OpenBSD CVS

CVS log for src/usr.bin/ssh/servconf.c



Default branch: MAIN


Revision 1.407, Fri May 17 01:17:40 2024 UTC (2 hours, 56 minutes ago) by djm
Branch: MAIN
CVS Tags: HEAD
Changes since 1.406: +5 -5 lines

fix incorrect debug option name introduced in previous commit

Revision 1.406, Fri May 17 00:30:24 2024 UTC (3 hours, 43 minutes ago) by djm
Branch: MAIN
Changes since 1.405: +11 -96 lines

Start the process of splitting sshd into separate binaries. This step
splits sshd into a listener and a session binary. More splits are
planned.

After this change, the listener binary will validate the configuration,
load the hostkeys, listen on port 22 and manage MaxStartups only. All
session handling will be performed by a new sshd-session binary that the
listener fork+execs.

This reduces the listener process to the minimum necessary and sets us
up for future work on the sshd-session binary.

feedback/ok markus@ deraadt@

NB. if you're updating via source, please restart sshd after installing,
otherwise you run the risk of locking yourself out.

Revision 1.405, Mon Mar 4 02:16:11 2024 UTC (2 months, 1 week ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5
Changes since 1.404: +110 -56 lines

Separate parsing of string array options from applying them to the
active configuration. This fixes the config parser from erroneously
rejecting cases like:

AuthenticationMethods password
Match User ivy
  AuthenticationMethods any

bz3657 ok markus@

Revision 1.404, Tue Feb 20 04:10:03 2024 UTC (2 months, 3 weeks ago) by djm
Branch: MAIN
Changes since 1.403: +2 -2 lines

don't append a gratuitous space to the end of subsystem arguments;
bz3667

Revision 1.403, Wed Oct 11 22:42:26 2023 UTC (7 months ago) by djm
Branch: MAIN
Changes since 1.402: +4 -36 lines

add ChannelTimeout support to the client, mirroring the same option
in the server. ok markus@

Revision 1.402, Fri Sep 8 06:34:24 2023 UTC (8 months, 1 week ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.401: +7 -7 lines

fix sizeof(*ptr) instead of sizeof(ptr) in realloc (pointer here is
char**, so harmless); spotted in CID 416964

Revision 1.401, Wed Sep 6 23:35:35 2023 UTC (8 months, 1 week ago) by djm
Branch: MAIN
Changes since 1.400: +46 -2 lines

allow override of Subsystem directives in sshd Match blocks

Revision 1.400, Wed Sep 6 23:26:37 2023 UTC (8 months, 1 week ago) by djm
Branch: MAIN
Changes since 1.399: +13 -5 lines

allocate the subsystems array as necessary and remove the fixed limit of
subsystems. Saves a few kb of memory in the server and makes it more like
the other options.

Revision 1.399, Wed Sep 6 23:23:53 2023 UTC (8 months, 1 week ago) by djm
Branch: MAIN
Changes since 1.398: +11 -13 lines

preserve quoting of Subsystem commands and arguments. This may change
behaviour of exotic configurations, but the most common subsystem
configuration (sftp-server) is unlikely to be affected.

Revision 1.398, Wed Sep 6 23:21:36 2023 UTC (8 months, 1 week ago) by djm
Branch: MAIN
Changes since 1.397: +15 -6 lines

downgrade duplicate Subsystem directives from being a fatal error
to being a debug message to match behaviour with just about all other
directives.

Revision 1.397, Tue Aug 29 02:50:10 2023 UTC (8 months, 2 weeks ago) by djm
Branch: MAIN
Changes since 1.396: +2 -2 lines

make PerSourceMaxStartups first-match-wins; ok dtucker@

Revision 1.396, Mon Jul 17 05:26:38 2023 UTC (10 months ago) by djm
Branch: MAIN
Changes since 1.395: +1 -2 lines

move other RCSIDs to before their respective license blocks too
no code change

Revision 1.395, Wed Jun 21 05:10:26 2023 UTC (10 months, 3 weeks ago) by djm
Branch: MAIN
Changes since 1.394: +8 -2 lines

better validate CASignatureAlgorithms in ssh_config and sshd_config.

Previously this directive would accept certificate algorithm names, but
these were unusable in practice as OpenSSH does not support CA chains.

part of bz3577; ok dtucker@

Revision 1.394, Mon Jun 5 13:24:36 2023 UTC (11 months, 1 week ago) by millert
Branch: MAIN
Changes since 1.393: +5 -4 lines

Store timeouts as int, not u_int as they are limited to INT_MAX.
Fixes sign compare warnings on systems with 32-bit time_t due to type
promotion.  OK djm@

Revision 1.393, Wed May 24 23:01:06 2023 UTC (11 months, 3 weeks ago) by djm
Branch: MAIN
Changes since 1.392: +2 -2 lines

fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand appears
previously in configuration. Reported by John Meyers in bz3574
ok dtucker@

Revision 1.392, Sun Mar 5 05:34:09 2023 UTC (14 months, 1 week ago) by dtucker
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.391: +1 -2 lines

Remove unused compat.h includes.  We've previously removed a lot
of the really old compatibility code, and with it went the need to
include compat.h in most of the files that have it.

Revision 1.391, Fri Mar 3 04:34:49 2023 UTC (14 months, 2 weeks ago) by djm
Branch: MAIN
Changes since 1.390: +11 -3 lines

actually print "channeltimeout none" in config dump mode;
spotted via Coverity CID 405022

Revision 1.390, Tue Jan 17 09:44:48 2023 UTC (15 months, 4 weeks ago) by djm
Branch: MAIN
Changes since 1.389: +23 -2 lines

Add a sshd_config UnusedConnectionTimeout option to terminate
client connections that have no open channels for some length
of time. This complements the recently-added ChannelTimeout
option that terminates inactive channels after a timeout.

ok markus@

Revision 1.389, Fri Jan 6 02:47:18 2023 UTC (16 months, 1 week ago) by djm
Branch: MAIN
Changes since 1.388: +100 -10 lines

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker

Revision 1.388, Mon Nov 7 10:05:39 2022 UTC (18 months, 1 week ago) by dtucker
Branch: MAIN
Changes since 1.387: +2 -3 lines

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable.  ok djm@

Revision 1.387, Mon Nov 7 10:02:59 2022 UTC (18 months, 1 week ago) by dtucker
Branch: MAIN
Changes since 1.386: +5 -1 lines

Check for and disallow MaxStartups values less than or equal to zero
during config parsing, rather than failing later at runtime.  bz#3489,
ok djm@

Revision 1.386, Sat Sep 17 10:34:29 2022 UTC (19 months, 4 weeks ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.385: +12 -1 lines

Add RequiredRSASize for sshd(8); RSA keys that fall beneath this limit
will be ignored for user and host-based authentication.

Feedback deraadt@ ok markus@

Revision 1.385, Fri Jun 3 04:30:47 2022 UTC (23 months, 2 weeks ago) by djm
Branch: MAIN
Changes since 1.384: +7 -1 lines

Make SetEnv directives first-match-wins in both sshd_config and
sshd_config; previously if the same name was reused then the last
would win (which is the opposite to how the config is supposed to
work).

While there, make the ssh_config parsing more like sshd_config.

bz3438, ok dtucker

Revision 1.384, Fri Mar 18 04:04:11 2022 UTC (2 years, 2 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.383: +5 -4 lines

don't try to resolve ListenAddress directives in the sshd re-exec
path - we're never going to use the result and if the operation fails
then it can prevent connections from being accepted. Reported by
Aaron Poffenberger; with / ok dtucker@

Revision 1.383, Tue Feb 8 08:59:12 2022 UTC (2 years, 3 months ago) by dtucker
Branch: MAIN
Changes since 1.382: +9 -12 lines

Switch hpdelim interface to accept only ":" as delimiter.

Historically, hpdelim accepted ":" or "/" as a port delimiter between
hosts (or addresses) and ports.  These days most of the uses for "/"
are no longer accepted, so there are several places where it checks the
delimiter to disallow it.  Make hpdelim accept only ":" and use hpdelim2
in the other cases.  ok djm@

Revision 1.382, Mon Sep 6 00:36:01 2021 UTC (2 years, 8 months ago) by millert
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.381: +3 -4 lines

revision 1.381 neglected to remove sChallengeResponseAuthentication
from the enum.  Noticed by christos@zoulas.com.  OK dtucker@

Revision 1.381, Fri Jul 2 05:11:21 2021 UTC (2 years, 10 months ago) by dtucker
Branch: MAIN
Changes since 1.380: +4 -13 lines

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication.  The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent.  We retain the old name as deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match.  Man page help & ok jmc@, with & ok djm@

Revision 1.380, Tue Jun 8 07:09:42 2021 UTC (2 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.379: +332 -284 lines

switch sshd_config parsing to argv_split()

similar to the previous commit, this switches sshd_config parsing to
the newer tokeniser. Config parsing will be a little stricter wrt
quote correctness and directives appearing without arguments.

feedback and ok markus@

tested in snaps for the last five or so days - thanks Theo and those who
caught bugs

Revision 1.379, Sat Apr 3 06:18:40 2021 UTC (3 years, 1 month ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.378: +7 -7 lines

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185

Revision 1.378, Fri Mar 12 04:08:19 2021 UTC (3 years, 2 months ago) by dtucker
Branch: MAIN
Changes since 1.377: +10 -2 lines

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX.  This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@

Revision 1.377, Wed Feb 24 01:18:08 2021 UTC (3 years, 2 months ago) by dtucker
Branch: MAIN
Changes since 1.376: +3 -3 lines

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names.  Spotted by Phil Pennock.

