dab98b7cca6c3db549
393 Remove old null check from config dumper. Patch from
396 Upstream-ID: 824ab71467b78c4bab0dd1b3a38e8bc5f63dd528
404 fix regression in 7.4 server-sig-algs, where we were
408 Upstream-ID: 81ac8bfb30960447740b9b8f6a214dcf322f12e8
416 Check for NULL return value from key_new. Patch from
419 Upstream-ID: 059e33cd43cba88dc8caf0b1936fd4dd88fd5b8e
429 Upstream-ID: b4b48b4487c0821d16e812c40c9b09f03b28e349
437 Check for NULL argument to sshkey_read. Patch from
440 Upstream-ID: c2d00c2ea50c4861d271d0a586f925cc64a87e0e
451 Upstream-ID: 3fb030149598957a51b7c8beb32bf92cf30c96f2
462 Upstream-ID: 8016a7ae97719d3aa55fb723fc2ad3200058340d
473 Upstream-ID: 248acb99a5ed2fdca37d1aa33c0fcee7be286d88
484 Upstream-ID: 468e357ff143e00acc05bdd2803a696b3d4b6442
495 Upstream-ID: cdfdc4ba90639af807397ce996153c88af046ca4
506 Upstream-ID: dbe5494dfddfe523fab341a3dab5a79e7338f878
512 Check for NULL from malloc.
520 If OSX is using launchd, remove screen no.
522 Check for socket with and without screen number. From Apple and Jakob
535 Upstream-ID: 65cdd161460e1351c3d778e974c1c2a4fa4bc182
543 Check l->hosts before dereferencing; fixes potential null
546 Upstream-ID: 81c0327c6ec361da794b5c680601195cc23d1301
557 Upstream-ID: 9dc582d9bb887ebe0164e030d619fc20b1a4ea08
565 fix ssh-keygen -H accidentally corrupting known_hosts that
566 contained already-hashed entries. HKF_MATCH_HOST_HASHED is only set by
567 hostkeys_foreach() when hostname matching is in use, so we need to look for
570 Upstream-ID: da82ad653b93e8a753580d3cf5cd448bc2520528
581 Upstream-ID: 10e3dadbb8199845b66581473711642d9e6741c4
591 Upstream-ID: 83d93366a5acf47047298c5d3ebc5e7426f37921
601 Upstream-ID: 9c538433d6a0ca79f5f21decc5620e46fb68ab57
609 add test cases for C locale; ok schwarze@
611 Upstream-Regress-ID: 783d75de35fbc923d46e2a5e6cee30f8f381ba87
619 Add a common nl_langinfo(CODESET) alias for US-ASCII
620 "ANSI_X3.4-1968" that is used by Linux. Fixes mprintf output truncation for
621 non-UTF-8 locales on Linux spotted by dtucker@; ok deraadt@ schwarze@
623 Upstream-ID: c6808956ebffd64066f9075d839f74ff0dd60719
634 Upstream-Regress-ID: 8066b753d9dce7cf02ff87af5c727ff680d99491
645 Upstream-ID: 068b5c41357a02f319957746fa4e84ea73960f57
656 Upstream-ID: cea93a26433d235bb1d64b1d990f19a9c160a70f
664 For ProxyJump/-J, surround host name with brackets to
667 Upstream-ID: 3a5d3b0171250daf6a5235e91bce09c1d5746bf1
679 Upstream-ID: c7f96ac0877f6dc9188bbc908100a8d246cc7f0e
691 Upstream-ID: 6fb6c2ae6b289aa07b6232dbc0be54682ef5419f
700 for the benefit of OpenSSL versions prior to that.
708 bring back r1.34 that was backed out for problems loading
715 bz#2525 bz#2523 re-ok dtucker@
717 Upstream-ID: a9d5bc0306f4473d9b4f4484f880e95f3c1cc031
726 but preserve valid UTF-8 when the locale supports it; bz#2520 ok dtucker@
728 Upstream-ID: e8eed28712ba7b22d49be534237eed019875bd1e
738 Upstream-ID: 06beef7344da0208efa9275d504d60d2a5b9266c
746 Restore \r\n newline sequence for server ident string. The CR
749 Upstream-ID: 5333fd43ce5396bf5999496096fac5536e678fac
757 unit test for match_filter_list() function; still want a
758 better name for this...
760 Upstream-Regress-ID: 840ad6118552c35111f0a897af9c8d93ab8de92a
775 Upstream-ID: 3591b88bdb5416d6066fb3d49d8fff2375bf1a15
786 Upstream-ID: 34cb41182cd76d414c214ccb01c01707849afead
794 support =- for removing methods from algorithms lists,
795 e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like
798 Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d
806 allow form-feed characters at EOL; bz#2431 ok dtucker@
808 Upstream-ID: 1f453afaba6da2ae69d6afdf1ae79a917552f1a2
814 prefer to use ldns-config to find libldns
816 Should fix bz#2603 - "Build with ldns and without kerberos support
828 Make ssh_packet_set_rekey_limits take u32 for the number of
829 seconds until rekeying (negative values are rejected at config parse time).
833 rekey_time is cast to int64 for the comparison which is a no-op
834 on OpenBSD, but should also do the right thing in -portable on
840 Upstream-ID: c9f18613afb994a07e7622eb326f49de3d123b6c
853 Upstream-ID: 1efffffff2f51d53c9141f245b90ac23d33b9779
861 Return true reason for port forwarding failures where
864 Upstream-ID: d901d9887951774e604ca970e1827afaaef9e419
876 Upstream-ID: 1834d7af179dea1a12ad2137f84566664af225d5
885 and configurations, notably Solaris 64-bit binaries. It was there for
886 the benefit of Linux put the required bits in the *-*linux* section.
896 fully unbreak: some $SSH invocations did not have -F
897 specified and could pick up the ~/.ssh/config of the user running the tests
899 Upstream-Regress-ID: f362d1892c0d3e66212d5d3fc02d915c58ef6b89
910 Upstream-Regress-ID: bc8a5e98e57bad0a92ef4f34ed91c1d18294e2cc
922 Upstream-ID: 7cb04b31a61f8c78c4e48ceededcd2fd5c4ee1bc
932 remove SSHv1-isms in commented examples
934 reorder token table to group deprecated and compile-time conditional tokens
937 fix config dumping code for some compile-time conditional options that
940 Upstream-ID: f2e96b3cb3158d857c5a91ad2e15925df3060105
951 Upstream-ID: 40957b8dea69672b0e50df6b4a91a94e3e37f72d
961 Upstream-ID: f7b794074d3aae8e35b69a91d211c599c94afaae
972 Upstream-ID: 794243aad1e976ebc717885b7a97a25e00c031b2
980 use correct ssh-add program; bz#2654, from Colin Watson
982 Upstream-Regress-ID: 7042a36e1bdaec6562f6e57e9d047efe9c7a6030
990 Account for timeouts in the integrity tests as failures.
992 If the first test in a series for a given MAC happens to modify the low
997 Upstream-Regress-ID: e7467613b0badedaa300bc6fc7495ec2f44e2fb9
1009 Upstream-Regress-ID: 4756375aac5916ef9d25452a1c1d5fa9e90299a9
1017 Fix typo in ~C error message for bad port forward
1021 Upstream-ID: 0d4a7e5ead6cc59c9a44b4c1e5435ab3aada09af
1031 has its own reasons for tracking the size along with the sockaddr.
1035 Upstream-ID: ca6e49e2f22f2b9e81d6d924b90ecd7e422e7437
1045 Upstream-ID: b96239dae4fb3aa94146bb381afabcc7740a1638
1055 Upstream-ID: c107d6a69bc22325d79fbf78a2a62e04bcac6895
1063 show a useful error message when included config files
1066 Upstream-ID: f598b73b5dfe497344cec9efc9386b4e5a3cb95b
1078 Upstream-ID: 99ef8ac51f17f0f7aec166cb2e34228d4d72a665
1087 ssh-keyscan built without SSH protocol v.1 to scan for v.1 keys; bz#2583
1089 Upstream-ID: 5d214abd3a21337d67c6dcc5aa6f313298d0d165
1097 Re-add '%k' token for AuthorizedKeysCommand which was
1098 lost during the re-org in rev 1.235. bz#2656, from jboning at gmail.com.
1100 Upstream-ID: 2884e203c02764d7b3fe7472710d9c24bdc73e38
1108 unbreak Unix domain socket forwarding for root; ok
1111 Upstream-ID: 6649c76eb7a3fa15409373295ca71badf56920a2
1130 Upstream-ID: cf5617958e2e2d39f8285fd3bc63b557da484702
1141 Upstream-ID: b6b2b434a6d6035b1644ca44f24cd8104057420f
1152 Upstream-ID: e19456429bf99087ea994432c16d00a642060afe
1158 Re-add missing "Prerequisites" header and fix typo
1170 Upstream-Regress-ID: 7b6f0b63525f399844c8ac211003acb8e4b0bec2
1176 crank version numbers for release
1184 openssh-7.4
1186 Upstream-ID: 1ee404adba6bbe10ae9277cbae3a94abe2867b79
1197 Upstream-Regress-ID: cab4288531766bd9593cb556613b91a2eeefb56f
1206 not set. Mainly to benefit -portable since some platforms don't have whoami.
1208 Upstream-Regress-ID: e3a16b7836a3ae24dc8f8a4e43fdf8127a60bdfa
1216 Add regression test for AllowUsers and DenyUsers. Patch from
1219 Upstream-Regress-ID: 8f1aac24d52728398871dac14ad26ea38b533fb9
1238 Upstream-Regress-ID: 828ffc2c7afcf65d50ff2cf3dfc47a073ad39123
1249 Upstream-Regress-ID: a113dea77df5bd97fb4633ea31f3d72dbe356329
1257 regression test for certificates along with private key
1258 with no public half. bz#2617, mostly from Adam Eijdenberg
1260 Upstream-Regress-ID: 2e74dc2c726f4dc839609b3ce045466b69f01115
1271 Upstream-Regress-ID: f6b1c7ffbc5a0dfb7d430adb2883344899174a98
1282 Upstream-ID: d747ace338dcf943b077925f90f85f789714b54e
1293 Upstream-ID: deb0486e175e7282f98f9a15035d76c55c84f7f6
1301 disable Unix-domain socket forwarding when privsep is
1304 Upstream-ID: ab61516ae0faadad407857808517efa900a0d6d0
1315 Upstream-ID: 703ae690dbf9b56620a6018f8a3b2389ce76d92b
1327 Remove commented-out includes.
1329 These commented-out includes have "Still needed?" comments. Since
1330 they've been commented out for ~13 years I assert that they're not.
1336 Add prototype for strcasestr in compat library.
1354 prepared to deal with that. For now, the best we can do is to force
1355 OpenSSH to use the C/POSIX locale and try to preserve the UTF-8
1370 Include <unistd.h> for exit in utf8 locale test.
1376 Check for utf8 locale support before testing it.
1378 Check for utf8 locale support and if not found, do not attempt to run the
1385 Use AC_PATH_TOOL for krb5-config.
1387 This will use the host-prefixed version when cross compiling; patch from
1397 have no corresponding bare public key. E.g. just a private id_rsa and
1398 certificate id_rsa-cert.pub (and no id_rsa.pub).
