destination. This allows, eg, keeping host keys in individual files
using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k".
bz#1654, ok djm@, jmc@ (man page bits)
|
allowing the file to be automagically split up in the configuration
(eg bz#1654). ok djm@, man page parts jmc@
|
don't leave an empty .ssh directory when it's not needed. Use the same
function to replace the code in ssh-keygen that does the same thing.
bz#3156, ok djm@
|
(very quickly replaced by OpenSSL) not SSL in general. ok deraadt,
historical context markus@
|
variables on the client side. The supported keywords are
CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus
LocalForward and RemoteForward when used for Unix domain socket
paths. This would for example allow forwarding of Unix domain
socket paths that change at runtime. bz#3140, ok djm@
|
for Unix domain socket forwarding. Factor out the code for the config
keywords that use the most common subset of TOKENS into its own function.
bz#3014, ok jmc@ (man page bits) djm@
|
earlier had an off-by-one. Fix this and add some debugging that would
have made it apparent sooner.
|
connection when ExitOnForwardFailure is enabled; bz3116; ok dtucker
|
- %C is moved into its own function and added to Match Exec.
- move the common (global) options into a macro. This is ugly but it's
the least-ugly way I could come up with.
- move IdentityAgent and ForwardAgent percent expansion to before the
config dump to make it regression-testable.
- document all of the above
ok jmc@ for man page bits, "makes things less terrible" djm@ for the rest.
|
bz#3057, ok djm@
|
ssh_config(5) and sshd_config(5) algorithm keywords as an alias for the
corresponding query. Man page help jmc@, ok djm@.
|
This replaces "security key" in error/usage/verbose messages and
distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
"work for me" matthieu@
|
are in use. When updating host keys, ssh will now search subsequent
known_hosts files, but will add new/changed host keys to the first
specified file only. bz#2738
ok markus@
|
Extract the key label or X.509 subject string when PKCS#11 keys
are retrieved from the token and plumb this through to places where
it may be used as a comment.
based on https://github.com/openssh/openssh-portable/pull/138
by Danielle Church
feedback and ok markus@
|
building without zlib compression and associated options. With feedback
from markus@, ok djm@
|
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.
|
Issue noticed and reported by Pierre-Olivier Martel <pom@apple.com>
ok dtucker@ markus@ djm@
|
$SSH_AUTH_SOCK, by extending the existing ForwardAgent option to
accepting an explicit path or the name of an environment variable
in addition to yes/no.
Patch by Eric Chiang, manpage by me; ok markus@
|
From Zachary Harmany via github.com/openssh/openssh-portable/pull/118
ok dtucker@
|
the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
|
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
|
-J options on the commandline. bz3015 ok dtucker@
|
ok dtucker
|
Prepares for changes in the way malloc is initialized. ok guenther@ dtucker@
|
Markus Schmidt via openssh-unix-dev, ok markus@
|
with & ok markus@
|
with & ok markus@
|
almost exactly six years ago.
This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.
with & ok markus@
|
out the banner exchange. This eliminates some common code from the
client and server.
Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@
|
Matches in same pass as "Match canonical" but doesn't require
hostname canonicalisation be enabled. bz#2906 ok markus
|
we're old, but we don't have to act it
|
names as well as explicit paths. ok dtucker@
|
ProxyCommand set with regards to hostname canonicalisation (i.e.
don't try to canonicalise the hostname unless CanonicalizeHostname
is set to 'always').
Patch from Sven Wegener via bz#2896
|
erroneously showing certificate algorithms); prompted by markus@
|
ok markus@
|
original_effective_uid globals and replace with calls to plain getuid().
ok djm@
|
instead of calling getpwuid() again and discarding the argument.
This prevents a client crash where tilde_expand_filename calls getpwuid()
again before the pwent pointer is used.
Issue noticed and reported by Pierre-Olivier Martel <pom@apple.com>
ok djm@ deraadt@
|
setuid has been removed, remove supporting code and clean up
references to it in the man pages
We have not shipped ssh(1) the setuid bit since 2002. If anyone
really needs to make connections from a low port number this can
be implemented via a small setuid ProxyCommand.
ok markus@ jmc@ djm@
|
Do not link uidswap.c into ssh any more. Neuters UsePrivilegedPort,
which will be marked as deprecated shortly. ok markus@ djm@
|
now gone and the slot is unused so remove it. Remove two now-unused
macros, and add an array bounds check to the two remaining ones
(array is statically sized, so mostly a safety check on future changes).
ok markus@
|
ssh(1) and always use ssh-keysign. This removes one of the few remaining
reasons why ssh(1) might be setuid. ok markus@
|
keys, fixing some spurious error messages; ok markus
|