Revision 1.376, Mon Feb 15 20:36:35 2021 UTC (3 years, 3 months ago) by markus
Branch: MAIN
Changes since 1.375: +15 -41 lines

factor out opt_array_append; ok djm@

Revision 1.375, Tue Jan 26 05:32:21 2021 UTC (3 years, 3 months ago) by dtucker
Branch: MAIN
Changes since 1.374: +9 -8 lines

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms.  The previous
names are retained as aliases.  ok djm@

Revision 1.374, Fri Jan 22 02:44:58 2021 UTC (3 years, 3 months ago) by dtucker
Branch: MAIN
Changes since 1.373: +13 -12 lines

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted.  Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading.  The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@

Revision 1.373, Mon Jan 11 04:48:22 2021 UTC (3 years, 4 months ago) by dtucker
Branch: MAIN
Changes since 1.372: +2 -2 lines

Correct spelling of persourcenetblocksize in config-dump mode.

Revision 1.372, Sat Jan 9 12:10:02 2021 UTC (3 years, 4 months ago) by dtucker
Branch: MAIN
Changes since 1.371: +59 -2 lines

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits.  Man page help jmc@, feedback &
ok djm@

Revision 1.371, Sun Oct 18 11:32:02 2020 UTC (3 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.370: +16 -18 lines

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

Revision 1.370, Fri Oct 16 13:26:13 2020 UTC (3 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.369: +17 -2 lines

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@

Revision 1.369, Fri Aug 28 03:15:52 2020 UTC (3 years, 8 months ago) by dtucker
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.368: +8 -1 lines

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode.  This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@

Revision 1.368, Thu Aug 27 01:07:09 2020 UTC (3 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.367: +5 -1 lines

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@

Revision 1.367, Sun Jul 5 23:59:45 2020 UTC (3 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.366: +11 -11 lines

some language improvements; ok markus

Revision 1.366, Wed Jun 24 15:09:53 2020 UTC (3 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.365: +7 -1 lines

support loading big sshd_config files w/o realloc; ok djm

Revision 1.365, Wed May 27 22:37:53 2020 UTC (3 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.364: +21 -10 lines

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen

Revision 1.364, Wed May 27 21:59:11 2020 UTC (3 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.363: +5 -5 lines

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen

Revision 1.363, Fri Apr 17 03:30:05 2020 UTC (4 years, 1 month ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.362: +13 -4 lines

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@

Revision 1.362, Fri Apr 17 03:23:13 2020 UTC (4 years, 1 month ago) by djm
Branch: MAIN
Changes since 1.361: +3 -2 lines

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@

Revision 1.361, Fri Mar 6 18:29:54 2020 UTC (4 years, 2 months ago) by markus
Branch: MAIN
Changes since 1.360: +2 -2 lines

fix relative includes in sshd_config; ok djm

Revision 1.360, Fri Jan 31 22:42:45 2020 UTC (4 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.359: +144 -19 lines

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@

Revision 1.359, Thu Jan 23 10:24:29 2020 UTC (4 years, 3 months ago) by dtucker
Branch: MAIN
Changes since 1.358: +8 -1 lines

Make zlib optional.  This adds a "ZLIB" build time option that allows
building without zlib compression and associated options.  With feedback
from markus@, ok djm@

Revision 1.358, Thu Jan 23 02:46:49 2020 UTC (4 years, 3 months ago) by dtucker
Branch: MAIN
Changes since 1.357: +27 -20 lines

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any).  ok djm@

Revision 1.357, Sun Dec 15 20:59:23 2019 UTC (4 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.356: +2 -1 lines

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test

Revision 1.356, Sun Dec 15 20:57:15 2019 UTC (4 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.355: +13 -2 lines

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test

Revision 1.355, Sun Dec 15 18:57:30 2019 UTC (4 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.354: +14 -4 lines

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@

Revision 1.354, Mon Nov 25 00:52:46 2019 UTC (4 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.353: +31 -2 lines

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@

Revision 1.353, Thu Oct 31 21:17:49 2019 UTC (4 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.352: +3 -3 lines

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@

Revision 1.352, Fri Sep 6 14:45:34 2019 UTC (4 years, 8 months ago) by naddy
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.351: +9 -5 lines

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@

Revision 1.351, Thu Apr 18 18:56:16 2019 UTC (5 years ago) by dtucker
Branch: MAIN
Changes since 1.350: +10 -8 lines

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C.  bz#2858, ok djm@

Revision 1.350, Mon Mar 25 22:33:44 2019 UTC (5 years, 1 month ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.349: +1 -2 lines

whitespace

Revision 1.349, Wed Mar 6 22:14:23 2019 UTC (5 years, 2 months ago) by dtucker
Branch: MAIN
Changes since 1.348: +2 -2 lines

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive.  ok djm@

Revision 1.348, Thu Jan 24 02:34:52 2019 UTC (5 years, 3 months ago) by dtucker
Branch: MAIN
Changes since 1.347: +5 -5 lines

Always initialize 2nd arg to hpdelim2.  It populates that *ONLY IF*
there's a delimiter.  If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/".  ok deraadt.

Revision 1.347, Wed Jan 23 21:50:56 2019 UTC (5 years, 3 months ago) by dtucker
Branch: MAIN
Changes since 1.346: +12 -8 lines

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users.  These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things.  Remove the slash
notation from ListenAddress and PermitOpen.  bz#2335, patch from jjelen
at redhat.com, ok markus@

Revision 1.346, Sat Jan 19 21:37:48 2019 UTC (5 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.345: +3 -7 lines

convert servconf.c to new packet API

with & ok markus@

Revision 1.345, Sat Jan 19 21:31:32 2019 UTC (5 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.344: +4 -1 lines

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@

Revision 1.344, Mon Nov 19 04:12:32 2018 UTC (5 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.343: +28 -12 lines

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@

Revision 1.343, Fri Nov 16 03:26:01 2018 UTC (5 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.342: +2 -2 lines

use path_absolute() for pathname checks; from Manoj Ampalam

Revision 1.342, Thu Sep 20 23:40:16 2018 UTC (5 years, 7 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.341: +2 -1 lines

actually make CASignatureAlgorithms available as a config option

Revision 1.341, Thu Sep 20 03:28:06 2018 UTC (5 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.340: +13 -3 lines

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@

Revision 1.340, Sun Aug 12 20:19:13 2018 UTC (5 years, 9 months ago) by djm
Branch: MAIN
Changes since 1.339: +14 -14 lines

better diagnostics on alg list assembly errors; ok deraadt@ markus@

Revision 1.339, Wed Jul 11 18:53:29 2018 UTC (5 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.338: +2 -2 lines

remove legacy key emulation layer; ok djm@

Revision 1.338, Mon Jul 9 21:29:36 2018 UTC (5 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.337: +16 -14 lines

sshd: switch config to sshbuf API; ok djm@

Revision 1.337, Mon Jul 9 13:37:10 2018 UTC (5 years, 10 months ago) by sf
Branch: MAIN
Changes since 1.336: +4 -4 lines

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14;  author: sf;  commitid: yZVYKIRtUZWD9CmE;
  Rename COMP_DELAYED to COMP_ZLIB

  Only delayed compression is supported nowadays.

  ok markus@

date: 2018/07/06 09:05:01;  author: sf;  commitid: rEGuT5UgI9f6kddP;
  Remove leftovers from pre-authentication compression

  Support for this has been removed in 2016.
  COMP_DELAYED will be renamed in a later commit.

  ok markus@

Revision 1.336, Fri Jul 6 09:06:14 2018 UTC (5 years, 10 months ago) by sf
Branch: MAIN
Changes since 1.335: +4 -4 lines

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

Revision 1.335, Wed Jul 4 13:49:31 2018 UTC (5 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.334: +23 -9 lines

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@

Revision 1.334, Tue Jul 3 10:59:35 2018 UTC (5 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.333: +36 -4 lines

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@

Revision 1.333, Tue Jun 19 02:59:41 2018 UTC (5 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.332: +17 -9 lines

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@

Revision 1.332, Sat Jun 9 03:03:10 2018 UTC (5 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.331: +18 -2 lines

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@

Revision 1.331, Wed Jun 6 18:29:18 2018 UTC (5 years, 11 months ago) by markus
Branch: MAIN
Changes since 1.330: +5 -5 lines

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@

Revision 1.330, Wed Jun 6 18:23:32 2018 UTC (5 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.329: +16 -16 lines

permitlisten option for authorized_keys; ok markus@

Revision 1.329, Wed Jun 6 18:22:41 2018 UTC (5 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.328: +90 -48 lines

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@

Revision 1.328 / (download) - annotate - [select for diffs], Tue Apr 10 00:10:49 2018 UTC (6 years, 1 month ago) by djm
Branch: MAIN
Changes since 1.327: +3 -3 lines
Diff to previous 1.327 (colored)

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)

Revision 1.327 / (download) - annotate - [select for diffs], Wed Apr 4 15:12:17 2018 UTC (6 years, 1 month ago) by job
Branch: MAIN
Changes since 1.326: +3 -3 lines
Diff to previous 1.326 (colored)