1402 Upstream-ID: c1e9699b8c0e3b63cc4189e6972e3522b6292604
1408 Add a gnome-ssh-askpass3 target for GTK+3 version
1416 Make gnome-ssh-askpass2.c GTK+3-friendly
1427 authentication is in use. Instead of deleting and re-preparing the entire
1429 order (with already- tried keys at the back)
1433 Upstream-ID: 7123f12dc2f3bcaae715853035a97923d7300176
1446 Upstream-ID: 132dd6dda0c77dd49d2f15b2573b5794f6160870
1454 test new behaviour of cert force-command restriction vs.
1457 Upstream-Regress-ID: 399efa7469d40c404c0b0a295064ce75d495387c
1467 Upstream-ID: 93f6e54086145a75df8d8ec7d8689bdadbbac8fa
1475 add a whitelist of paths from which ssh-agent will load
1476 (via ssh-pkcs11-helper) a PKCS#11 module; ok markus@
1478 Upstream-ID: fe79769469d9cd6d26fe0dc15751b83ef2a06e8f
1491 simple and future-proof way of restricting an account. Suggested as
1494 Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
1502 When a forced-command appears in both a certificate and
1506 The previous (documented) behaviour of having the certificate forced-
1507 command override the other could be a bit confused and more error-prone.
1511 Upstream-ID: 79d811b6eb6bbe1221bf146dde6928f92d2cd05f
1521 means that when sshd re-execs itself on SIGHUP the process ID will no longer
1524 Upstream-ID: 5ea0355580056fb3b25c1fd6364307d9638a37b9
1545 Upstream-Regress-ID: 4345253558ac23b2082aebabccd48377433b6fe0
1553 Reverse args to sshd-log-wrapper. Matches change in
1556 Upstream-Regress-ID: b438d1c6726dc5caa2a45153e6103a0393faa906
1566 Upstream-Regress-ID: 4c4a2ba0d37faf5fd230a91b4c7edb5699fbd73a
1574 Clean up MALLOC_OPTIONS. For the unittests, move
1579 Upstream-Regress-ID: 890d497e0a38eeddfebb11cc429098d76cf29f12
1591 Upstream-Regress-ID: 6cc25024c8174a87e5734a0dc830194be216dd59
1602 Upstream-ID: 39fd9e8ebd7222615a837312face5cc7ae962885
1610 use sshbuf_allocate() to pre-allocate the buffer used for
1613 appear to happen in practice for normal sized keys, but was observed for
1618 Upstream-ID: d620e1d46a29fdea56aeadeda120879eddc60ab1
1629 Upstream-ID: 11b8a2795afeeb1418d508a2c8095b3355577ec2
1640 Upstream-ID: 8beb4c1eadd588f1080b58932281983864979f55
1650 Upstream-ID: 1c67d4148f5e953c35acdb62e7c08ae8e33f7cb2
1658 Validate address ranges for AllowUser/DenyUsers at
1663 Thanks to Laurence Parry for a detailed bug report. ok markus (for
1666 Upstream-ID: 9dfcdd9672b06e65233ea4434c38226680d40bfb
1678 Upstream-ID: 3223ef693cfcbff9079edfc7e89f55bf63e1973d
1690 Unbreak AES-CTR ciphers on old (~0.9.8) OpenSSL
1715 cipher-3des1.c and cipher-bf1.c are specific to sshv1 so don't even try
1726 forwarding for non-priv ports as a non root user.
1730 Upstream-ID: ddb8156ca03cc99997de284ce7777536ff9570c9
1741 Upstream-ID: ad9cc655829d67fad219762810770787ba913069
1747 Use !=NULL instead of >0 for getdefaultproj.
1749 getdefaultproj() returns a pointer so test it for NULL inequality
1760 make it easier for Portable to support platforms with permissions models
1764 Upstream-ID: 86213df4183e92b8f189a6d2dac858c994bfface
1775 Upstream-ID: d9b3a68b2a7c2f2fc7f74678e29a4618d55ceced
1795 www.openssh.com now supports https and ftp.openbsd.org no longer
1804 Remove ssh1 host key generation, add ssh-keygen -A
1831 was the recently-removed SSH1 server code so it's now dead code. ok markus@
1833 Upstream-ID: 05453983230a1f439562535fec2818f63f297af9
1841 Install a signal handler for tty-generated signals and
1842 wait for the ssh child to suspend before suspending sftp. This lets ssh
1846 Upstream-ID: a31c1f42aa3e2985dcc91e46e6a17bd22e372d69
1856 Upstream-ID: 81e85df2b8e474f5f93d66e61d9a4419ce87347c
1882 (DEF_WEAK is a no-op in portable.)
1906 unbreak principals-command test
1916 fix the KEX fuzzer - the previous method of obtaining the
1917 packet contents was broken. This now uses the new per-packet input hook, so
1918 it sees exact post-decrypt packets and doesn't have to pass packet integrity
1921 Upstream-Regress-ID: 402fb6ffabd97de590e8e57b25788949dce8d2fd
1932 Upstream-Regress-ID: 74ab9687417dd071d62316eaadd20ddad1d5af3c
1943 Upstream-Regress-ID: 77bcb50e47b68c7209c7f0a5a020d73761e5143b
1951 Add a per-packet input hook that is called with the
1952 decrypted packet contents. This will be used for fuzzing; ok markus@
1954 Upstream-ID: a3221cee6b1725dd4ae1dd2c13841b4784cb75dc
1964 allocation of up to 128MB -- until the connection is closed. Reported by
1965 shilei-c at 360.cn
1967 Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
1976 date: 2013/11/24 23:51:29; author: deraadt; state: Exp; lines: +4 -4;
1977 most obvious unsigned char casts for ctype
1987 date: 2010/05/14 13:30:34; author: millert; state: Exp; lines: +41 -39;
1999 This makes it a no-op when we use it below, which allows us to re-sync
2011 Upstream-ID: ff8e90aa0343d9bb56f40a535e148607973cc738
2019 add a comment about implicitly-expected checks to
2022 Upstream-ID: 74a7f71c28f7c13a50f89fc78e7863b9cd61713f
2030 fix some -Wpointer-sign warnings in the new mux proxy; ok
2033 Upstream-ID: b1ba7b3769fbc6b7f526792a215b0197f5e55dfd
2045 Upstream-Regress-ID: ce489bd53afcd471225a125b4b94565d4717c025
2057 Upstream-Regress-ID: b464e55185ac4303529e3e6927db41683aaeace2
2065 ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux
2066 client speaks the ssh-packet protocol directly over unix-domain socket. - mux
2067 server acts as a proxy, translates channel IDs and relays to the server. - no
2068 filedescriptor passing necessary. - combined with unix-domain forwarding it's
2072 Upstream-ID: 666a2fb79f58e5c50e246265fb2b9251e505c25b
2080 put back some pre-auth zlib bits that I shouldn't have
2081 removed - they are still used by the client. Spotted by naddy@
2083 Upstream-ID: 80919468056031037d56a1f5b261c164a6f90dc2
2091 restore pre-auth compression support in the client -- the
2094 remove a few server-side pre-auth compression bits that escaped
2100 Upstream-ID: d23696ed72a228dacd4839dd9f2dec424ba2016b
2108 use a separate TOKENS section, as we've done for
2111 Upstream-ID: 640e32b5e4838e4363738cdec955084b3579481d
2117 Remove portability support for mmap
2119 We no longer need to wrap/replace mmap for portability now that
2120 pre-auth compression has been removed from OpenSSH.
2128 Remove support for pre-authentication compression. Doing
2133 Moreover, to support it across privilege-separation zlib needed
2134 the assistance of a complex shared-memory manager that made the
2137 Prompted by Guido Vranken pointing out a compiler-elided security
2141 NB. pre-auth authentication has been disabled by default in sshd
2142 for >10 years.
2144 Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf
2159 Upstream-ID: f8508c830c86d8f36c113985e52bf8eedae23505
2165 fix mdoc2man.awk formatting for top-level lists
2178 Upstream-ID: 438d5ed6338b28b46e822eb13eee448aca31df37
2187 markus for an earlier version of the diff ok/tweaks djm
2189 Upstream-ID: 81a6daa506a4a5af985fce7cf9e59699156527c8
2197 mention curve25519-sha256 KEX
2199 Upstream-ID: 33ae1f433ce4795ffa6203761fbdf86e0d7ffbaf
2207 support plain curve25519-sha256 KEX algorithm now that it
2209 curve25519-sha256@libssh.org)
2211 Upstream-ID: 5e2b6db2e72667048cf426da43c0ee3fc777baa2
2221 session being authenticated. Check for this and exit if necessary. ok djm@
2223 Upstream-ID: b3afe126c0839d2eae6cddd41ff2ba317eda0903
2232 Sami Farin via https://github.com/openssh/openssh-portable/pull/50
2234 Upstream-ID: c85999af28aaecbf92cfa2283381df81e839b42c
2242 cast uint64_t for printf
2244 Upstream-ID: 76d23e89419ccbd2320f92792a6d878211666ac1
2252 disable tests for affirmative negated match after backout of
2255 Upstream-Regress-ID: acebb8e5042f03d66d86a50405c46c4de0badcfd
2268 > fix matching for pattern lists that contain a single negated match,
2279 Upstream-ID: ec96c770f0f5b9a54e5e72fda25387545e9c80c6
2289 Upstream-Regress-ID: 0a79a84dfaa59f958e46b474c3db780b454d30e3
2297 add a way for principals command to get see key ID and serial
2300 Upstream-ID: 0d30978bdcf7e8eaeee4eea1b030eb2eb1823fcb
2310 Upstream-Regress-ID: 03804d4a0dbc5163e1a285a4c8cc0a76a4e864ec
2318 fix for newer modp DH groups
2319 (diffie-hellman-group14-sha256 etc)
2321 Upstream-Regress-ID: fe942c669959462b507516ae1634fde0725f1c68
2333 Upstream-ID: 9a68b882892e9f51dc7bfa9f5a423858af358b2f
2347 Upstream-ID: 738d3229130ccc7eac975c190276ca6fcf0208e4
2358 Upstream-ID: e18ede972d1737df54b49f011fa4f3917a403f48
2366 take fingerprint of correct key for
2369 Upstream-ID: 553581a549cd6a3e73ce9f57559a325cc2cb1f38
2377 add %-escapes to AuthorizedPrincipalsCommand to match those
2378 supported for AuthorizedKeysCommand (key, key type, fingerprint, etc) and a
2381 Upstream-ID: 6b00fd446dbebe67f4e4e146d2e492d650ae04eb
2389 Improve test coverage of ssh-keygen -T a bit.
2391 Upstream-Regress-ID: 8851668c721bcc2b400600cfc5a87644cc024e72
2399 Add testcase for ssh-keygen -j, -J and -K options for
2403 Upstream-Regress-ID: 9de6ce801377ed3ce0a63a1413f1cd5fd3c2d062
2411 add tests for addr_match_list()
2413 Upstream-Regress-ID: fae2d1fef84687ece584738a924c7bf969616c8e
2424 Upstream-ID: 901cb081c59d6d2698b57901c427f3f6dc7397d4
2433 server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independently)
2436 Upstream-ID: ddf702d721f54646b11ef2cee6d916666cb685cd
2442 Remove no-op brackets to resync with upstream.
2448 Resync ssh-keygen -W error message with upstream.
2454 Move ssh-keygen -W handling code to match upstream
2460 Move ssh-keygen -T handling code to match upstream.
2466 Move -M handling code to match upstream.
2474 Spaces->tabs.
2476 Upstream-ID: f4829dfc3f36318273f6082b379ac562eead70b7
2484 Style whitespace fix. Also happens to remove a no-op
2487 Upstream-ID: 45d90f9a62ad56340913a433a9453eb30ceb8bf3
2499 Upstream-ID: 712cafa816c9f012a61628b66b9fbd5687223fb8
2509 Upstream-ID: 73cec7f7ecc82d37a4adffad7745e4684de67ce7
2520 Upstream-ID: 32bb7a9cb9919ff5bab28d50ecef3a2b2045dd1e
2532 Upstream-ID: 2ceaa1076e19dbd3542254b4fb8e42d608f28856
2540 remove 3des-cbc from the client's default proposal;
2541 64-bit block ciphers are not safe in 2016 and we don't want to wait until
2544 As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may
2547 configuration for KEX and hostkeys anyway.
