Age | Commit message | Author |
|
|
|
Original diff by and OK naddy@
|
|
may modify the string buffer. From Joerg Sonnenberger for DragonFly BSD.
ok millert@
|
|
may modify the string buffer. ok millert@
|
|
sshconnect.c r1.241 from 2013 made it unused; found while reading code.
OK djm
|
|
Stop UpdateHostkeys from automatically removing deprecated keys from
known_hosts files if the same keys exist under a different name or
address to the host that is being connected to.
This avoids UpdateHostkeys from making known_hosts inconsistent in
some cases. For example, multiple host aliases sharing address-based
known_hosts on different lines, or hosts that resolve to multiple
addresses.
ok markus@
|
|
When preparing to update the known_hosts file, fully check both
entries for both the host and the address (if CheckHostIP enabled)
and ensure that, at the end of the operation, entries for both are
recorded.
Make sure this works with HashKnownHosts too, which requires maintaining
a list of entry-types seen across the whole file for each key.
ok markus@
|
|
Disable UpdateHostkeys if the known_hosts line has more than two
entries in the pattern-list. ssh(1) only writes "host" or "host,ip"
lines so anything else was added by a different tool or by a human.
ok markus@
|
|
OK jmc@ nicm@, agreement from schwarze@
|
|
|
|
doas(1) unconditionally logs all executions but syslog.conf(5) provides no
means to filter messages by user, target or command.
Add the "nolog" option to doas.conf(5) such that syslog becomes an opt-out
feature; this keeps configuration simple enough yet powerful since rule
definition is the best place to decide whether to log commands or not on a
per rule basis - this also avoids duplicating information or logic in any
other log processing tool.
OK tedu martijn
|
|
In case "cmd" (and "args") in doas.conf(5) mismatch, the log syslog(3)
message might be read as if the command was executed but failed, i.e.
returned non-zero.
Be unambiguous and help admins spot execution *attempts* as such:
-Oct 9 01:05:20 eru doas: failed command for kn: echo bar
+Oct 9 01:05:20 eru doas: command not permitted for kn: echo bar
OK tedu deraadt
|
|
ok inoguchi@ tb@ deraadt@
|
|
spotted by naddy@
|
|
|
|
|
|
If host key checking fails (i.e. a wrong host key is recorded for the
server) and the user elects to continue (via StrictHostKeyChecking=no),
then disable UpdateHostkeys for the session.
reminded by Mark D. Baushke; ok markus@
|
|
When all of UpdateHostkeys, HashKnownHosts and CheckHostIP
were enabled and new host keys were learned, known_hosts IP
entries were not being recorded for new host keys.
reported by matthieu@ ok markus@
|
|
GlobalKnownHostsFile file, support only UserKnownHostsFile matches
suggested by Mark D. Baushke; feedback and ok markus@
|
|
(commitid VtF8vozGOF8DMKVg). We now do this a simpler way that
needs less plumbing.
ok markus@
|
|
authenticated the host; simpler than the complicated plumbing via
kex->flags we have now.
ok markus@
|
|
suggested by Mark D. Baushke
|
|
|
|
instead of modifying the format tree.
Use this to disable nested job expansion so that the result of #() is
not expanded again. Reported by Chas J Owens IV, GitHub issue 2390.
|
|
|
|
|
|
"Mike" in GitHub issue 2392.
|
|
|
|
key subtype; ok markus@
|
|
platforms instead of being limited by LONG_MAX. bz#3206, found by
booking00 at sina.cn, ok markus@
|
|
and/or stderr to /dev/null. Factor all these out to a single
stdfd_devnull() function that allows selection of which of these
to redirect. ok markus@
|
|
overridden UserKnownHostsFile;
ok markus@ "The timing is perfect" deraadt@
|
|
encountered or when a certificate host key is in use.
feedback/ok markus@
|
|
key to a plain key. This occurs when the user connects to a host with
a certificate host key but no corresponding CA key configured in
known_hosts; feedback and ok markus@
|
|
|
|
|
|
issue, which cannot be fully fixed and really requires completely
replacing scp with a completely different subsystem.
team effort to find the right words..
|
|
On OpenBSD it's necessary to use the eopenssl11 s_server with either -4
or -6 to choose an address family. I often want to try something with an
OpenSSL server and then test the same thing with LibreSSL or vice versa.
Adding and removing -4s on top of editing the command is annoying and
distracting.
This commit teaches our s_server to ignore -4 and -6 and thus makes
commands that work with eopenssl11 more likely to work with openssl(1).
These options are deliberately undocumented and don't show up in help
listings.
ok bcook inoguchi jsing
|
|
|
|
ok schwarze@
|
|
|
|
requires (int) for a '*' modifier
ok millert
|
|
|
|
|
|
converted to M-Up. Do not give them the implied meta flag so they don't
match the M-Up entry in the output key tree. Fixes problem with vi
reported by jsing@.
|
|
|
|
length may include trailing spaces.
|
|
|
|
64-bit client flags.
|
|
|