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@

Revision 1.326 / (download) - annotate - [select for diffs], Thu Mar 1 20:32:16 2018 UTC (6 years, 2 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.325: +3 -1 lines
Diff to previous 1.325 (colored)

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@

Revision 1.325 / (download) - annotate - [select for diffs], Fri Feb 23 15:58:37 2018 UTC (6 years, 2 months ago) by markus
Branch: MAIN
Changes since 1.324: +3 -1 lines
Diff to previous 1.324 (colored)

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@

Revision 1.324 / (download) - annotate - [select for diffs], Fri Feb 16 02:32:40 2018 UTC (6 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.323: +1 -3 lines
Diff to previous 1.323 (colored)

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@

Revision 1.323 / (download) - annotate - [select for diffs], Fri Feb 9 02:37:36 2018 UTC (6 years, 3 months ago) by dtucker
Branch: MAIN
Changes since 1.322: +2 -3 lines
Diff to previous 1.322 (colored)

Remove unused sKerberosTgtPassing from enum.  From calestyo via github
pull req #11, ok djm@

Revision 1.322 / (download) - annotate - [select for diffs], Tue Dec 5 23:59:47 2017 UTC (6 years, 5 months ago) by dtucker
Branch: MAIN
Changes since 1.321: +5 -5 lines
Diff to previous 1.321 (colored)

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum.  This will prevent
and flag invalid and negative arguments to these keywords.  ok djm@

Revision 1.321 / (download) - annotate - [select for diffs], Tue Dec 5 23:56:07 2017 UTC (6 years, 5 months ago) by dtucker
Branch: MAIN
Changes since 1.320: +2 -1 lines
Diff to previous 1.320 (colored)

Add missing break for rdomain.  Prevents spurious "Deprecated option"
warnings.  ok djm@

Revision 1.320 / (download) - annotate - [select for diffs], Fri Nov 3 05:18:44 2017 UTC (6 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.319: +8 -16 lines
Diff to previous 1.319 (colored)

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity.  bz#2664 ok dtucker@

Revision 1.319 / (download) - annotate - [select for diffs], Fri Nov 3 03:18:53 2017 UTC (6 years, 6 months ago) by dtucker
Branch: MAIN
Changes since 1.318: +27 -20 lines
Diff to previous 1.318 (colored)

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria.  ok djm@, man page help jmc@

Revision 1.318 / (download) - annotate - [select for diffs], Wed Oct 25 02:10:39 2017 UTC (6 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.317: +4 -2 lines
Diff to previous 1.317 (colored)

uninitialised variable in PermitTunnel printing code

Revision 1.317 / (download) - annotate - [select for diffs], Wed Oct 25 00:19:47 2017 UTC (6 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.316: +14 -1 lines
Diff to previous 1.316 (colored)

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@

Revision 1.316 / (download) - annotate - [select for diffs], Wed Oct 25 00:17:08 2017 UTC (6 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.315: +19 -2 lines
Diff to previous 1.315 (colored)

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@

Revision 1.315 / (download) - annotate - [select for diffs], Wed Oct 25 00:15:35 2017 UTC (6 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.314: +158 -67 lines
Diff to previous 1.314 (colored)

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4

Revision 1.312.2.1 / (download) - annotate - [select for diffs], Fri Oct 13 03:25:16 2017 UTC (6 years, 7 months ago) by djm
Branch: OPENBSD_6_2
Changes since 1.312: +4 -4 lines
Diff to previous 1.312 (colored) next main 1.313 (colored)

MFC:

revision 1.313
date: 2017/10/04 18:49:30;  author: djm;  state: Exp;  lines: +4 -4;  commitid: FQf3mxZmjBcd8ygd;
fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@

Revision 1.314 / (download) - annotate - [select for diffs], Thu Oct 5 15:52:03 2017 UTC (6 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.313: +115 -95 lines
Diff to previous 1.313 (colored)

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@

Revision 1.313 / (download) - annotate - [select for diffs], Wed Oct 4 18:49:30 2017 UTC (6 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.312: +4 -4 lines
Diff to previous 1.312 (colored)

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@

Revision 1.312 / (download) - annotate - [select for diffs], Mon Oct 2 19:33:20 2017 UTC (6 years, 7 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE
Branch point for: OPENBSD_6_2
Changes since 1.311: +9 -1 lines
Diff to previous 1.311 (colored)

Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@

Revision 1.311 / (download) - annotate - [select for diffs], Mon Sep 18 09:41:52 2017 UTC (6 years, 7 months ago) by dtucker
Branch: MAIN
Changes since 1.310: +3 -2 lines
Diff to previous 1.310 (colored)

Add braces missing after channels refactor.  ok markus@

Revision 1.310 / (download) - annotate - [select for diffs], Tue Sep 12 06:32:07 2017 UTC (6 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.309: +66 -21 lines
Diff to previous 1.309 (colored)

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@

Revision 1.309 / (download) - annotate - [select for diffs], Sat Jun 24 06:34:38 2017 UTC (6 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.308: +12 -1 lines
Diff to previous 1.308 (colored)

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@

Revision 1.308 / (download) - annotate - [select for diffs], Wed May 17 01:24:17 2017 UTC (7 years ago) by djm
Branch: MAIN
Changes since 1.307: +4 -3 lines
Diff to previous 1.307 (colored)

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717

Revision 1.307 / (download) - annotate - [select for diffs], Thu Apr 27 13:40:05 2017 UTC (7 years ago) by jsg
Branch: MAIN
Changes since 1.306: +1 -8 lines
Diff to previous 1.306 (colored)

remove a static array unused since rev 1.306 spotted by clang
ok djm@

Revision 1.306 / (download) - annotate - [select for diffs], Tue Mar 14 07:19:07 2017 UTC (7 years, 2 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.305: +2 -10 lines
Diff to previous 1.305 (colored)

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).

Revision 1.305 / (download) - annotate - [select for diffs], Fri Mar 10 04:11:00 2017 UTC (7 years, 2 months ago) by dtucker
Branch: MAIN
Changes since 1.304: +1 -3 lines
Diff to previous 1.304 (colored)

Remove old null check from config dumper.  Patch from jjelen at redhat.com
via bz#2687, ok djm@

Revision 1.304 / (download) - annotate - [select for diffs], Fri Feb 3 23:01:19 2017 UTC (7 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.303: +7 -5 lines
Diff to previous 1.303 (colored)

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@

Revision 1.303 / (download) - annotate - [select for diffs], Fri Feb 3 05:05:56 2017 UTC (7 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.302: +10 -1 lines
Diff to previous 1.302 (colored)

allow form-feed characters at EOL; bz#2431 ok dtucker@

Revision 1.302 / (download) - annotate - [select for diffs], Fri Jan 6 03:45:41 2017 UTC (7 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.301: +2 -2 lines
Diff to previous 1.301 (colored)

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker

Revision 1.301 / (download) - annotate - [select for diffs], Wed Nov 30 03:00:05 2016 UTC (7 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.300: +12 -2 lines
Diff to previous 1.300 (colored)

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@

Revision 1.300 / (download) - annotate - [select for diffs], Wed Nov 23 23:14:15 2016 UTC (7 years, 5 months ago) by markus
Branch: MAIN
Changes since 1.299: +5 -3 lines
Diff to previous 1.299 (colored)

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm

Revision 1.299 / (download) - annotate - [select for diffs], Sun Nov 6 05:46:37 2016 UTC (7 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.298: +7 -1 lines
Diff to previous 1.298 (colored)

Validate address ranges for AllowUsers/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)

Revision 1.298 / (download) - annotate - [select for diffs], Mon Oct 24 01:09:17 2016 UTC (7 years, 6 months ago) by dtucker
Branch: MAIN
Changes since 1.297: +1 -2 lines
Diff to previous 1.297 (colored)

Remove dead breaks, found via opencoverage.net.  ok deraadt@

Revision 1.297 / (download) - annotate - [select for diffs], Wed Sep 28 20:32:42 2016 UTC (7 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.296: +2 -2 lines
Diff to previous 1.296 (colored)

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@

Revision 1.296 / (download) - annotate - [select for diffs], Wed Sep 28 16:33:07 2016 UTC (7 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.295: +2 -2 lines
Diff to previous 1.295 (colored)

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.