2551 Upstream-ID: a505dfe65c6733af0f751b64cbc4bb7e0761bc2f
2559 enforce expected request flow for GSSAPI calls; thanks to
2560 Jakub Jelen for testing; ok markus@
2562 Upstream-ID: d4bc0e70e1be403735d3d9d7e176309b1fd626b9
2568 Restore ssh-keygen's -J and -j option handling.
2578 only allow kbd-interactive ones when that authentication method is
2592 Upstream-ID: 6eb3f89332b3546d41d6dbf5a8e6ff920142b553
2598 Tighten monitor state-machine flow for PAM calls
2612 Upstream-ID: 1987ccee508ba5b18f016c85100d7ac3f70ff965
2620 Pull in <sys/time.h> for struct timeval
2624 Upstream-ID: ae34525485a173bccd61ac8eefeb91c57e3b7df6
2632 Pull in <stdlib.h> for NULL
2636 Upstream-ID: 7baa6a0f1e049bb3682522b4b95a26c866bfc043
2645 use it to suppress noisy deprecation warnings for the Protocol directive.
2649 Upstream-ID: 9fe040aca3d6ff393f6f7e60045cdd821dc4cbe0
2659 Upstream-ID: a7485c1f1be618e8c9e38fd9be46c13b2d03b90c
2670 Upstream-ID: c443e339768e7ed396dff3bb55f693e7d3641453
2681 Upstream-ID: 07c3d53e357214153d9d08f234411e0d1a3d6f5c
2695 Upstream-Regress-ID: c16662c631af51633f9fd06aca552a70535de181
2709 add tests for matching functions
2711 Upstream-Regress-ID: 0869d4f5c5d627c583c6a929d69c17d5dd65882c
2730 Upstream-ID: 01dcac3f3e6ca47518cf293e31c73597a4bb40d8
2738 fix matching for pattern lists that contain a single
2743 Upstream-ID: 05a0cb323ea4bc20e98db099b42c067bfb9ea1ea
2751 remove UseLogin option and support for having /bin/login
2754 Upstream-ID: bea7213fbf158efab7e602d9d844fba4837d2712
2767 Upstream-ID: 850328854675b4b6a0d4a90f0b4a9dd9ca4e905f
2775 Remove more SSH1 server code: * Drop sshd's -k option. *
2781 Upstream-ID: 9402f82886de917779db12f8ee3f03d4decc244d
2787 Only check for prctl once.
2799 Correct LDFLAGS for clang example.
2801 --with-ldflags isn't used until after the -ftrapv test, so mention
2802 LDFLAGS instead for now.
2810 Since -portable switched to git the CVS $Id tags are no longer being
2817 Remove now-obsolete CVS $Id tags from text files.
2819 Since -portable switched to git, the CVS $Id tags are no longer being
2826 Add a section for compiler specifics.
2828 Add a section for compiler specifics and document the runtime requirements
2829 for clang's integer sanitization.
2837 When using clang with -ftrapv or -sanitize=integer the tests would pass
2839 Explicitly test for this before enabling -trapv.
2845 add a --with-login-program configure argument
2854 add --with-pam-service to specify PAM service name
2864 Our explicit_bzero successfully confused clang -fsanitize-memory
2876 Upstream-ID: c24c0c32c49b91740d5a94ae914fb1898ea5f534
2884 Use 2001:db8::/32, the official IPv6 subnet for
2887 This makes the IPv6 example consistent with IPv4, and removes a dubious
2892 Upstream-ID: b027f3d0e0073419a132fd1bf002e8089b233634
2902 Upstream-ID: 6da9a37f74aef9f9cc639004345ad893cad582d8
2916 Improve error message for overlong ControlPath. ok markus@
2919 Upstream-ID: aed374e2e88dd3eb41390003e5303d0089861eb5
2930 Upstream-ID: 094849f8be68c3bdad2c0f3dee551ecf7be87f6f
2940 and run such that no Protocol 1 ephemeral host key is generated (eg "Protocol
2941 2", no SSH1 host key supplied). Reported by rainer.laatsch at t-online.de,
2944 Upstream-ID: aa6b132da5c325523aed7989cc5a320497c919dc
2955 Upstream-ID: 9baa6eb5cd6e30c9dc7398e5fe853721a3a5bdee
2967 Explicitly test for broken strnvis.
2971 for over ten years). Despite this incompatibility being reported during
2992 update config.guess and config.sub to current
3012 (or in the case of bsd-snprint.c, rsync).
3028 Date: Mon Aug 1 14:31:52 2016 -0700
3032 Spotted by Jean-Pierre Radley
3038 define _OPENBSD_SOURCE for reallocarray on NetBSD
3075 openssh-7.3
3077 Upstream-ID: af106a7eb665f642648cf1993e162c899f358718
3093 fix pledge violation with ssh -f; reported by Valentin
3096 Upstream-ID: a61db7988db88d9dac3c4dd70e18876a8edf84aa
3106 Upstream-ID: 55cb0a24c8e0618b3ceec80998dc82c85db2d2f8
3114 Lower loglevel for "Authenticated with partial success"
3118 Upstream-ID: 3faab814e947dc7b2e292edede23e94c608cb4dd
3137 Upstream-ID: f2043f51454ea37830ff6ad60c8b32b4220f448d
3148 Upstream-ID: 767f323e1f5819508a0e35e388ec241bac2f953a
3156 reverse the order in which -J/JumpHost proxies are visited to
3161 Upstream-ID: 3a68fd6a841fd6cf8cedf6552a9607ba99df179a
3173 Brought to our attention by tomas.kuthan at oracle.com, shilei-c at
3176 Upstream-ID: d0af7d4a2190b63ba1d38eec502bc4be0be9e333
3187 Upstream-ID: 5362210944d91417d5976346d41ac0b244350d31
3197 Upstream-ID: f3c1a5b3f05dff366f60c028728a2b43f15ff534
3205 Allow wildcard for PermitOpen hosts as well as ports.
3209 Upstream-ID: af0294e9b9394c4e16e991424ca0a47a7cc605f2
3221 Upstream-ID: f20a13279b00ba0afbacbcc1f04e62e9d41c2912
3227 Search users for one with a valid salt.
3230 until we find a user with a valid salt to use for crypting passwords of
3237 Explicitly specify source files for regress tools.
3241 seem to work on some non-GNU makes, so do what works everywhere.
3255 We now have a shared implementation in libopenbsd-compat.
3263 Add some unsigned overflow checks for extra_pad. None of
3267 Upstream-ID: 4d4be8450ab2fc1b852d5884339f8e8c31c3fd76
3273 Add dependency on libs for unit tests.
3281 Correct location for kexfuzz in clean target.
3290 password and keyboard-interactive authentication methods. Should prevent
3293 It probably won't trigger with keyboard-interactive in the default
3294 configuration because the retry counter is stored in module-private
3304 support UTF-8 characters in ssh(1) banners using
3309 Upstream-ID: a72ce4e3644c957643c9524eea2959e41b91eea7
3317 - add proxyjump to the options list - formatting fixes -
3322 Upstream-ID: 43d318e14ce677a2eec8f21ef5ba2f9f68a59457
3334 Upstream-ID: 9005805227c94edf6ac02a160f0e199638d288e5
3357 shared header and use for sshbuf-getput-basic.c too. Should fix building
3372 add a --disable-pkcs11 knob
3378 fix newline escaping for unsupported_algorithms
3380 The hmac-ripemd160 was incorrect and could lead to broken
3381 Makefiles on systems that lacked support for it, but I made
3390 Add a ProxyJump ssh_config(5) option and corresponding -J
3391 ssh(1) command-line flag to allow simplified indirection through a SSH
3396 port-forwarding to establish a connection to the next destination.
3403 Upstream-ID: fa899cb8b26d889da8f142eb9774c1ea36b04397
3419 When sshd decides to not allow a login (eg PermitRootLogin=no) and
3420 it's using PAM, it sends a fake password to PAM so that the timing for
3433 Determine appropriate salt for invalid users.
3435 When sshd is processing a non-PAM login for a non-existent user it uses
3436 the string from the fakepw structure as the salt for crypt(3)ing the
3440 from the hash methods used for real accounts (eg sha512). This allows
3442 by EddieEzra.Harari at verint.com (CVE-2016-6210).
