path: root/usr.bin/ssh
Age | Commit message | Author
2014-03-12 | scan for Ed25519 keys by default too | Christian Weisgerber
2014-03-12 | correct test that kdf name is not "none" or "bcrypt" | Damien Miller
2014-03-12 | don't count on things that accept arguments by reference to clear things for us on error; most things do, but it's unsafe form. | Damien Miller
2014-03-12 | scan for Ed25519 keys by default too | Damien Miller
2014-03-03 | ignore environment variables with embedded '=' or '\0' characters; spotted by Jann Horn; ok deraadt@ | Damien Miller
2014-02-28 | Absolutely do not override base system build features in this file!! Discovered by miod. | Theo de Raadt
2014-02-27 | openssh-6.6 | Damien Miller
2014-02-27 | bz#2184 clarify behaviour of a keyword that appears in multiple matching Match blocks; ok dtucker@ | Damien Miller
2014-02-27 | off by one in range check | Damien Miller
2014-02-27 | fix unsigned overflow that could lead to reading a short ssh protocol 1 bignum value; found by Ben Hawkes; ok deraadt@ | Damien Miller
2014-02-26 | ssh_gssapi_prepare_supported_oids needs GSSAPI | Markus Friedl
2014-02-26 | don't assume that the socks4 username is \0 terminated; spotted by Ben Hawkes; ok markus@ | Damien Miller
2014-02-26 | bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep sandboxing, as running this code in the sandbox can cause violations; ok markus@ | Damien Miller
2014-02-26 | bz#2205: avoid early hostname lookups unless canonicalisation is enabled; ok dtucker@ markus@ | Damien Miller
2014-02-23 | reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes the hostname. This allows users to write configurations that always refer to canonical hostnames, e.g. CanonicalizeHostname yes CanonicalDomains int.example.org example.org CanonicalizeFallbackLocal no Host *.int.example.org Compression off Host *.example.org User djm ok markus@ | Damien Miller
2014-02-23 | check for unsigned overflow; not reachable in OpenSSH but others might copy our code... | Damien Miller
2014-02-22 | when processing Match blocks, skip 'exec' clauses if previous predicates failed to match; ok markus@ | Damien Miller
2014-02-15 | avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W; bz#2200, debian#738692 via Colin Watson; ok dtucker@ | Damien Miller
2014-02-07 | -Wold-style-declaration is not supported by gcc 3. | Miod Vallat
2014-02-07 | remove some logging that makes ssh debugging output very verbose; ok markus | Damien Miller
2014-02-06 | in ssh_create_socket(), only do the getaddrinfo for BindAddress when BindAddress is actually specified. Fixes regression in 6.5 for UsePrivilegedPort=yes; patch from Corinna Vinschen | Damien Miller
2014-02-05 | tweak synopsis: calling ssh-keygen without any arguments is fine; ok jmc@ while here, fix ordering in usage(); requested by jmc@ | Christian Weisgerber
2014-02-04 | delay lowercasing of hostname until right before hostname canonicalisation to unbreak case-sensitive matching of ssh_config; reported by Ike Devolder; ok markus@ | Damien Miller
2014-02-03 | fix memory leak; ECDSA_SIG_new() allocates 'r' and 's' for us, unlike DSA_SIG_new. Reported by Batz Spear; ok markus@ | Damien Miller
2014-02-02 | convert memset of potentially-private data to explicit_bzero() | Damien Miller
2014-01-31 | replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker | Ted Unangst
2014-01-30 | allow shutdown(2) syscall in sandbox - it may be called by packet_close() from portable | Damien Miller
2014-01-29 | document kbdinteractiveauthentication; requested From: Ross L Richardson dtucker/markus helped explain its workings; | Jason McIntyre
2014-01-29 | remove experimental, never-enabled JPAKE code; ok markus@ | Damien Miller
2014-01-29 | In the experimental, never-enabled JPAKE code: clear returned digest and length in hash_buffer() for error cases; could lead to memory corruption later if EVP_Digest* fails. Pointed out by Mark Dowd | Damien Miller
2014-01-29 | use kill(0, ...) instead of killpg(0, ...); on most operating systems they are equivalent, but SUSv2 describes the latter as having undefined behaviour; from portable; ok dtucker | Damien Miller
2014-01-28 | rename digest.c to digest-openssl.c and add libc variant; ok djm@ | Markus Friedl
2014-01-28 | kill some bad Pa; From: Jan Stary | Jason McIntyre
2014-01-27 | replace openssl MD5 with our ssh_digest_*; ok djm@ | Markus Friedl
2014-01-27 | replace openssl HMAC with an implementation based on our ssh_digest_* ok and feedback djm@ | Markus Friedl
2014-01-25 | dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) ok dtucker@, noted by mancha | Markus Friedl
2014-01-25 | Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@ | Darren Tucker
2014-01-20 | memleak; found by Loganaden Velvindron @ AfriNIC; ok markus@ | Damien Miller
2014-01-19 | Cast the sizeof to socklen_t so it'll work even if the supplied len is negative. Suggested by and ok djm, ok deraadt. | Darren Tucker
2014-01-19 | fix inverted meaning of 'no' and 'yes' for CanonicalizeFallbackLocal | Damien Miller
2014-01-19 | Cast socklen_t when comparing to size_t and use socklen_t to iterate over the ip options, both to prevent signed/unsigned comparison warnings. Patch from vinschen at redhat via portable openssh, begrudging ok deraadt. | Darren Tucker
2014-01-18 | explicitly define USE_PIPES to 1 to prevent redefinition warnings in portable on platforms that use pipes for everything. | Darren Tucker
2014-01-18 | Remove -Wbounded: it is now the compiler default. | Martynas Venckus
2014-01-17 | fix log message statvfs. ok djm | Darren Tucker
2014-01-17 | remove unused includes. ok djm@ | Darren Tucker
2014-01-17 | signed/unsigned comparison warning fix; from portable | Damien Miller
2014-01-16 | openssh-6.5 | Damien Miller
2014-01-16 | needless and incorrect cast to size_t can break resumption of large download; patch from tobias@ | Damien Miller
2014-01-12 | avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@ | Damien Miller
2014-01-10 | the /etc/ssh/ssh_host_ed25519_key is loaded by default too | Damien Miller