Revision 1.295 / (download) - annotate - [select for diffs], Thu Aug 25 23:57:54 2016 UTC (7 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.294: +9 -12 lines
Diff to previous 1.294 (colored)

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus

Revision 1.294 / (download) - annotate - [select for diffs], Fri Aug 19 03:18:06 2016 UTC (7 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.293: +3 -11 lines
Diff to previous 1.293 (colored)

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker

Revision 1.293 / (download) - annotate - [select for diffs], Mon Aug 15 12:27:56 2016 UTC (7 years, 9 months ago) by naddy
Branch: MAIN
Changes since 1.292: +27 -94 lines
Diff to previous 1.292 (colored)

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
  the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@

Revision 1.292 / (download) - annotate - [select for diffs], Thu Jun 23 05:17:51 2016 UTC (7 years, 10 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0
Changes since 1.291: +4 -2 lines
Diff to previous 1.291 (colored)

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado

Revision 1.291 / (download) - annotate - [select for diffs], Fri Jun 17 05:03:40 2016 UTC (7 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.290: +32 -3 lines
Diff to previous 1.290 (colored)

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@

Revision 1.290 / (download) - annotate - [select for diffs], Wed May 4 14:00:09 2016 UTC (8 years ago) by dtucker
Branch: MAIN
Changes since 1.289: +2 -2 lines
Diff to previous 1.289 (colored)

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@

Revision 1.289 / (download) - annotate - [select for diffs], Tue May 3 15:57:39 2016 UTC (8 years ago) by djm
Branch: MAIN
Changes since 1.288: +12 -1 lines
Diff to previous 1.288 (colored)

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way by Rogan Dawes

Revision 1.288 / (download) - annotate - [select for diffs], Tue May 3 15:25:06 2016 UTC (8 years ago) by djm
Branch: MAIN
Changes since 1.287: +2 -1 lines
Diff to previous 1.287 (colored)

don't forget to include StreamLocalBindUnlink in the config
dump output

Revision 1.287 / (download) - annotate - [select for diffs], Mon May 2 08:49:03 2016 UTC (8 years ago) by djm
Branch: MAIN
Changes since 1.286: +3 -2 lines
Diff to previous 1.286 (colored)

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@

Revision 1.286 / (download) - annotate - [select for diffs], Mon Mar 7 19:02:43 2016 UTC (8 years, 2 months ago) by djm
Branch: MAIN
Changes since 1.285: +6 -5 lines
Diff to previous 1.285 (colored)

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@

Revision 1.285 / (download) - annotate - [select for diffs], Wed Feb 17 05:29:04 2016 UTC (8 years, 3 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.284: +3 -3 lines
Diff to previous 1.284 (colored)

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@

Revision 1.284 / (download) - annotate - [select for diffs], Fri Jan 29 02:54:45 2016 UTC (8 years, 3 months ago) by dtucker
Branch: MAIN
Changes since 1.283: +3 -7 lines
Diff to previous 1.283 (colored)

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled).  Part of bz#2521, ok djm.

Revision 1.283 / (download) - annotate - [select for diffs], Fri Nov 13 04:38:06 2015 UTC (8 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.282: +12 -1 lines
Diff to previous 1.282 (colored)

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@

Revision 1.282 / (download) - annotate - [select for diffs], Thu Oct 29 08:05:01 2015 UTC (8 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.281: +19 -11 lines
Diff to previous 1.281 (colored)

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@

Revision 1.281 / (download) - annotate - [select for diffs], Fri Aug 21 23:52:30 2015 UTC (8 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.280: +3 -3 lines
Diff to previous 1.280 (colored)

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery

Revision 1.280 / (download) - annotate - [select for diffs], Thu Aug 6 14:53:21 2015 UTC (8 years, 9 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.279: +2 -1 lines
Diff to previous 1.279 (colored)

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions.  Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus

Revision 1.279 / (download) - annotate - [select for diffs], Fri Jul 31 15:38:09 2015 UTC (8 years, 9 months ago) by chris
Branch: MAIN
Changes since 1.278: +3 -3 lines
Diff to previous 1.278 (colored)

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@

Revision 1.278 / (download) - annotate - [select for diffs], Thu Jul 30 19:23:02 2015 UTC (8 years, 9 months ago) by deraadt
Branch: MAIN
Changes since 1.277: +2 -2 lines
Diff to previous 1.277 (colored)

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus

Revision 1.277 / (download) - annotate - [select for diffs], Thu Jul 30 00:01:34 2015 UTC (8 years, 9 months ago) by djm
Branch: MAIN
Changes since 1.276: +15 -9 lines
Diff to previous 1.276 (colored)

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@

Revision 1.276 / (download) - annotate - [select for diffs], Fri Jul 10 06:21:53 2015 UTC (8 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.275: +14 -3 lines
Diff to previous 1.275 (colored)

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@

Revision 1.275 / (download) - annotate - [select for diffs], Wed Jul 1 02:39:06 2015 UTC (8 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.274: +2 -2 lines
Diff to previous 1.274 (colored)

twiddle PermitRootLogin back

Revision 1.274 / (download) - annotate - [select for diffs], Wed Jul 1 02:32:17 2015 UTC (8 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.273: +2 -2 lines
Diff to previous 1.273 (colored)

twiddle; (this commit marks the openssh-6.9 release)

Revision 1.273 / (download) - annotate - [select for diffs], Wed Jul 1 01:56:13 2015 UTC (8 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.272: +2 -2 lines
Diff to previous 1.272 (colored)

put back default PermitRootLogin=no

Revision 1.272 / (download) - annotate - [select for diffs], Wed Jul 1 01:55:00 2015 UTC (8 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.271: +2 -2 lines
Diff to previous 1.271 (colored)

reset default PermitRootLogin to 'yes' (momentarily, for release)

Revision 1.271 / (download) - annotate - [select for diffs], Fri May 22 03:50:02 2015 UTC (8 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.270: +12 -2 lines
Diff to previous 1.270 (colored)

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)

Revision 1.270 / (download) - annotate - [select for diffs], Thu May 21 06:43:30 2015 UTC (8 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.269: +36 -1 lines
Diff to previous 1.269 (colored)

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@

Revision 1.269 / (download) - annotate - [select for diffs], Mon May 4 06:10:48 2015 UTC (9 years ago) by djm
Branch: MAIN
Changes since 1.268: +3 -5 lines
Diff to previous 1.268 (colored)

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@

Revision 1.268 / (download) - annotate - [select for diffs], Fri May 1 07:08:08 2015 UTC (9 years ago) by djm
Branch: MAIN
Changes since 1.267: +10 -7 lines
Diff to previous 1.267 (colored)

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@

Revision 1.267 / (download) - annotate - [select for diffs], Fri May 1 04:17:51 2015 UTC (9 years ago) by djm
Branch: MAIN
Changes since 1.266: +2 -1 lines
Diff to previous 1.266 (colored)

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@

Revision 1.266 / (download) - annotate - [select for diffs], Wed Apr 29 03:48:56 2015 UTC (9 years ago) by dtucker
Branch: MAIN
Changes since 1.265: +53 -13 lines
Diff to previous 1.265 (colored)

Allow ListenAddress, Port and AddressFamily in any order.  bz#68,
ok djm@, jmc@ (for the man page bit).

Revision 1.265 / (download) - annotate - [select for diffs], Mon Apr 27 21:42:48 2015 UTC (9 years ago) by djm
Branch: MAIN
Changes since 1.264: +2 -2 lines
Diff to previous 1.264 (colored)

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@

Revision 1.264 / (download) - annotate - [select for diffs], Fri Apr 24 01:36:00 2015 UTC (9 years ago) by deraadt
Branch: MAIN
Changes since 1.263: +2 -2 lines
Diff to previous 1.263 (colored)

rename xrealloc() to xreallocarray() since it follows that form.
ok djm

Revision 1.263 / (download) - annotate - [select for diffs], Thu Apr 23 04:59:10 2015 UTC (9 years ago) by dtucker
Branch: MAIN
Changes since 1.262: +22 -5 lines
Diff to previous 1.262 (colored)

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero.  ok deraadt@

Revision 1.262 / (download) - annotate - [select for diffs], Thu Apr 23 04:53:53 2015 UTC (9 years ago) by dtucker
Branch: MAIN
Changes since 1.261: +3 -3 lines
Diff to previous 1.261 (colored)

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@

Revision 1.261 / (download) - annotate - [select for diffs], Fri Apr 17 04:12:35 2015 UTC (9 years, 1 month ago) by dtucker
Branch: MAIN
Changes since 1.260: +8 -3 lines
Diff to previous 1.260 (colored)

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate.  bz#2346, patch from jjelen at redhat com, ok djm.

Revision 1.260 / (download) - annotate - [select for diffs], Mon Feb 2 01:57:44 2015 UTC (9 years, 3 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.259: +2 -2 lines
Diff to previous 1.259 (colored)

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm

Revision 1.259 / (download) - annotate - [select for diffs], Fri Jan 16 06:40:12 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.258: +3 -2 lines
Diff to previous 1.258 (colored)

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible.  Annotate <sys/param.h> lines with their current reasons.  Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc.  Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution.  These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Revision 1.258 / (download) - annotate - [select for diffs], Tue Jan 13 07:39:19 2015 UTC (9 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.257: +37 -7 lines
Diff to previous 1.257 (colored)

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@

Revision 1.257 / (download) - annotate - [select for diffs], Mon Dec 22 07:55:51 2014 UTC (9 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.256: +34 -4 lines
Diff to previous 1.256 (colored)

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@

Revision 1.256 / (download) - annotate - [select for diffs], Sun Dec 21 22:27:56 2014 UTC (9 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.255: +22 -2 lines
Diff to previous 1.255 (colored)

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@

Revision 1.255 / (download) - annotate - [select for diffs], Mon Nov 24 03:39:22 2014 UTC (9 years, 5 months ago) by jsg
Branch: MAIN
Changes since 1.254: +7 -1 lines
Diff to previous 1.254 (colored)

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@

Revision 1.254 / (download) - annotate - [select for diffs], Fri Oct 24 02:01:20 2014 UTC (9 years, 6 months ago) by lteo
Branch: MAIN
Changes since 1.253: +1 -2 lines
Diff to previous 1.253 (colored)

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@

Revision 1.253 / (download) - annotate - [select for diffs], Mon Oct 13 00:38:35 2014 UTC (9 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.252: +2 -2 lines
Diff to previous 1.252 (colored)

whitespace

Revision 1.252 / (download) - annotate - [select for diffs], Tue Aug 19 23:58:28 2014 UTC (9 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.251: +6 -6 lines
Diff to previous 1.251 (colored)