3444 To mitigate, use the same hash algorithm that root uses for hashing
3445 passwords for users that do not exist on the system. ok djm@
3457 Check for VIS_ALL.
3469 Upstream-Regress-ID: 4e32f7a5c57a619c4e8766cb193be2a1327ec37a
3483 Upstream-ID: ca2099eade1ef3e87a79614fefa26a0297ad8a3b
3494 Upstream-ID: dae60df23b2bb0e89f42661ddd96a7b0d1b7215a
3500 Add compat code for missing wcwidth.
3509 fix missing include for systems with err.h
3518 in the libopenbsd-compat so we can use them in kexfuzz.c too. ok djm@
3524 Check for wchar.h and langinfo.h
3532 whitelist more architectures for seccomp-bpf
3534 bz#2590 - testing and patch from Jakub Jelen
3543 it. CFLAGS contains -g by default anyway
3545 problem noted by Edgar Pettijohn (edgar (at) pettijohn-web.com)
3548 Upstream-Regress-ID: 4a0bb72f95c63f2ae9daa8a040ac23914bddb542
3556 Improve crypto ordering for Encrypt-then-MAC (EtM) mode
3561 side-channel oracle in the decryption step, though no such oracle has
3565 one pass, and uses it to advance MAC checking for EtM algorithms to
3571 Upstream-ID: 1999bb67cab47dda5b10b80d8155fe83d4a1867b
3580 delete it. CFLAGS contains -g by default anyway
3582 problem noted by Edgar Pettijohn (edgar (at) pettijohn-web.com)
3585 Upstream-ID: 96c5054e3e1f170c6276902d5bc65bb3b87a2603
3593 Explicitly check for 100% completion to avoid potential
3598 Upstream-ID: a166870c5878e422f3c71ff802e2ccd7032f715d
3606 sort the -o list;
3608 Upstream-ID: 1a97465ede8790b4d47cb618269978e07f41f8ac
3616 fix AuthenticationMethods during configuration re-parse;
3619 Upstream-ID: 8ffa1dac25c7577eca8238e825317ab20848f9b4
3631 Upstream-ID: b393794f8935c8b15d98a407fe7721c62d2ed179
3641 Upstream-ID: 5d5b21c80f1e81db367333ce0bb3e5874fb3e463
3652 Upstream-ID: 4cb0795a366381724314e6515d57790c5930ffe5
3661 AuthenticationMethods=any for the default behaviour of not requiring multiple
3666 Upstream-ID: fabd7f44d59e4518d241d0d01e226435cc23cf27
3674 Include stdarg.h for va_copy as per man page.
3676 Upstream-ID: 105d6b2f1af2fbd9d91c893c436ab121434470bd
3689 Upstream-ID: 03d48536da6e51510d73ade6fcd44ace731ceb27
3697 Apply the same get_remote_name_or_ip -> session_get_remote_name_or_ip
3713 Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message
3714 about forward and reverse DNS not matching. We haven't supported IP-based
3715 auth methods for a very long time so it's now misleading. part of bz#2585,
3718 Upstream-ID: 5565ef0ee0599b27f0bd1d3bb1f8a323d8274e29
3727 gets linked into ssh-agent when building --with-pam.
3736 a file in -portable. This file tracks those so that we can reconcile
3737 OpenBSD and Portable to ensure that no commits are accidentally missed.
3739 If you add something to .skipped-commit-ids please also add an upstream
3757 Remove now-defunct .cvsignore files. ok djm
3766 client" change. It caused "key_verify failed for server_host_key" in clients
3767 that send a DH-GEX min value less than DH_GRP_MIN, eg old OpenSSH and PuTTY.
3770 Upstream-ID: 452979d3ca5c1e9dff063287ea0a5314dd091f65
3779 ssh-agent and sftp-server. bz#2584, based on a patch from huieying.lee
3803 Add a test for ssh(1)'s config file parsing.
3805 Upstream-Regress-ID: 558b7f4dc45cc3761cc3d3e889b9f3c5bc91e601
3814 set for ssh.
3816 Upstream-Regress-ID: aea7a9c3bac638530165c801ce836875b228ae7a
3824 stricter malloc.conf(5) options for utf8 tests
3826 Upstream-Regress-ID: 111efe20a0fb692fa1a987f6e823310f9b25abf6
3838 rather than -1 and NULL.
3845 Upstream-Regress-ID: b164f20923812c9bac69856dbc1385eb1522cba4
3855 Upstream-Regress-ID: c923d05a20e84e4ef152cbec947fdc4ce6eabbe3
3865 Upstream-Regress-ID: 8fdf2fc4eb595ccd80c443f474d639f851145417
3875 Upstream-Regress-ID: 8d5572b27ea810394eeda432d8b4e9e1064a7c38
3883 unit tests for sshbuf_dup_string()
3885 Upstream-Regress-ID: 7521ff150dc7f20511d1c2c48fd3318e5850a96d
3895 Upstream-ID: 92979f1a0b63e041a0e5b08c9ed0ba9b683a3698
3904 overridden when using ssh -W (but still default to yes in that case).
3907 Upstream-ID: 4b20c419e93ca11a861c81c284090cfabc8c54d4
3915 Move the host and port used by ssh -W into the Options
3918 Upstream-ID: 151bce5ecab2fbedf0d836250a27968d30389382
3929 Upstream-ID: 750627e8117084215412bff00a25b1586ab17ece
3937 Ensure that the client's proposed DH-GEX max value is at
3940 Upstream-ID: b4b84fa04aab2de7e79a6fee4a6e1c189c0fe775
3952 Fix utf->utf8 typo.
3960 Backout rev. 1.43 for now.
3968 Upstream-ID: aaae57989431e5239c101f8310f74ccc83aeb93e
3980 While here, reserve an additional byte for the terminating NUL
3981 up front such that we don't have to realloc() later just for that.
3985 Upstream-ID: 30ebcc0c097c4571b16f0a78b44969f170db0cff
3997 rather than -1 and NULL.
4004 Upstream-ID: b7bcd2e82fc168a8eff94e41f5db336ed986fed0
4013 the terminal, for ASCII and UTF-8, escape bytes not forming characters and
4014 bytes forming non-printable characters with vis(3) VIS_OCTAL. For other
4019 for the progressmeter.
4023 state-dependent locales because many places in the code print
4031 Upstream-ID: e66afbc94ee396ddcaffd433b9a3b80f387647e0
4042 Upstream-ID: aa814b694efe9e5af8a26e4c80a05526ae6d6605
4052 Upstream-ID: 4faacdde136c24a961e24538de373660f869dbc0
4060 prefer agent-hosted keys to keys from PKCS#11; ok markus
4062 Upstream-ID: 7417f7653d58d6306d9f8c08d0263d050e2fd8f4
4072 Upstream-ID: bf968da7cfcea2a41902832e7d548356a4e2af34
4080 This will be needed for the upcoming utf8 changes.
4084 Date: Tue May 31 11:13:22 2016 -0700
4087 whitespace clean up. No code changes.
4099 Add missing ssh-host-config --name option
4117 Avoids sandbox violations for some krb/gssapi libraries.
4127 Upstream-ID: b32d0cb372bbe918ca2de56906901eae225a59b0
4137 Upstream-ID: 4ba9034b00a4cf1beae627f0728da897802df88a
4147 Upstream-ID: 20c508480d8db3eef18942c0fc39b1fcf25652ac
4158 Upstream-ID: c2f97502efc761a41b18c17ddf460e138ca7994e
4178 Upstream-ID: 789c6ad4928b5fa557369b88c3a6a34926082c05
4186 Fix inverted logic for updating StreamLocalBindMask which
4189 Upstream-ID: 8a4404c8307a5ef9e07ee2169fc6d8106b527587
4197 IdentityAgent for specifying specific agent sockets; ok
4200 Upstream-ID: 3e6a15eb89ea0fd406f108826b7dc7dec4fbfac1
4210 Upstream-ID: cc4d0cd32cb6b55a2ef98975d2f7ae857d0dc578
4220 Upstream-ID: 1fbd5b7ab16d2d9834ec79c3cedd4738fa42a168
4231 Upstream-ID: 940bc69ec0249ab428d24ccd0722ce35cb932ee2
4240 config dump output
4242 Upstream-ID: 14a6d970b3b45c8e94272e3c661e9a0b2a0ee7cb
4253 Upstream-ID: cb40d0235dc153c478c1aad3bc60b195422a54fb
4261 clarify ordering of subkeys; pointed out by ietf-ssh AT
4264 Upstream-ID: 05ebe9f949449a555ebce8e0aad7c8c9acaf8463
4272 Use a subshell for constructing key types to work around
4273 different sed behaviours for -portable.
4275 Upstream-Regress-ID: 0f6eb673162df229eda9a134a0f10da16151552d
4283 correct some typos and remove a long-stale XXX note.
4285 add specification for ed25519 certificates
4287 mention no host certificate options/extensions are currently defined
4291 Upstream-ID: 7b535ab7dba3340b7d8210ede6791fdaefdf839a
4302 Upstream-ID: 8caac2d8e8cfd2fca6dc304877346e0a064b014b
4310 Implement IUTF8 as per draft-sgtatham-secsh-iutf8-00. Patch
4313 Upstream-ID: 58268ebdf37d9d467f78216c681705a5e10c58e8
4321 unbreak config parsing on reexec from previous commit
4323 Upstream-ID: bc69932638a291770955bd05ca55a32660a613ab
4331 unit and regress tests for SHA256/512; ok markus
4333 Upstream-Regress-ID: a0cd1a92dc824067076a5fcef83c18df9b0bf2c6
4341 add support for additional fixed DH groups from
4342 draft-ietf-curdle-ssh-kex-sha2-03
4344 diffie-hellman-group14-sha256 (2K group)
4345 diffie-hellman-group16-sha512 (4K group)
4346 diffie-hellman-group18-sha512 (8K group)
4351 Upstream-ID: ac00406ada4f0dfec41585ca0839f039545bc46f
4362 Upstream-ID: b45be2f2ce8cacd794dc5730edaabc90e5eb434a
4370 fix signed/unsigned errors reported by clang-3.7; add
4374 Upstream-ID: 71f926d9bb3f1efed51319a6daf37e93d57c8820
4385 Upstream-ID: 4fb726f0fdcb155ad419913cea10dc4afd409d24
4395 Upstream-ID: 313a385bd7b69a82f8e28ecbaf5789c774457b15
4403 cidr permitted for {allow,deny}users; from lars nooden ok djm
4405 Upstream-ID: 13e7327fe85f6c63f3f7f069e0fdc8c351515d11
4415 Upstream-ID: dc4816678704aa5cbda3a702e0fa2033ff04581d
4425 Upstream-ID: 46c1bab91c164078edbccd5f7d06b9058edd814f
4435 Upstream-Regress-ID: 1063595f7f40f8489a1b7a27230b9e8acccea34f
4445 Upstream-Regress-ID: 29ef1b267fa56daa60a1463396635e7d53afb587
4455 Upstream-Regress-ID: cb782f4f1ab3e079efbc335c6b64942f790766ed
4463 regression test for ssh_config Include directive
4465 Upstream-Regress-ID: 46a38c8101f635461c506d1aac2d96af80f97f1e
4473 unbreak test for recent ssh de-duplicated forwarding
4476 Upstream-Regress-ID: 6b2b115d99acd7cff13986e6739ea214cf2a3da3
4484 add test knob and warning for StrictModes
4486 Upstream-Regress-ID: 8cd10952ce7898655ee58945904f2a0a3bdf7682
4494 Include directive for ssh_config(5); feedback & ok markus@
4496 Upstream-ID: ae3b76e2e343322b9f74acde6f1e1c5f027d5fff
4504 If PAM is configured to read user-specified environment variables
4509 CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
4520 Upstream-ID: 92038726ef4a338169c35dacc9c5a07fcc7fa761
4541 Upstream-ID: 5beffd4e001515da12851b974e2323ae4aa313b6
4550 every direct-streamlocal@openssh.com channel open, in contravention of our
4560 Upstream-ID: 34cd326a4d236ca6e39084c4ff796bd97ab833e7
4573 Upstream-ID: 40a51d68b6300f1cc61deecdb7d4847b8b7b0de1
4581 Another use for fcntl() and thus of the superfluous 3rd
4589 Upstream-ID: f16811ffa19a1c5f4ef383c5f0fecb843c84e218
4601 Fix configure-time warnings for openssl test.
4611 Upstream-ID: 40ae2203d07cb14e0a89e1a0d4c6120ee8fd8c3a
4623 Upstream-ID: 0d4f8c70e2fa7431a83b95f8ca81033147ba8713
4634 Upstream-ID: c1c1bb895dde46095fc6d81d8653703928437591
4659 ssh-agent: when attempting pubkey auth with a certificate, if no separate
4664 Upstream-ID: f939cd76d68e6a9a3d1711b5a943d6ed1e623966
4672 sanitise characters destined for xauth reported by
4675 Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261
4681 Pass supported malloc options to connect-privsep.
4684 option portion of the connect-privsep test.