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan

Revision 1.251 / (download) - annotate - [select for diffs], Tue Jul 15 15:54:14 2014 UTC (9 years, 10 months ago) by millert
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.250: +47 -8 lines
Diff to previous 1.250 (colored)

Add support for Unix domain socket forwarding.  A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket.  This is a reimplementation
of the streamlocal patches by William Ahern from:
    http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@

Revision 1.250 / (download) - annotate - [select for diffs], Thu Jul 3 22:40:43 2014 UTC (9 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.249: +12 -2 lines
Diff to previous 1.249 (colored)

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@

Revision 1.249 / (download) - annotate - [select for diffs], Wed Jan 29 06:18:35 2014 UTC (10 years, 3 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.248: +2 -19 lines
Diff to previous 1.248 (colored)

remove experimental, never-enabled JPAKE code; ok markus@

Revision 1.248 / (download) - annotate - [select for diffs], Fri Dec 6 13:39:49 2013 UTC (10 years, 5 months ago) by markus
Branch: MAIN
Changes since 1.247: +3 -1 lines
Diff to previous 1.247 (colored)

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@

Revision 1.247 / (download) - annotate - [select for diffs], Thu Dec 5 01:16:41 2013 UTC (10 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.246: +20 -21 lines
Diff to previous 1.246 (colored)

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@

Revision 1.246 / (download) - annotate - [select for diffs], Thu Nov 21 00:45:44 2013 UTC (10 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.245: +2 -2 lines
Diff to previous 1.245 (colored)

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@

Revision 1.245 / (download) - annotate - [select for diffs], Thu Nov 7 11:58:27 2013 UTC (10 years, 6 months ago) by dtucker
Branch: MAIN
Changes since 1.244: +6 -3 lines
Diff to previous 1.244 (colored)

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden.  ok markus@

Revision 1.244 / (download) - annotate - [select for diffs], Tue Oct 29 09:48:02 2013 UTC (10 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.243: +12 -2 lines
Diff to previous 1.243 (colored)

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@

Revision 1.243 / (download) - annotate - [select for diffs], Thu Oct 24 00:51:48 2013 UTC (10 years, 6 months ago) by dtucker
Branch: MAIN
Changes since 1.242: +17 -2 lines
Diff to previous 1.242 (colored)

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@

Revision 1.242 / (download) - annotate - [select for diffs], Wed Oct 23 05:40:58 2013 UTC (10 years, 6 months ago) by dtucker
Branch: MAIN
Changes since 1.241: +2 -2 lines
Diff to previous 1.241 (colored)

fix comment

Revision 1.241 / (download) - annotate - [select for diffs], Tue Aug 6 23:06:01 2013 UTC (10 years, 9 months ago) by djm
Branch: MAIN
Changes since 1.240: +3 -2 lines
Diff to previous 1.240 (colored)

add cast to avoid format warning; from portable

Revision 1.240 / (download) - annotate - [select for diffs], Fri Jul 19 07:37:48 2013 UTC (10 years, 10 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.239: +16 -2 lines
Diff to previous 1.239 (colored)

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@

Revision 1.239 / (download) - annotate - [select for diffs], Fri May 17 00:13:14 2013 UTC (11 years ago) by djm
Branch: MAIN
Changes since 1.238: +4 -5 lines
Diff to previous 1.238 (colored)

bye, bye xfree(); ok markus@

Revision 1.238 / (download) - annotate - [select for diffs], Thu May 16 10:44:06 2013 UTC (11 years ago) by dtucker
Branch: MAIN
Changes since 1.237: +2 -2 lines
Diff to previous 1.237 (colored)

remove another now-unused variable

Revision 1.237 / (download) - annotate - [select for diffs], Thu May 16 10:43:34 2013 UTC (11 years ago) by dtucker
Branch: MAIN
Changes since 1.236: +3 -3 lines
Diff to previous 1.236 (colored)

remove now-unused variables

Revision 1.236 / (download) - annotate - [select for diffs], Thu May 16 09:12:31 2013 UTC (11 years ago) by dtucker
Branch: MAIN
Changes since 1.235: +7 -28 lines
Diff to previous 1.235 (colored)

switch RekeyLimit traffic volume parsing to scan_scaled.  ok djm@

Revision 1.235 / (download) - annotate - [select for diffs], Thu May 16 04:09:14 2013 UTC (11 years ago) by dtucker
Branch: MAIN
Changes since 1.234: +70 -5 lines
Diff to previous 1.234 (colored)

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time.  ok djm@, help & ok jmc@ for the man page.

Revision 1.234 / (download) - annotate - [select for diffs], Wed Feb 6 00:20:42 2013 UTC (11 years, 3 months ago) by dtucker
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.233: +4 -4 lines
Diff to previous 1.233 (colored)

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections.  This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000.  Prompted by nion at debian org, ok markus@

Revision 1.233 / (download) - annotate - [select for diffs], Sun Dec 2 20:46:11 2012 UTC (11 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.232: +14 -4 lines
Diff to previous 1.232 (colored)

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@

Revision 1.232 / (download) - annotate - [select for diffs], Sun Nov 4 11:09:15 2012 UTC (11 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.231: +25 -1 lines
Diff to previous 1.231 (colored)

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@

Revision 1.231 / (download) - annotate - [select for diffs], Tue Oct 30 21:29:54 2012 UTC (11 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.230: +29 -1 lines
Diff to previous 1.230 (colored)

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@

Revision 1.230 / (download) - annotate - [select for diffs], Thu Sep 13 23:37:36 2012 UTC (11 years, 8 months ago) by dtucker
Branch: MAIN
Changes since 1.229: +4 -3 lines
Diff to previous 1.229 (colored)

Fix comment line length

Revision 1.229 / (download) - annotate - [select for diffs], Fri Jul 13 01:35:21 2012 UTC (11 years, 10 months ago) by dtucker
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.228: +6 -2 lines
Diff to previous 1.228 (colored)

handle long comments in config files better.  bz#2025, ok markus

Revision 1.228 / (download) - annotate - [select for diffs], Tue Jul 10 02:19:15 2012 UTC (11 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.227: +5 -4 lines
Diff to previous 1.227 (colored)

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@

Revision 1.227 / (download) - annotate - [select for diffs], Tue Jun 19 18:25:27 2012 UTC (11 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.226: +17 -8 lines
Diff to previous 1.226 (colored)

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)

Revision 1.226 / (download) - annotate - [select for diffs], Sun May 13 01:42:32 2012 UTC (12 years ago) by dtucker
Branch: MAIN
Changes since 1.225: +135 -28 lines
Diff to previous 1.225 (colored)

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match.  Feedback and ok djm@ markus@.

Revision 1.225 / (download) - annotate - [select for diffs], Thu Apr 12 02:42:32 2012 UTC (12 years, 1 month ago) by djm
Branch: MAIN
Changes since 1.224: +23 -3 lines
Diff to previous 1.224 (colored)

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@

Revision 1.224 / (download) - annotate - [select for diffs], Thu Mar 29 23:54:36 2012 UTC (12 years, 1 month ago) by dtucker
Branch: MAIN
Changes since 1.223: +9 -1 lines
Diff to previous 1.223 (colored)

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949).  ok djm@

Revision 1.223 / (download) - annotate - [select for diffs], Fri Sep 23 00:22:04 2011 UTC (12 years, 7 months ago) by dtucker
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1
Changes since 1.222: +2 -2 lines
Diff to previous 1.222 (colored)

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*".  bz #1857, ok djm markus.

Revision 1.222 / (download) - annotate - [select for diffs], Wed Jun 22 21:57:01 2011 UTC (12 years, 10 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.221: +12 -3 lines
Diff to previous 1.221 (colored)

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@

Revision 1.221 / (download) - annotate - [select for diffs], Wed Jun 22 21:47:28 2011 UTC (12 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.220: +34 -37 lines
Diff to previous 1.220 (colored)

reuse the multistate option arrays to pretty-print options for "sshd -T"

Revision 1.220 / (download) - annotate - [select for diffs], Fri Jun 17 21:47:35 2011 UTC (12 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.219: +56 -70 lines
Diff to previous 1.219 (colored)

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@

Revision 1.219 / (download) - annotate - [select for diffs], Mon May 23 03:30:07 2011 UTC (12 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.218: +46 -11 lines
Diff to previous 1.218 (colored)

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@

Revision 1.218 / (download) - annotate - [select for diffs], Fri May 20 03:25:45 2011 UTC (13 years ago) by djm
Branch: MAIN
Changes since 1.217: +3 -6 lines
Diff to previous 1.217 (colored)

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@

Revision 1.217 / (download) - annotate - [select for diffs], Fri May 20 02:00:19 2011 UTC (13 years ago) by dtucker
Branch: MAIN
Changes since 1.216: +5 -1 lines
Diff to previous 1.216 (colored)

Add comment documenting what should be after the preauth check.  ok djm

Revision 1.216 / (download) - annotate - [select for diffs], Fri May 20 00:55:02 2011 UTC (13 years ago) by djm
Branch: MAIN
Changes since 1.215: +6 -5 lines
Diff to previous 1.215 (colored)

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@

Revision 1.215 / (download) - annotate - [select for diffs], Wed May 11 04:47:06 2011 UTC (13 years ago) by djm
Branch: MAIN
Changes since 1.214: +1 -14 lines
Diff to previous 1.214 (colored)