4692 Pointed out by des at des.no.
4708 Include priv.h for priv_set_t.
4729 Date: Tue Mar 8 14:12:58 2016 -0800
4731 make a regress-binaries target
4738 Date: Tue Mar 8 14:03:54 2016 -0800
4740 unbreak kexfuzz for -Werror without __bounded__
4744 Date: Tue Mar 8 14:01:29 2016 -0800
4755 same change to some portable-specific code.
4764 to the places that use them (authn and session code). After this, no state is
4769 Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
4787 Upstream-Regress-ID: 345d0a9589c381e7d640a4ead06cfaadf4db1363
4797 Upstream-Regress-ID: 3df5242d30551b12b828aa9ba4a4cec0846be8d1
4805 Look back 3 lines for possible error messages. Changes
4810 Upstream-Regress-ID: 24f36912740a634d509a3144ebc8eb7c09b9c684
4818 fix ClientAliveInterval when a time-based RekeyLimit is
4822 Upstream-ID: d48f9deadd35fdacdd5106b41bb07630ddd4aa81
4831 for the ack from the other end. Pointed out by mmcc@, ok deraadt@ markus@
4833 Upstream-ID: 99f1cf15c9a8f161086b814d414d862795ae153d
4841 Improve precision of progressmeter for sftp and scp by
4842 storing sub-second timestamps. Pointed out by mmcc@, ok deraadt@ markus@
4844 Upstream-ID: 38fd83a3d83dbf81c8ff7b5d1302382fe54970ab
4854 Upstream-ID: 0590313bbb013ff6692298c98f7e0be349d124bd
4869 Upstream-ID: 9ad8a07e1a12684e1b329f9bd88941b249d4b2ad
4889 Skip PrintLastLog in config dump mode.
4892 config dump since it'll be reported as UNKNOWN.
4912 openssh-7.2
4914 Upstream-ID: 9db776b26014147fc907ece8460ef2bcb0f11e78
4923 for certain files and directories. This adds a regress/check-perm
4952 entered for keys; reported by espie@ ok deraadt@
4954 Upstream-ID: 58b2e46e63ed6912ed1ee780bd3bd8560f9a5899
4966 Upstream-ID: e168daf9d27d7e392e3c9923826bd8e87b2b3a10
4979 Upstream-ID: 6ce99466312e4ae7708017c3665e3edb976f70cf
4991 Upstream-ID: 0d94aa06a4b889bf57a7f631c45ba36d24c13e0c
5013 Upstream-ID: 43f0d57928cc077c949af0bfa71ef574dcb58243
5021 rsa-sha2-512,rsa-sha2-256 cannot be selected explicitly
5022 in *KeyTypes options yet. Remove them from the lists of algorithms for now.
5025 Upstream-ID: c6e8820eb8e610ac21551832c0c89684a9a51bb7
5039 Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
5048 for new installs; "absolutely" deraadt@
5050 Upstream-ID: 5221ef3b927d2df044e9aa3f5db74ae91743f69b
5058 no need to state that protocol 2 is the default twice;
5060 Upstream-ID: b1e4c36b0c2e12e338e5b66e2978f2ac953b95eb
5068 Replace list of ciphers and MACs adjacent to -1/-2 flag
5075 Upstream-ID: 961f99e5437d50e636feca023978950a232ead5e
5089 Upstream-ID: e72d2ac080e02774376325136e532cb24c2e617c
5099 Upstream-Regress-ID: b22d72edfde78c403aaec2b9c9753ef633cc0529
5108 it has the wrong number of args and it's not usable in non-variadic
5109 functions anyway so it breaks things (for example Solaris 2.6 as
5116 Look for gethostbyname in libresolv and libnsl.
5124 make existing ssh_malloc_init only for __OpenBSD__
5135 Upstream-ID: ccd742cd25952240ebd23d7d4d6b605862584d08
5143 Add a function to enable security-related malloc_options.
5144 With and ok deraadt@, something similar has been in the snaps for a while.
5146 Upstream-ID: 43a95523b832b7f3b943d2908662191110c380ed
5152 sync ssh-copy-id with upstream 783ef08b0a75
5160 avoid fatal() for PKCS11 tokens that present empty key IDs
5163 Upstream-ID: 044a764fee526f2c4a9d530bd10695422d01fc54
5174 Upstream-ID: d7fd1b6c1ed848d866236bcb1d7049d2bb9b2ff6
5182 fix regression in openssh-6.8 sftp client: existing
5186 Upstream-ID: 3306be469f41f26758e3d447987ac6d662623e18
5194 turn off more old crypto in the client: hmac-md5, ripemd,
5197 Upstream-ID: 96aa11c2c082be45267a690c12f1d2aae6acd46e
5205 don't attempt to percent_expand() already-canonicalised
5209 Upstream-ID: f24569cffa1a7cbde5f08dc739a72f4d78aa5c6a
5221 application of rekey limits more accurate by accounting for packets
5228 Upstream-ID: a441227fd64f9739850ca97b4cf794202860fcd8
5240 Upstream-ID: 3c2dadc21fac6ef64665688aac8a75fffd57ae53
5251 Upstream-ID: 11b068d83c2865343aeb46acf1e9eec00f829b6b
5259 mention internal DH-GEX fallback groups; bz#2302
5261 Upstream-ID: e7b395fcca3122cd825515f45a2e41c9a157e09e
5269 better description for MaxSessions; bz#2531
5271 Upstream-ID: e2c0d74ee185cd1a3e9d4ca1f1b939b745b354da
5280 become an RCS ident downstream; requested by des AT des.no
5291 Upstream-ID: 7b9f6712cef01865ad29070262d366cf13587c9c
5303 Upstream-ID: 20ee0cfbda678a247264c20ed75362042b90b412
5311 Add regression test for RekeyLimit parsing of >32bit values
5314 Upstream-Regress-ID: 548390350c62747b6234f522a99c319eee401328
5324 Upstream-ID: 13d1f9c8b65a5109756bcfd3b74df949d53615be
5332 include packet type of non-data packets in debug3 output;
5335 Upstream-ID: 034eaf639acc96459b9c5ce782db9fcd8bd02d41
5343 Revert "account for packets buffered but not yet
5344 processed" change as it breaks for very small RekeyLimit values due to
5347 Upstream-ID: 7e03f636cb45ab60db18850236ccf19079182a19
5358 Upstream-ID: 13bea82be566b9704821b1ea05bf7804335c7979
5366 Account for packets buffered but not yet processed when
5370 Upstream-ID: 67e268b547f990ed220f3cb70a5624d9bda12b8c
5379 become an RCS ident downstream; requested by des AT des.no
5381 Upstream-ID: 8ca558c01f184e596b45e4fc8885534b2c864722
5391 Upstream-ID: 478ccd4e897e0af8486b294aa63aa3f90ab78d64
5400 memset() when returning from client_loop() for consistency with
5405 Upstream-ID: bc9975b2095339811c3b954694d7d15ea5c58f66
5413 Include sys/time.h for gettimeofday. From sortie at
5416 Upstream-ID: 6ed0c33b836d9de0a664cd091e86523ecaa2fb3b
5427 Upstream-ID: 4ec0f12b9d8fa202293c9effa115464185aa071d
5437 Upstream-ID: 2cab8f4b197bc95776fb1c8dc2859dad0c64dc56
5445 Disable experimental client-side roaming support. Server
5446 side was disabled/gutted for years already, but this aspect was surprisingly
5447 forgotten. Thanks for report from Qualys
5449 Upstream-ID: 2328004b58f431a554d4c1bf67f5407eae3389df
5461 openssh-7.1p2
5479 Upstream-ID: f76195bd2064615a63ef9674a0e4096b0713f938
5490 Upstream-ID: 0ece37069fd66bc6e4f55eb1321f93df372b65bf
5496 Support Illumos/Solaris fine-grained privileges
5498 Includes a pre-auth privsep sandbox and several pledge()
5514 Upstream-ID: e705e97ad3ccce84291eaa651708dd1b9692576b
5524 Upstream-ID: f3eef4389d53ed6c0d5c77dcdcca3060c745da97
5532 Use pread/pwrite instead of separate lseek+read/write for
5537 Upstream-ID: fc40092568cd195719ddf1a00aa0742340d616cf
5545 adjust pledge promises for ControlMaster: when using
5546 "ask" or "autoask", the process will use ssh-askpass for asking confirmation.
5552 Upstream-ID: 38a58b30ae3eef85051c74d3c247216ec0735f80
5563 Upstream-ID: decc88ec4fc7515594fdb42b04aa03189a44184b
5571 Add "id" to ssh-agent pledge for subprocess support.
5573 Found the hard way by Jan Johansson when using ssh-agent with X. Also,
5578 Upstream-ID: 914255f6850e5e7fa830a2de6c38605333b584db
5586 Remove NULL-checks before sshbuf_free().
5590 Upstream-ID: 5ebed00ed5f9f03b119a345085e8774565466917
5601 Upstream-ID: 9300dc354015f7a7368d94a8ff4a4266a69d237e
5612 Upstream-ID: 8b8e7b02a448cf5e5635979df2d83028f58868a7
5624 Upstream-ID: 1b60586b484b55a947d99a0b32bd25e0ced56fae
5632 Remove NULL-checks before sshkey_free().
5636 Upstream-ID: 3e35afe8a25e021216696b5d6cde7f5d2e5e3f52
5646 null-ptr.net.