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@

Revision 1.214 / (download) - annotate - [select for diffs], Tue Mar 29 18:54:17 2011 UTC (13 years, 1 month ago) by stevesk
Branch: MAIN
Changes since 1.213: +3 -2 lines
Diff to previous 1.213 (colored)

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput

Revision 1.213 / (download) - annotate - [select for diffs], Sat Nov 13 23:27:50 2010 UTC (13 years, 6 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.212: +35 -3 lines
Diff to previous 1.212 (colored)

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@

Revision 1.212 / (download) - annotate - [select for diffs], Thu Sep 30 11:04:51 2010 UTC (13 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.211: +4 -4 lines
Diff to previous 1.211 (colored)

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no

Revision 1.211 / (download) - annotate - [select for diffs], Wed Sep 22 05:01:29 2010 UTC (13 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.210: +16 -1 lines
Diff to previous 1.210 (colored)

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@

Revision 1.210 / (download) - annotate - [select for diffs], Wed Sep 1 15:21:35 2010 UTC (13 years, 8 months ago) by naddy
Branch: MAIN
Changes since 1.209: +3 -1 lines
Diff to previous 1.209 (colored)

pick up ECDSA host key by default; ok djm@

Revision 1.209 / (download) - annotate - [select for diffs], Tue Jun 22 04:22:59 2010 UTC (13 years, 10 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.208: +11 -6 lines
Diff to previous 1.208 (colored)

expose some more sshd_config options inside Match blocks:
  AuthorizedKeysFile AuthorizedPrincipalsFile
  HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@

Revision 1.208 / (download) - annotate - [select for diffs], Fri May 7 11:30:29 2010 UTC (14 years ago) by djm
Branch: MAIN
Changes since 1.207: +13 -5 lines
Diff to previous 1.207 (colored)

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@

Revision 1.207 / (download) - annotate - [select for diffs], Thu Mar 25 23:38:28 2010 UTC (14 years, 1 month ago) by djm
Branch: MAIN
Changes since 1.206: +3 -4 lines
Diff to previous 1.206 (colored)

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@

Revision 1.206 / (download) - annotate - [select for diffs], Fri Mar 12 11:37:40 2010 UTC (14 years, 2 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.205: +3 -3 lines
Diff to previous 1.205 (colored)

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()

Revision 1.205 / (download) - annotate - [select for diffs], Fri Mar 12 01:06:25 2010 UTC (14 years, 2 months ago) by djm
Branch: MAIN
Changes since 1.204: +12 -2 lines
Diff to previous 1.204 (colored)

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@

Revision 1.204 / (download) - annotate - [select for diffs], Thu Mar 4 10:36:03 2010 UTC (14 years, 2 months ago) by djm
Branch: MAIN
Changes since 1.203: +18 -1 lines
Diff to previous 1.203 (colored)

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@

Revision 1.203 / (download) - annotate - [select for diffs], Fri Feb 26 20:29:54 2010 UTC (14 years, 2 months ago) by djm
Branch: MAIN
Changes since 1.202: +17 -2 lines
Diff to previous 1.202 (colored)

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@

Revision 1.202 / (download) - annotate - [select for diffs], Wed Jan 13 03:48:12 2010 UTC (14 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.201: +18 -2 lines
Diff to previous 1.201 (colored)

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@

Revision 1.201 / (download) - annotate - [select for diffs], Sun Jan 10 03:51:17 2010 UTC (14 years, 4 months ago) by dtucker
Branch: MAIN
Changes since 1.200: +2 -1 lines
Diff to previous 1.200 (colored)

Add ChrootDirectory to sshd.c test-mode output

Revision 1.200 / (download) - annotate - [select for diffs], Sat Jan 9 23:04:13 2010 UTC (14 years, 4 months ago) by dtucker
Branch: MAIN
Changes since 1.199: +2 -18 lines
Diff to previous 1.199 (colored)

Remove RoutingDomain from ssh since it's now not needed.  It can be replaced
with "route exec" or "nc -V" as a proxycommand.  "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@

Revision 1.199 / (download) - annotate - [select for diffs], Tue Dec 29 16:38:41 2009 UTC (14 years, 4 months ago) by stevesk
Branch: MAIN
Changes since 1.198: +2 -2 lines
Diff to previous 1.198 (colored)

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@

Revision 1.198 / (download) - annotate - [select for diffs], Fri Dec 25 19:40:21 2009 UTC (14 years, 4 months ago) by stevesk
Branch: MAIN
Changes since 1.197: +11 -2 lines
Diff to previous 1.197 (colored)

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@

Revision 1.197 / (download) - annotate - [select for diffs], Wed Oct 28 16:38:18 2009 UTC (14 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.196: +9 -2 lines
Diff to previous 1.196 (colored)

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@

Revision 1.196 / (download) - annotate - [select for diffs], Thu Oct 8 14:03:41 2009 UTC (14 years, 7 months ago) by markus
Branch: MAIN
Changes since 1.195: +2 -2 lines
Diff to previous 1.195 (colored)

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt

Revision 1.195 / (download) - annotate - [select for diffs], Tue Apr 14 21:10:54 2009 UTC (15 years, 1 month ago) by jj
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6
Changes since 1.194: +2 -2 lines
Diff to previous 1.194 (colored)

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@

Revision 1.194 / (download) - annotate - [select for diffs], Thu Jan 22 10:02:34 2009 UTC (15 years, 3 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_4_5_BASE, OPENBSD_4_5
Changes since 1.193: +10 -10 lines
Diff to previous 1.193 (colored)

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@

Revision 1.193 / (download) - annotate - [select for diffs], Tue Dec 9 03:20:42 2008 UTC (15 years, 5 months ago) by stevesk
Branch: MAIN
Changes since 1.192: +1 -3 lines
Diff to previous 1.192 (colored)

channel_print_adm_permitted_opens() should deal with all the printing
for that config option.  suggested by markus@; ok markus@ djm@
dtucker@

Revision 1.192 / (download) - annotate - [select for diffs], Tue Nov 11 02:58:09 2008 UTC (15 years, 6 months ago) by stevesk
Branch: MAIN
Changes since 1.191: +1 -3 lines
Diff to previous 1.191 (colored)

USE_AFS not referenced so remove #ifdef.  fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@

Revision 1.191 / (download) - annotate - [select for diffs], Wed Nov 5 11:22:54 2008 UTC (15 years, 6 months ago) by jmc
Branch: MAIN
Changes since 1.190: +2 -2 lines
Diff to previous 1.190 (colored)

passord -> password;
fixes user/5975 from Rene Maroufi

Revision 1.190 / (download) - annotate - [select for diffs], Tue Nov 4 08:22:13 2008 UTC (15 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.189: +19 -1 lines
Diff to previous 1.189 (colored)

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it.  It isn't too intrusive." deraadt@

Revision 1.189 / (download) - annotate - [select for diffs], Mon Nov 3 08:59:41 2008 UTC (15 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.188: +2 -1 lines
Diff to previous 1.188 (colored)

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov

Revision 1.188 / (download) - annotate - [select for diffs], Thu Oct 9 03:50:54 2008 UTC (15 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.187: +3 -2 lines
Diff to previous 1.187 (colored)

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@

Revision 1.187 / (download) - annotate - [select for diffs], Wed Jul 23 07:36:55 2008 UTC (15 years, 9 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_4_4_BASE, OPENBSD_4_4
Changes since 1.186: +7 -1 lines
Diff to previous 1.186 (colored)

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@

Revision 1.186 / (download) - annotate - [select for diffs], Fri Jul 4 03:44:59 2008 UTC (15 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.185: +6 -23 lines
Diff to previous 1.185 (colored)

support negation of groups in "Match group" block (bz#1315); ok dtucker@

Revision 1.185 / (download) - annotate - [select for diffs], Wed Jul 2 02:24:18 2008 UTC (15 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.184: +2 -2 lines
Diff to previous 1.184 (colored)

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@

Revision 1.184 / (download) - annotate - [select for diffs], Sun Jun 15 16:58:40 2008 UTC (15 years, 11 months ago) by dtucker
Branch: MAIN
Changes since 1.183: +3 -2 lines
Diff to previous 1.183 (colored)

Allow MaxAuthTries within a Match block.  ok djm@

Revision 1.183 / (download) - annotate - [select for diffs], Tue Jun 10 23:06:19 2008 UTC (15 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.182: +3 -2 lines
Diff to previous 1.182 (colored)

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@

Revision 1.182 / (download) - annotate - [select for diffs], Tue Jun 10 04:50:25 2008 UTC (15 years, 11 months ago) by dtucker
Branch: MAIN
Changes since 1.181: +230 -11 lines
Diff to previous 1.181 (colored)

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output.  The
combination allows testing of the parser and config files.  ok deraadt djm

Revision 1.181 / (download) - annotate - [select for diffs], Tue Jun 10 03:57:27 2008 UTC (15 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.180: +10 -8 lines
Diff to previous 1.180 (colored)

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
    PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@

Revision 1.180 / (download) - annotate - [select for diffs], Thu May 8 12:21:16 2008 UTC (16 years ago) by djm
Branch: MAIN
Changes since 1.179: +15 -6 lines
Diff to previous 1.179 (colored)

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@

Revision 1.179 / (download) - annotate - [select for diffs], Thu May 8 12:02:23 2008 UTC (16 years ago) by djm
Branch: MAIN
Changes since 1.178: +2 -1 lines
Diff to previous 1.178 (colored)

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)

Revision 1.178 / (download) - annotate - [select for diffs], Wed May 7 05:49:37 2008 UTC (16 years ago) by pyr
Branch: MAIN
Changes since 1.177: +11 -2 lines
Diff to previous 1.177 (colored)

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@

Revision 1.177 / (download) - annotate - [select for diffs], Sun Feb 10 10:54:28 2008 UTC (16 years, 3 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE, OPENBSD_4_3
Changes since 1.176: +9 -2 lines
Diff to previous 1.176 (colored)

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)

Revision 1.176 / (download) - annotate - [select for diffs], Fri Feb 8 23:24:08 2008 UTC (16 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.175: +10 -2 lines
Diff to previous 1.175 (colored)

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@

Revision 1.175 / (download) - annotate - [select for diffs], Tue Jan 1 09:27:33 2008 UTC (16 years, 4 months ago) by dtucker
Branch: MAIN
Changes since 1.174: +4 -3 lines
Diff to previous 1.174 (colored)

Allow PermitRootLogin in a Match block.  Allows for, eg, permitting root
only from the local network.  ok markus@, man page bit ok jmc@

Revision 1.174 / (download) - annotate - [select for diffs], Mon Dec 31 10:41:31 2007 UTC (16 years, 4 months ago) by dtucker
Branch: MAIN
Changes since 1.173: +9 -7 lines
Diff to previous 1.173 (colored)

Prevent strict-aliasing warnings on newer gcc versions.  bz #1355, patch
from Dmitry V. Levin, ok djm@

Revision 1.173 / (download) - annotate - [select for diffs], Thu Dec 27 14:22:08 2007 UTC (16 years, 4 months ago) by dtucker
Branch: MAIN
Changes since 1.172: +2 -2 lines
Diff to previous 1.172 (colored)

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo.  Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@

Revision 1.172 / (download) - annotate - [select for diffs], Mon Apr 23 10:15:39 2007 UTC (17 years ago) by dtucker
Branch: MAIN
CVS Tags: OPENBSD_4_2_BASE, OPENBSD_4_2
Changes since 1.171: +1 -2 lines
Diff to previous 1.171 (colored)

Remove debug() left over from development.  ok deraadt@

Revision 1.171 / (download) - annotate - [select for diffs], Fri Mar 9 05:20:06 2007 UTC (17 years, 2 months ago) by dtucker
Branch: MAIN
CVS Tags: OPENBSD_4_1_BASE, OPENBSD_4_1
Changes since 1.170: +1 -5 lines
Diff to previous 1.170 (colored)

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again.  This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@

Revision 1.170 / (download) - annotate - [select for diffs], Thu Mar 1 10:28:02 2007 UTC (17 years, 2 months ago) by dtucker
Branch: MAIN
Changes since 1.169: +6 -3 lines
Diff to previous 1.169 (colored)

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support.  Also, relocate the CR/kbdint option special-case code into
servconf.  "please commit" djm@, ok markus@ for the relocation.

Revision 1.169 / (download) - annotate - [select for diffs], Thu Feb 22 12:58:40 2007 UTC (17 years, 2 months ago) by dtucker
Branch: MAIN
Changes since 1.168: +2 -2 lines
Diff to previous 1.168 (colored)

Check activep so Match and GatewayPorts work together; ok markus@

Revision 1.168 / (download) - annotate - [select for diffs], Mon Feb 19 10:45:58 2007 UTC (17 years, 3 months ago) by dtucker
Branch: MAIN
Changes since 1.167: +57 -31 lines
Diff to previous 1.167 (colored)

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite.  ok djm@, man page
bits ok jmc@

Revision 1.167 / (download) - annotate - [select for diffs], Thu Dec 14 10:01:14 2006 UTC (17 years, 5 months ago) by dtucker
Branch: MAIN
Changes since 1.166: +3 -3 lines
Diff to previous 1.166 (colored)

Make "PermitOpen all" first-match within a block to match the way other
options work.  ok markus@ djm@

Revision 1.166 / (download) - annotate - [select for diffs], Wed Dec 13 08:34:39 2006 UTC (17 years, 5 months ago) by dtucker
Branch: MAIN
Changes since 1.165: +5 -4 lines
Diff to previous 1.165 (colored)

Make PermitOpen work with multiple values like the man page says.  bz #1267
with details from peter at dmtz.com, with & ok djm@

Revision 1.144.2.2 / (download) - annotate - [select for diffs], Fri Oct 6 03:19:33 2006 UTC (17 years, 7 months ago) by brad
Branch: OPENBSD_3_8
Changes since 1.144.2.1: +395 -98 lines
Diff to previous 1.144.2.1 (colored) to branchpoint 1.144 (colored) next main 1.145 (colored)

upgrade to OpenSSH 4.4

Revision 1.146.2.1 / (download) - annotate - [select for diffs], Sat Sep 30 04:06:51 2006 UTC (17 years, 7 months ago) by brad
Branch: OPENBSD_3_9
Changes since 1.146: +395 -98 lines
Diff to previous 1.146 (colored) next main 1.147 (colored)

upgrade to OpenSSH 4.4

Revision 1.165 / (download) - annotate - [select for diffs], Mon Aug 14 12:40:25 2006 UTC (17 years, 9 months ago) by dtucker
Branch: MAIN
CVS Tags: OPENBSD_4_0_BASE, OPENBSD_4_0
Changes since 1.164: +55 -1 lines
Diff to previous 1.164 (colored)

Add ability to match groups to Match keyword in sshd_config.  Feedback djm@,
stevesk@, ok stevesk@.

Revision 1.164 / (download) - annotate - [select for diffs], Thu Aug 3 03:34:42 2006 UTC (17 years, 9 months ago) by deraadt
Branch: MAIN
Changes since 1.163: +6 -4 lines
Diff to previous 1.163 (colored)

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

Revision 1.163 / (download) - annotate - [select for diffs], Tue Aug 1 23:36:12 2006 UTC (17 years, 9 months ago) by stevesk
Branch: MAIN
Changes since 1.162: +3 -3 lines
Diff to previous 1.162 (colored)

clean extra spaces

Revision 1.162 / (download) - annotate - [select for diffs], Tue Aug 1 23:22:47 2006 UTC (17 years, 9 months ago) by stevesk
Branch: MAIN
Changes since 1.161: +2 -1 lines
Diff to previous 1.161 (colored)

move #include <stdio.h> out of includes.h

Revision 1.161 / (download) - annotate - [select for diffs], Wed Jul 26 13:57:17 2006 UTC (17 years, 9 months ago) by stevesk
Branch: MAIN
Changes since 1.160: +2 -1 lines
Diff to previous 1.160 (colored)

move #include <stdlib.h> out of includes.h

Revision 1.160 / (download) - annotate - [select for diffs], Sat Jul 22 20:48:23 2006 UTC (17 years, 9 months ago) by stevesk
Branch: MAIN
Changes since 1.159: +2 -1 lines
Diff to previous 1.159 (colored)

move #include <string.h> out of includes.h

Revision 1.159 / (download) - annotate - [select for diffs], Fri Jul 21 12:43:36 2006 UTC (17 years, 10 months ago) by dtucker
Branch: MAIN
Changes since 1.158: +20 -12 lines
Diff to previous 1.158 (colored)

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting).  This also makes it
easier to override a previously set PermitOpen.  ok djm@

Revision 1.158 / (download) - annotate - [select for diffs], Wed Jul 19 13:07:10 2006 UTC (17 years, 10 months ago) by dtucker
Branch: MAIN
Changes since 1.157: +20 -2 lines
Diff to previous 1.157 (colored)

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config.  Feedback & ok djm@,
man page corrections & ok jmc@

Revision 1.157 / (download) - annotate - [select for diffs], Wed Jul 19 08:56:41 2006 UTC (17 years, 10 months ago) by dtucker
Branch: MAIN
Changes since 1.156: +10 -4 lines
Diff to previous 1.156 (colored)

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match.  ok djm@

Revision 1.156 / (download) - annotate - [select for diffs], Mon Jul 17 12:06:00 2006 UTC (17 years, 10 months ago) by dtucker
Branch: MAIN
Changes since 1.155: +26 -2 lines
Diff to previous 1.155 (colored)

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option.  Allows server admin to allow TCP port forwarding
only to specific host/port pairs.  Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.