5648 Upstream-ID: b0c6b4cd2cdb01d7e9eefbffdc522e35b5bc4acc
5656 - remove configure --with-rsh, because this option isn't supported anymore
5657 - replace last occurrence of BuildPreReq by BuildRequires
5658 - update grep statement to query the krb5 include directory
5666 Allow --without-ssl-engine with --without-openssl
5674 Include openssl crypto.h for SSLeay.
5682 Add sys/time.h for gettimeofday.
5695 Upstream-ID: 7454a0affeab772398052954c79300aa82077093
5708 Upstream-ID: 56c955106cbddba86c3dd9bbf786ac0d1b361492
5716 Remove NULL-checks before free().
5720 Upstream-ID: e3d3cb1ce900179906af36517b5eea0fb15e6ef8
5730 Upstream-ID: ec364c5af32031f013001fd28d1bd3dfacfe9a72
5738 stricter encoding type checks for ssh-rsa; ok djm@
5740 Upstream-ID: 8cca7c787599a5e8391e184d0b4f36fdc3665650
5756 basic unit tests for rsa-sha2-* signature types
5758 Upstream-Regress-ID: 7dc4b9db809d578ff104d591b4d86560c3598d3c
5766 prefer rsa-sha2-512 over -256 for hostkeys, too; noticed
5769 Upstream-ID: 685f55f7ec566a8caca587750672723a0faf3ffe
5777 Properly handle invalid %-format by calling fatal.
5781 Upstream-ID: 5692bce7d9f6eaa9c488cb93d3b55e758bef1eac
5789 implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures
5790 (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and
5791 draft-ssh-ext-info-04.txt; with & ok djm@
5793 Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309
5801 clean up agent_fd handling; properly initialise it to -1
5806 Upstream-ID: ac9554323d5065745caf17b5e37cb0f0d4825707
5814 pledges ssh client: - mux client: which is used when
5818 - client loop: several levels of pledging depending on your used options
5822 Upstream-ID: 21676155a700e51f2ce911e33538e92a2cd1d94b
5830 Add "cpath" to the ssh-agent pledge so the cleanup
5835 Upstream-ID: 9e632991d48241d56db645602d381253a3d8c29d
5843 ssh-agent pledge needs proc for askpass; spotted by todd@
5845 Upstream-ID: 349aa261b29cc0e7de47ef56167769c432630b2a
5853 basic pledge() for ssh-agent, more refinement needed
5855 Upstream-ID: 5b5b03c88162fce549e45e1b6dd833f20bbb5e13
5861 Revert "stub for pledge(2) for systems that lack it"
5879 stub for pledge(2) for systems that lack it
5889 Upstream-ID: 3e00f6ccfe2b9a7a2d1dbba5409586180801488f
5897 do not leak temp file if there is no known_hosts file
5900 Upstream-ID: c820497fd5574844c782e79405c55860f170e426
5916 don't include port number in tcpip-forward replies for
5920 Upstream-ID: 77efad818addb61ec638b5a2362f1554e21a970a
5929 except for the -p option (which sadly has insane semantics...) ok semarie
5932 Upstream-ID: 8854bbd58279abe00f6c33f8094bdc02c8c65059
5940 allow comment change for all supported formats
5944 Upstream-ID: 5fc477cf2f119b2d44aa9c683af16cb00bb3744b
5952 add cast to make -Werror clean
5954 Upstream-ID: 288db4f8f810bd475be01320c198250a04ff064d
5970 ban ConnectionAttempts=0, it makes no sense and would cause
5974 Upstream-ID: 32b5134c608270583a90b93a07b3feb3cbd5f7d5
5984 Upstream-ID: 31fe0ad7c4d08e87f1d69c79372f5e3c5cd79051
5994 Upstream-ID: 39354cdd8a2b32b308fd03f98645f877f540f00d
6005 Upstream-ID: f05f7c78fab20d02ff1d5ceeda533ef52e8fe523
6013 fix "ssh-keygen -l" of private key, broken in support for
6016 Upstream-ID: 6b3132d2c62d03d0bad6f2bcd7e2d8b7dab5cd9d
6027 Upstream-ID: 33837d767a0cf1db1489b96055f9e330bc0bab6d
6035 Allow fingerprinting from standard input "ssh-keygen -lf
6036 -"
6043 Upstream-ID: 903f8b4502929d6ccf53509e4e07eae084574b77
6055 Upstream-ID: c8a6d0d56c42f3faab38460dc917ca0d1705d383
6063 improve sshkey_read() semantics; only update *cpp when a
6066 Upstream-ID: f371e78e8f4fab366cf69a42bdecedaed5d1b089
6074 1) Use xcalloc() instead of xmalloc() to check for
6076 just before the for loop. (suggested by djm@)
6080 Upstream-ID: 013534c308187284756c3141f11d2c0f33c47213
6089 includes all current and future key restrictions (no-*-forwarding, etc). Also
6090 add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty".
6092 maximally-restricted, regardless of any permissions we might implement in the
6097 restrict,pty,command="nethack" ssh-ed25519 AAAAC3NzaC1lZDI1...
6101 Upstream-ID: 04ceb9d448e46e67e13887a7ae5ea45b4f1719d0
6109 correct section number for ssh-agent;
6111 Upstream-ID: 44be72fd8bcc167635c49b357b1beea8d5674bd6
6121 Upstream-ID: 1470fce171c47b60bbc7ecd0fc717a442c2cfe65
6130 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a
6131 private key that is used during authentication will be added to ssh-agent if
6138 Upstream-ID: a680db2248e8064ec55f8be72d539458c987d5f4
6149 Upstream-ID: 2b3abdff344d53c8d505f45c83a7b12e84935786
6157 Support "none" as an argument for sshd_config
6161 Upstream-ID: 7ef478d6592bc7db5c7376fc33b4443e63dccfa5
6170 reading from standard input (using "-f -") for "ssh-keygen -L"; ok dtucker@
6172 Upstream-ID: ecbadeeef3926e5be6281689b7250a32a80e88db
6183 Upstream-ID: e4d03f39d254db4c0cc54101921bb89fbda19879
6194 Upstream-ID: 9a1889e19647615ededbbabab89064843ba92d3e
6202 remove prototypes for long-gone s/key support; ok
6205 Upstream-ID: db5bed3c57118af986490ab23d399df807359a79
6230 -c before -H, in SYNOPSIS and usage();
6232 Upstream-ID: 25e8c58a69e1f37fcd54ac2cd1699370acb5e404
6240 Add "ssh-keyscan -c ..." flag to allow fetching
6243 Upstream-ID: 0947e2177dba92339eced9e49d3c5bf7dda69f82
6253 Upstream-ID: 39ba08548acde4c54f2d4520c202c2a863a3c730
6264 Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62
6277 Upstream-ID: 8b46bc94cf1ca7c8c1a75b1c958b2bb38d7579c8
6285 "commandline" -> "command line", since there are so few
6291 Upstream-ID: 78459d59bff74223f8139d9001ccd56fc4310659
6309 regress test for "PubkeyAcceptedKeyTypes +..." inside a
6312 Upstream-Regress-ID: 246c37ed64a2e5704d4c158ccdca1ff700e10647
6320 Fix typo certopt->certopts in shell variable. This would
6321 cause the test to hang at a host key prompt if you have an A or CNAME for
6324 Upstream-Regress-ID: 6ea03bcd39443a83c89e2c5606392ceb9585836a
6335 Upstream-ID: 853662c4036730b966aab77684390c47b9738c69
6344 for -portable; ok dtucker@
6346 Upstream-ID: 5902bf0ea0371f39f1300698dc3b8e4105fc0fc5
6357 Upstream-ID: dfc48b417c320b97c36ff351d303c142f2186288
6365 avoid de-const warning & shrink; ok dtucker@
6367 Upstream-ID: 69a85ef94832378952a22c172009cbf52aaa11db
6375 Expand tildes in filenames passed to -i before checking
6380 Upstream-ID: db1757178a14ac519e9a3e1a2dbd21113cb3bfc6
6389 exec" in a config file. It's an unnecessary optimization from repurposed
6393 Upstream-ID: a1ead25ae336bfa15fb58d8c6b5589f85b4c33a3
6402 names for the symbols. This prevents name collisions with the system glob
6414 Upstream-Regress-ID: 0004f0ea93428969fe75bcfff0d521c553977794
6422 fix keyscan output for multiple hosts/addrs on one line
6425 Upstream-ID: 5321dabfaeceba343da3c8a8b5754c6f4a0a307b
6438 Upstream-ID: 86783c1953da426dff5b03b03ce46e699d9e5431
6447 tun-forwarding. Adapted from portable (using separate devices for this is the
6450 Upstream-ID: 90facf4c59ce73d6741db1bc926e578ef465cd39
6460 Upstream-ID: dd2f402b0a0029b755df029fc7f0679e1365ce35
6472 Upstream-ID: 21616cfea27eda65a06e772cc887530b9a1a27f8
6480 Replace a function-local allocation with stack memory.
6484 Upstream-ID: c09fbbab637053a2ab9f33ca142b4e20a4c5a17e
6490 turn off PrintLastLog when --disable-lastlog
6501 diffie-hellman-group-exchange to 2048 bits; ok markus@
6503 Upstream-ID: 06dce7a24c17b999a0f5fadfe95de1ed6a1a9b6a
6512 hostname canonicalisation - treat them as already canonical and remove the
6515 Upstream-ID: f7619652e074ac3febe8363f19622aa4853b679a
6523 0 -> NULL when comparing with a char*.
6527 Upstream-ID: a928e9c21c0a9020727d99738ff64027c1272300
6538 Upstream-ID: 78cd55420a0eef68c4095bdfddd1af84afe5f95c
6549 Upstream-ID: 0111245b1641d387977a9b38da15916820a5fd1f
6561 Date: Thu Oct 15 15:48:28 2015 -0700
6567 Date: Wed Oct 14 09:22:15 2015 -0700
6578 …date: 2015/10/13 20:55:37; author: millert; state: Exp; lines: +2 -2; commitid: X39sl5ay1czgFI…
6591 …date: 2015/01/16 16:48:51; author: deraadt; state: Exp; lines: +3 -3; commitid: 0DYulI8hhujBHM…
6602 … date: 2014/10/19 03:56:28; author: doug; state: Exp; lines: +9 -9; commitid: U6QxmtbXrGoc02S5;
6612 …date: 2014/10/18 20:43:52; author: doug; state: Exp; lines: +10 -10; commitid: I74hI1tVZtsspKE…
6627 date: 2013/04/05 12:59:54; author: kurt; state: Exp; lines: +3 -1;
6628 - Add comments regarding copies of these files also in libexec/ld.so
6638 date: 2012/09/13 15:39:05; author: deraadt; state: Exp; lines: +2 -2;
6650 date: 2011/07/24 21:03:00; author: miod; state: Exp; lines: +35 -13;
6652 is NULL, and third-party software is starting to rely upon this.
6653 Adapted from FreeBSD via Jona Joachim (jaj ; hcl-club , .lu), with minor
6665 Upstream-ID: ba4f52f54268a421a2a5f98bb375403f4cb044b8
6676 Upstream-ID: c260d9e5ec73628d9ff4b067fbb060eff5a7d298
6686 Upstream-ID: 17e654fc27ceaf523c60f4ffd9ec7ae4e7efc7f2
6694 OpenBSD only for now
6702 include PubkeyAcceptedKeyTypes in ssh -G config dump
6704 Upstream-ID: 6c097ce6ffebf6fe393fb7988b5d152a5d6b36bb
6716 Upstream-ID: bff136c38bcae89df82e044d2f42de21e1ad914f
6725 what we need; makes it possible to use tun/tap networking as non-root user
6726 if device permissions and interface flags are pre-established; based on patch
6729 Upstream-ID: 89099ac4634cd477b066865acf54cb230780fd21
6733 Date: Mon Oct 5 18:33:05 2015 -0700
6746 Upstream-Regress-ID: 5c0d818da511e33e0abf6a92a31bd7163b7ad988
6754 fix command-line option to match what was actually
6757 Upstream-Regress-ID: 3e8c24a2044e8afd37e7ce17b69002ca817ac699
6765 regress test for CertificateFile; patch from Meghana Bhat
6768 Upstream-Regress-ID: e7a6e980cbe0f8081ba2e83de40d06c17be8bd25
6776 some more bzero->explicit_bzero, from Michael McConville
6778 Upstream-ID: 17f19545685c33327db2efdc357c1c9225ff00d0
6788 Upstream-ID: 72150f2d54b94de14ebef1ea054ef974281bf834
6798 Upstream-ID: 4ca24e47895e72f5daaa02f3e3d3e5ca2d820fa3
6806 re-order system calls in order of risk, ok i'll be
6809 Upstream-ID: 42a1e6d251fd8be13c8262bee026059ae6328813
6819 Upstream-ID: 0e5a7852c28c05fc193419cc7e50e64c1c535af0
6830 Upstream-ID: 58648ec53c510b41c1f46d8fe293aadc87229ab8
6840 Upstream-ID: 424402c0d8863a11b51749bacd7f8d932083b709
6851 Upstream-ID: f7afd41810f8540f524284f1be6b970859f94fe3
6862 Upstream-Regress-ID: be2b925df89360dff36f972951fa0fa793769038
6873 Upstream-Regress-ID: 188cb7d9031cdbac3a0fa58b428b8fa2b2482bba
6881 - Fix error message: passphrase needs to be at least 5
6882 characters, not 4. - Remove unused function argument. - Remove two
6887 Upstream-ID: 13010c05bfa8b523da1c0dc19e81dd180662bc30
6896 of keys for which the user is prompted for a passphrase.
6900 Upstream-ID: dc737c620a5a8d282cc4f66e3b9b624e9abefbec
6913 Upstream-ID: 2e3337db046c3fe70c7369ee31515ac73ec00f50
6921 sync -Q in usage() to SYNOPSIS; since it's drastically
6925 Upstream-ID: 86e2c65c3989a0777a6258a77e589b9f6f354abd
6935 Upstream-ID: f29b3cfcfd9aa31fa140c393e7bd48c1c74139d6
6945 Upstream-ID: 9e85aefaecfb6aaf34c7cfd0700cd21783a35675
6957 Upstream-ID: 2ba8d303e555a84e2f2165ab4b324b41e80ab925
6965 mention -Q key-plain and -Q key-cert; bz#2455 pointed out
6968 Upstream-ID: c8f1f8169332e4fa73ac96b0043e3b84e01d4896
6974 Use ssh-keygen -A when generating host keys.
6976 Use ssh-keygen -A instead of per-keytype invocations when generating host
6977 keys. Add tests when doing host-key-force since we can't use ssh-keygen -A
6984 Correct default value for --with-ssh1.
6986 bz#2457, from konto-mindrot.org at walimnieto.com.
6997 Upstream-ID: 78ab87f069080f0cc3bc353bb04eddd9e8ad3704
7009 Upstream-ID: b6e794b0c7fc4f9f329509263c8668d35f83ea55
7020 Upstream-ID: 5b84d0401e27fe1614c10997010cc55933adb48e
7026 Force resolution of _res for correct detection.
7044 Upstream-ID: 99d098287767799ac33d2442a05b5053fa5a551a
7053 where ssh could previously silently hang for a while. bz#2433
7055 Upstream-ID: 52a1a3e0748db66518e7598352c427145692a6a0
7065 Upstream-ID: 92fb2798617ad9561370897f4ab60adef2ff4c0e
7076 Upstream-ID: a126209b5a6d9cb3117ac7ab5bc63d284538bfc2
7085 keys in test for multiple authentication with the same key
7087 Upstream-ID: 26b368fa2cff481f47f37e01b8da1ae5b57b1adc
7095 remove extra newline in nethack-mode hostkey; from
7098 Upstream-ID: 4f56368b1cc47baeea0531912186f66007fd5b92
7108 Upstream-Regress-ID: a4e64e8931e40d23874b047074444eff919cdfe6
7121 Upstream-ID: 5fc35c9fc0319cc6fca243632662d2f06b5fd840
7127 don't check for yp_match; ok tim@
7140 Upstream-ID: 8db921b3f92a4565271b1c1fbce6e7f508e1a2cb
7148 Fix printing (ssh -G ...) of HostKeyAlgorithms=+...
7151 Upstream-ID: 19ad20c41bd5971e006289b6f9af829dd46c1293
7163 Upstream-ID: 70ca1deea39d758ba36d36428ae832e28566f78d
7174 Upstream-ID: 899b021be43b913fad3eca1aef44efe710c53e29
7180 expose POLLHUP and POLLNVAL for netcat.c
7186 we don't use Github for issues/pull-requests
7192 fix URL for connect.c
7198 update version numbers for 7.1
7206 openssh-7.1
7208 Upstream-ID: ff7b1ef4b06caddfb45e08ba998128c88be3d73f
7219 Upstream-ID: 260dd6a904c1bb7e43267e394b1c9cf70bdd5ea5
7230 Upstream-ID: 5e50ded78cadf3841556649a16cc4b1cb6c58667
7239 "host_key" and "user_key" for the respective key types. ok sthen@ deraadt@
7241 Upstream-ID: 9e037ea3b15577b238604c5533e082a3947f13cb
7249 Better compat matching for WinSCP, add compat matching
7250 for FuTTY (fork of PuTTY); ok markus@ deraadt@
7252 Upstream-ID: 24001d1ac115fa3260fbdc329a4b9aeb283c5389
7260 fix double-free() in error path of DSA key generation
7263 Upstream-ID: 4735d8f888b10599a935fa1b374787089116713c
7274 Upstream-ID: 519552b050618501a06b7b023de5cb104e2c5663
7285 Upstream-ID: 14a0c4e7d891f5a8dabc4b89d4f6b7c0d5a20109
7298 Upstream-ID: 35174a19b5237ea36aa3798f042bf5933b772c67
7306 add prohibit-password as a synonym for without-password,
7307 since the without-password is causing too many questions. Harden it to ban
7311 Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
7331 Avoids use-after-free in monitor when privsep child is compromised.
7352 let principals-command.sh work for noexec /var/run
7358 work around echo -n / sed behaviour in tests
7366 adjust for RSA minimum modulus switch; ok deraadt@
7368 Upstream-Regress-ID: 5a72c83431b96224d583c573ca281cd3a3ebfdae
7376 backout SSH_RSA_MINIMUM_MODULUS_SIZE increase for this
7379 Upstream-ID: d0bd60dde9e8c3cd7030007680371894c1499822
7389 Upstream-ID: c63afdef537f57f28ae84145c5a8e29e9250221f
7397 Allow PermitRootLogin to be overridden by config
7401 Upstream-ID: 5cf3e26ed702888de84e2dc9d0054ccf4d9125b4
7412 Upstream-ID: 40ff076d2878b916fbfd8e4f45dbe5bec019e550
7420 change default: PermitRootLogin without-password matching
7423 Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6
7429 downgrade OOM adjustment logging: verbose -> debug
7443 Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
7451 fix bug in previous; was printing incorrect string for
7454 Upstream-ID: 22c0dc6bc61930513065d92e11f0753adc4c6e6e
7465 Upstream-ID: bbb8caabf5c01790bb845f5ce135565248d7c796
7476 Upstream-ID: c9eadde28ecec056c73d09ee10ba4570dfba7e84
7489 Upstream-ID: 523922e4d1ba7a091e3824e77a8a3c818ee97413
7497 Move .Pp before .Bl, not after to quiet mandoc -Tlint.
7500 Upstream-ID: 59fadbf8407cec4e6931e50c53cfa0214a848e23
7510 Upstream-ID: 7a321a170181a54f6450deabaccb6ef60cf3f0b7
7521 Upstream-ID: 85e28874726897e3f26ae50dfa2e8d2de683805d
7527 make realpath.c compile -Wsign-compare clean
7535 mention that the default of UseDNS=no implies that
7536 hostnames cannot be used for host matching in sshd_config and
7539 Upstream-ID: 0812705d5f2dfa59aab01f2764ee800b1741c4e1
7550 Upstream-ID: 2f7c94744eb0342f8ee8bf97b2351d4e00116485
7561 Upstream-ID: 744c1e7796e237ad32992d0d02148e8a18f27d29
7569 only query each keyboard-interactive device once per
7572 Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
7580 remove -u flag to diff (only used for error output) to make
7581 things easier for -portable
7583 Upstream-Regress-ID: a5d6777d2909540d87afec3039d9bb2414ade548
7591 direct-streamlocal@openssh.com Unix domain forward
7592 messages do not contain a "reserved for future use" field and in fact,
7596 Upstream-ID: 3d51a19e64f72f764682f1b08f35a8aa810a43ac
7604 describe magic for setting up Unix domain socket forwards
7607 Upstream-ID: 943080fe3864715c423bdeb7c920bb30c4eee861
7615 On some platforms the native realpath doesn't work with non-existent
7620 In addition, when compiling with -DFORTIFY_SOURCE, glibc redefines
7632 fix incorrect test for SSH1 keys when compiled without SSH1
7635 Upstream-ID: 6004d720345b8e481c405e8ad05ce2271726e451
7643 fix NULL-deref when SSH1 reenabled
7645 Upstream-ID: f22fd805288c92b3e9646782d15b48894b2d5295
7727 offer DH-GEX. This was the string that was used for development versions
7728 prior to September 2014 and they don't do RFC4419 DH-GEX, but unfortunately
7732 Upstream-ID: be34d41e18b966832fe09ca243d275b81882e1d5
7744 Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
7752 re-enable ed25519-certs if compiled w/o openssl; ok djm
7754 Upstream-ID: e10c90808b001fd2c7a93778418e9b318f5c4c49
7762 no need to include the old buffer/key API
7764 Upstream-ID: fb13c9f7c0bba2545f3eb0a0e69cb0030819f52b
7772 typedefs for Cipher&CipherContext are unused
7774 Upstream-ID: 50e6a18ee92221d23ad173a96d5b6c42207cf9a7
7784 Upstream-ID: afb532355b7fa7135a60d944ca1e644d1d63cb58
7794 Upstream-ID: 174fa7faa9b9643cba06164b5e498591356fbced
7805 Upstream-ID: 9d8826cafe96aab4ae8e2f6fd22800874b7ffef1
7813 add an XXX reminder for getting correct key paths from
7816 Upstream-ID: feae52b209d7782ad742df04a4260e9fe41741db
7827 Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba
7835 turn off 1024 bit diffie-hellman-group1-sha1 key
7839 Upstream-ID: f59b88f449210ab7acf7d9d88f20f1daee97a4fa
7847 delete support for legacy v00 certificates; "sure"
7850 Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f
7858 Compile-time disable SSH v.1 again
7860 Upstream-ID: 1d4b513a3a06232f02650b73bad25100d1b800af
7870 Upstream-ID: 2bd23976305d0512e9f84d054e1fc23cd70b89f2
7878 twiddle; (this commit marks the openssh-6.9 release)
7880 Upstream-ID: 78500582819f61dd8adee36ec5cc9b9ac9351234
7888 better refuse ForwardX11Trusted=no connections attempted
7891 Upstream-ID: bf0fddadc1b46a0334e26c080038313b4b6dea21
7899 put back default PermitRootLogin=no
7901 Upstream-ID: 7bdedd5cead99c57ed5571f3b6b7840922d5f728
7909 openssh-6.9
7911 Upstream-ID: 6cfe8e1904812531080e6ab6e752d7001b5b2d45
7919 reset default PermitRootLogin to 'yes' (momentarily, for
7922 Upstream-ID: cad8513527066e65dd7a1c16363d6903e8cefa24
7928 crank version numbers for release
7934 s/--with-ssh1/--without-ssh1/
7945 Upstream-ID: ead397a9aceb3bf74ebfa5fcaf259d72e569f351
7954 eventual stalls for datagram channels. Reported by Georg Wicherski, ok
7957 Upstream-ID: be54059d11bf64e0d85061f7257f53067842e2ab
7963 skip IPv6-related portions on hosts without IPv6
7977 Upstream-ID: d0da1117c16d4c223954995d35b0f47c8f684cd8
7985 Fix \-escaping bug that caused forward path parsing to skip
7990 Upstream-ID: 7b879dc446335677cbe4cb549495636a0535f3bd
8008 Upstream-ID: 5f7347f40f0ca6abdaca2edb3bd62f4776518933
8022 Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01
8036 Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01
8048 Upstream-ID: eb74b8e506714d0f649bd5c300f762a527af04a3
8056 Don't call setgroups if we have zero groups; there's no
8060 Upstream-ID: 2fff85e11d7a9a387ef7fddf41fbfaf566708ab1
8079 same logic to determine if pw->pw_name should be passed, as is used to
8084 Upstream-ID: 43b42302ec846b0ea68aceb40677245391b9409d
8094 sshkey_cert * and dereferencing key->cert in the caller.
8096 No functional change.
8100 Upstream-ID: 533f99b844b21b47342b32b62e198dfffcf8651c
8106 trivial optimisation for seccomp-bpf
8116 aarch64 support for seccomp-bpf sandbox
8129 Upstream-ID: e61bb93dbe0349625807b0810bc213a6822121fa
8133 Date: Tue Jun 9 22:41:13 2015 -0700
8135 Fix t12 rules for out of tree builds.
8143 For "ssh -L 12345:/tmp/sock" don't fail with "No forward host
8147 Upstream-ID: 2846b0a8c7de037e33657f95afbd282837fc213f
8157 Upstream-ID: 45e620d99f6bc301e5949d34a54027374991c88b
8166 update config.guess and friends shortly after the release. ok djm@
8171 Date: Wed Jun 3 21:43:13 2015 -0700
8177 Date: Wed Jun 3 21:41:11 2015 -0700
8196 Upstream-ID: fd44b68440fd0dc29abf9f2d3f703d74a2396cb7
8222 re-enable SSH protocol 1 at compile time
8232 Upstream-Regress-ID: bca88217b70bce2fe52b23b8e06bdeb82d98c715
8240 wrap all moduli-related code in #ifdef WITH_OPENSSL.
8243 Upstream-ID: d80cfc8be3e6ec65b3fac9e87c4466533b31b7cf
8255 Upstream-ID: a9e97567be49f25daf286721450968251ff78397
8263 Fix typo (keywork->keyword)
8265 Upstream-ID: 8aacd0f4089c0a244cf43417f4f9045dfaeab534
8275 Upstream-ID: cbcc606e0b748520c74a210d8f3cc9718d3148cf
8283 make ssh-keygen default to ed25519 keys when compiled
8286 Upstream-ID: 85a471fa6d3fa57a7b8e882d22cfbfc1d84cdc71
8295 diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1. ok djm@
8297 Upstream-ID: 552c08d47347c3ee1a9a57d88441ab50abe17058
8309 Upstream-ID: b635215746a25a829d117673d5e5a76d4baee7f4
8326 bz#2240, based on patch from Dirk-Willem van Gulik; feedback and ok dtucker@
8328 Upstream-ID: 504568992b55a8fc984375242b1bd505ced61b0d
8336 Cap DH-GEX group size at 4kbits for Cisco implementations.
8337 Some of them will choke when asked for preferred sizes >4k instead of
8340 Upstream-ID: 54b863a19713446b7431f9d06ad0532b4fcfef8d
8351 Upstream-ID: 9b19b4e2e0b54d6fefa0dfac707c51cf4bae3081
8361 Upstream-ID: bc1da0f205494944918533d8780fde65dff6c598
8369 mention ssh-keygen -E for comparing legacy MD5
8372 Upstream-ID: 079a3669549041dbf10dbc072d9563f0dc3b2859
8380 Reorder EscapeChar option parsing to avoid a single-byte
8381 out-of-bounds read. bz#2396 from Jaak Ristioja; ok dtucker@
8383 Upstream-ID: 1dc6b5b63d1c8d9a88619da0b27ade461d79b060
8391 add knob to relax GSSAPI host credential check for
8395 Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d
8401 Include signal.h for sig_atomic_t, used by kex.h.
8417 Support "ssh-keygen -lF hostname" to find search known_hosts
8418 and print key hashes. Already advertised by ssh-keygen(1), but not delivered
8421 Upstream-ID: 459e0e2bf39825e41b0811c336db2d56a1c23387
8435 regress test for AuthorizedPrincipalsCommand
8437 Upstream-Regress-ID: c658fbf1ab6b6011dc83b73402322e396f1e1219
8445 regress test for AuthorizedKeysCommand arguments
8447 Upstream-Regress-ID: bbd65c13c6b3be9a442ec115800bff9625898f12
8461 Upstream-ID: aa1bdac7b16fc6d2fa3524ef08f04c7258d247f6
8474 Upstream-ID: b080387a14aa67dddd8ece67c00f268d626541f7
8485 Upstream-ID: 54fc38f5832e9b91028900819bda46c3959a0c1a
8494 enough. openssh-portable may want the #ifdef's but not base. discussed with
8497 Upstream-ID: 0506a4334de108e3fb6c66f8d6e0f9c112866926
8506 text and do constant-time comparisons of it. Should prevent leaking any
8508 incrementing delay for each failed unlock attempt up to 10s. ok markus@
8511 Upstream-ID: c599fcc325aa1cc65496b25220b622d22208c85f
8519 - tedu@cvs.openbsd.org 2015/01/12 03:20:04
8530 - deraadt@cvs.openbsd.org 2015/01/08 00:30:07
8540 - djm@cvs.openbsd.org 2014/12/30 01:41:43
8551 only ever use it for strlen(pattern).
8553 Prompted by hanno AT hboeck.de pointing an out-of-bound read
8607 reduce stderr spam when using ssh -S /path/mux -O forward
8608 -R 0:... ok dtucker@
8627 option conditional on PermitUserEnv - always parse it, but only use the
8640 only ever use it for strlen(pattern).
8642 Prompted by hanno AT hboeck.de pointing an out-of-bound read
8654 Add a simple regression test for sshd's configuration
8655 parser. Right now, all it does is run the output of sshd -T back through
8664 use correct key for nested certificate test
8673 for commands too; bz#1459 ok dtucker@
8683 Upstream-Regress-ID: 6b708a3e709d5b7fd37890f874bafdff1f597519
8693 Upstream-Regress-ID: 9c48911643d5b05173b36a012041bed4080b8554
8703 Upstream-ID: 64eaf872a3ba52ed41e494287e80d40aaba4b515
8713 Upstream-ID: 57bcf67d666c6fc1ad798aee448fdc3f70f7ec2c
8729 Use diff w/out -u for better portability
8737 Use xcalloc for permitted_adm_opens instead of xmalloc to
8738 ensure it's zeroed. Fixes post-auth crash with permitopen=none. bz#2355, ok
8747 don't choke on new-format private keys encrypted with an
8756 Clarify pseudo-terminal request behaviour and use
8757 "pseudo-terminal" consistently. bz#1716, ok jmc@ "I like it" deraadt@.
8765 Blacklist DH-GEX for specific PuTTY versions known to
8766 send non-RFC4419 DH-GEX messages rather than all versions of PuTTY.
8767 According to Simon Tatham, 0.65 and newer versions will send RFC4419 DH-GEX
8776 WinSCP doesn't implement RFC4419 DH-GEX so flag it so we
8788 This file is only used if ssh is built with OPENSSL=no
8798 This might help with the reported problem cross compiling for Android
8806 xrealloc -> xreallocarray in portable code too.
8815 order. bz#68, ok djm@, jmc@ (for the man page bit).
8823 enviroment -> environment: apologies to darren for not
8850 Make sshd default to PermitRootLogin=no; ok deraadt@
8859 fix compilation with OPENSSL=no; ok dtucker@
8867 Include stdio.h for FILE (used in sshkey.h) so it
8868 compiles with OPENSSL=no.
8876 allow "sshd -f none" to skip reading the config file,
8877 much like "ssh -F none" does. ok dtucker
8885 combine -Dd onto one line and update usage();
8893 add ssh-agent -D to leave ssh-agent in foreground
8902 2*len -> use xreallocarray() ok djm
8919 Two small fixes for sshd -T: ListenAddress'es are added
8930 Check for and reject missing arguments for
8940 unknown certificate extensions are non-fatal, so don't
8961 s/recommended/required/ that private keys be og-r this
8981 stderr and a few non-errors that were going to stderr instead of stdout
9008 Add some missing options to sshd -T and fix the output
9018 Document "none" for PidFile XAuthLocation
9043 Format UsePAM setting when using sshd -T.
9057 Look for '${host}-ar' before 'ar'.
9059 This changes configure.ac to look for '${host}-ar' as set by
9060 AC_CANONICAL_HOST before looking for the unprefixed 'ar'.
9061 Useful when cross-compiling when all your binutils are prefixed.
9090 deprecate ancient, pre-RFC4419 and undocumented
9101 (hostkeys-00@openssh.com) to current versions of Tera Term as they can't
9111 include port number if a non-default one has been
9129 Do not use int for sig_atomic_t; spotted by
9136 Use do{}while(0) for no-op functions.
9179 use ${SSH} for -Q instead of installed ssh
9195 downgrade error() for known_hosts parse errors to debug()
9208 fd leak for !ssh1 case; found by unittests; ok markus@
9225 Comments are only supported for RSA1 keys. If a user
9237 ssh-askpass(1) is the default, overridden by SSH_ASKPASS;
9246 fix uninitialised memory read when parsing a config file
9274 ban all-zero curve25519 keys as recommended by latest
9284 diffie-hellman-group1-sha1 key exchange to complete for chacha20-poly1305 was
9293 ignore v1 errors on ssh-add -D; only try v2 keys on
9294 -l/-L (unless WITH_SSH1) ok djm@
9319 consistent check for NULL as noted by Nicholas
9328 correct fmt-string for size_t as noted by Nicholas
9337 promote chacha20-poly1305@openssh.com to be the default
9346 Compile-time disable SSH protocol 1. You can turn it
9356 fix double-negative error message "ssh1 is not
9365 for ssh-keygen -A, don't try (and fail) to generate ssh
9384 #if 0 some more arrays used only for decrypting (we don't
9385 use since we only need encrypt for AES-CTR)