Revision 1.155 / (download) - annotate - [select for diffs], Mon Jul 17 01:31:09 2006 UTC (17 years, 10 months ago) by stevesk
Branch: MAIN
Changes since 1.154: +2 -1 lines
Diff to previous 1.154 (colored)

move #include <unistd.h> out of includes.h

Revision 1.154 / (download) - annotate - [select for diffs], Wed Jul 12 22:28:52 2006 UTC (17 years, 10 months ago) by stevesk
Branch: MAIN
Changes since 1.153: +3 -1 lines
Diff to previous 1.153 (colored)

move #include <netdb.h> out of includes.h; ok djm@

Revision 1.153 / (download) - annotate - [select for diffs], Wed Jul 12 11:34:58 2006 UTC (17 years, 10 months ago) by dtucker
Branch: MAIN
Changes since 1.152: +256 -93 lines
Diff to previous 1.152 (colored)

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
        AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@

Revision 1.152 / (download) - annotate - [select for diffs], Sat Jul 8 21:47:12 2006 UTC (17 years, 10 months ago) by stevesk
Branch: MAIN
Changes since 1.151: +4 -1 lines
Diff to previous 1.151 (colored)

move #include <sys/socket.h> out of includes.h

Revision 1.151 / (download) - annotate - [select for diffs], Thu Jul 6 10:47:05 2006 UTC (17 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.150: +13 -1 lines
Diff to previous 1.150 (colored)

support arguments to Subsystem commands; ok markus@

Revision 1.150 / (download) - annotate - [select for diffs], Sat Mar 25 13:17:02 2006 UTC (18 years, 1 month ago) by djm
Branch: MAIN
Changes since 1.149: +1 -0 lines
Diff to previous 1.149 (colored)

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

Revision 1.149 / (download) - annotate - [select for diffs], Sun Mar 19 18:51:18 2006 UTC (18 years, 2 months ago) by deraadt
Branch: MAIN
Changes since 1.148: +0 -1 lines
Diff to previous 1.148 (colored)

RCSID() can die

Revision 1.148 / (download) - annotate - [select for diffs], Sun Mar 19 11:51:52 2006 UTC (18 years, 2 months ago) by dtucker
Branch: MAIN
Changes since 1.147: +2 -2 lines
Diff to previous 1.147 (colored)

Correct strdelim null test; ok djm@

Revision 1.147 / (download) - annotate - [select for diffs], Sun Mar 19 02:24:05 2006 UTC (18 years, 2 months ago) by djm
Branch: MAIN
Changes since 1.146: +3 -2 lines
Diff to previous 1.146 (colored)

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@

Revision 1.144.2.1 / (download) - annotate - [select for diffs], Fri Feb 3 03:01:56 2006 UTC (18 years, 3 months ago) by brad
Branch: OPENBSD_3_8
Changes since 1.144: +28 -2 lines
Diff to previous 1.144 (colored)

upgrade to OpenSSH 4.3

Revision 1.140.2.2 / (download) - annotate - [select for diffs], Fri Feb 3 02:53:44 2006 UTC (18 years, 3 months ago) by brad
Branch: OPENBSD_3_7
Changes since 1.140.2.1: +28 -2 lines
Diff to previous 1.140.2.1 (colored) to branchpoint 1.140 (colored) next main 1.141 (colored)

upgrade to OpenSSH 4.3

Revision 1.146 / (download) - annotate - [select for diffs], Thu Dec 8 18:34:11 2005 UTC (18 years, 5 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_3_9_BASE
Branch point for: OPENBSD_3_9
Changes since 1.145: +21 -3 lines
Diff to previous 1.145 (colored)

two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@

Revision 1.145 / (download) - annotate - [select for diffs], Tue Dec 6 22:38:27 2005 UTC (18 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.144: +10 -2 lines
Diff to previous 1.144 (colored)

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others

Revision 1.140.2.1 / (download) - annotate - [select for diffs], Sun Sep 4 18:40:03 2005 UTC (18 years, 8 months ago) by brad
Branch: OPENBSD_3_7
Changes since 1.140: +31 -5 lines
Diff to previous 1.140 (colored)

upgrade to OpenSSH 4.2

Revision 1.137.2.3 / (download) - annotate - [select for diffs], Fri Sep 2 03:45:00 2005 UTC (18 years, 8 months ago) by brad
Branch: OPENBSD_3_6
Changes since 1.137.2.2: +31 -5 lines
Diff to previous 1.137.2.2 (colored) to branchpoint 1.137 (colored) next main 1.138 (colored)

upgrade to OpenSSH 4.2

Revision 1.144 / (download) - annotate - [select for diffs], Sat Aug 6 10:03:12 2005 UTC (18 years, 9 months ago) by dtucker
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE
Branch point for: OPENBSD_3_8
Changes since 1.143: +7 -1 lines
Diff to previous 1.143 (colored)

Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@

Revision 1.143 / (download) - annotate - [select for diffs], Mon Jul 25 11:59:40 2005 UTC (18 years, 9 months ago) by markus
Branch: MAIN
Changes since 1.142: +19 -3 lines
Diff to previous 1.142 (colored)

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@

Revision 1.142 / (download) - annotate - [select for diffs], Fri Jun 17 02:44:33 2005 UTC (18 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.141: +4 -3 lines
Diff to previous 1.141 (colored)

make this -Wsign-compare clean; ok avsm@ markus@

Revision 1.137.2.2 / (download) - annotate - [select for diffs], Sun Jun 5 02:22:39 2005 UTC (18 years, 11 months ago) by brad
Branch: OPENBSD_3_6
Changes since 1.137.2.1: +2 -2 lines
Diff to previous 1.137.2.1 (colored) to branchpoint 1.137 (colored)

upgrade to OpenSSH 4.1

Revision 1.141 / (download) - annotate - [select for diffs], Mon May 16 15:30:51 2005 UTC (19 years ago) by markus
Branch: MAIN
Changes since 1.140: +4 -1 lines
Diff to previous 1.140 (colored)

check return value from strdelim() for NULL (AddressFamily); mpech

Revision 1.140 / (download) - annotate - [select for diffs], Thu Mar 10 22:01:05 2005 UTC (19 years, 2 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_3_7_BASE
Branch point for: OPENBSD_3_7
Changes since 1.139: +2 -2 lines
Diff to previous 1.139 (colored)

spacing

Revision 1.130.2.2 / (download) - annotate - [select for diffs], Thu Mar 10 17:15:04 2005 UTC (19 years, 2 months ago) by brad
Branch: OPENBSD_3_5
Changes since 1.130.2.1: +57 -36 lines
Diff to previous 1.130.2.1 (colored) to branchpoint 1.130 (colored) next main 1.131 (colored)

upgrade to OpenSSH 4.0

Revision 1.137.2.1 / (download) - annotate - [select for diffs], Thu Mar 10 16:28:27 2005 UTC (19 years, 2 months ago) by brad
Branch: OPENBSD_3_6
Changes since 1.137: +57 -36 lines
Diff to previous 1.137 (colored)

upgrade to OpenSSH 4.0

Revision 1.139 / (download) - annotate - [select for diffs], Tue Mar 1 10:09:52 2005 UTC (19 years, 2 months ago) by djm
Branch: MAIN
Changes since 1.138: +32 -33 lines
Diff to previous 1.138 (colored)

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@

Revision 1.138 / (download) - annotate - [select for diffs], Thu Dec 23 23:11:00 2004 UTC (19 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.137: +27 -5 lines
Diff to previous 1.137 (colored)

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@

Revision 1.127.2.2 / (download) - annotate - [select for diffs], Thu Aug 19 22:37:32 2004 UTC (19 years, 9 months ago) by brad
Branch: OPENBSD_3_4
Changes since 1.127.2.1: +62 -15 lines
Diff to previous 1.127.2.1 (colored) to branchpoint 1.127 (colored) next main 1.128 (colored)

upgrade to OpenSSH 3.9

Revision 1.130.2.1 / (download) - annotate - [select for diffs], Thu Aug 19 04:13:27 2004 UTC (19 years, 9 months ago) by brad
Branch: OPENBSD_3_5
Changes since 1.130: +62 -15 lines
Diff to previous 1.130 (colored)

upgrade to OpenSSH 3.9

Revision 1.137 / (download) - annotate - [select for diffs], Fri Aug 13 11:09:24 2004 UTC (19 years, 9 months ago) by dtucker
Branch: MAIN
CVS Tags: OPENBSD_3_6_BASE
Branch point for: OPENBSD_3_6
Changes since 1.136: +2 -2 lines
Diff to previous 1.136 (colored)

Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@

Revision 1.136 / (download) - annotate - [select for diffs], Wed Aug 11 11:09:54 2004 UTC (19 years, 9 months ago) by dtucker
Branch: MAIN
Changes since 1.135: +4 -4 lines
Diff to previous 1.135 (colored)

Fix minor leak; "looks right" deraadt@

Revision 1.135 / (download) - annotate - [select for diffs], Sun Jul 11 17:48:47 2004 UTC (19 years, 10 months ago) by deraadt
Branch: MAIN
Changes since 1.134: +2 -2 lines
Diff to previous 1.134 (colored)

spaces

Revision 1.134 / (download) - annotate - [select for diffs], Thu Jun 24 19:30:54 2004 UTC (19 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.133: +36 -12 lines
Diff to previous 1.133 (colored)

re-exec sshd on accept(); initial work, final debugging and ok markus@

Revision 1.133 / (download) - annotate - [select for diffs], Sun May 23 23:59:53 2004 UTC (19 years, 11 months ago) by dtucker
Branch: MAIN
Changes since 1.132: +11 -2 lines
Diff to previous 1.132 (colored)

Add MaxAuthTries sshd config option; ok markus@

Revision 1.132 / (download) - annotate - [select for diffs], Sat May 8 00:01:37 2004 UTC (20 years ago) by deraadt
Branch: MAIN
Changes since 1.131: +1 -2 lines
Diff to previous 1.131 (colored)

make two tiny header files go away; djm ok

Revision 1.131 / (download) - annotate - [select for diffs], Tue Apr 27 09:46:37 2004 UTC (20 years ago) by djm
Branch: MAIN
Changes since 1.130: +17 -2 lines
Diff to previous 1.130 (colored)

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@

Revision 1.116.2.2 / (download) - annotate - [select for diffs], Thu Mar 4 18:18:16 2004 UTC (20 years, 2 months ago) by brad
Branch: OPENBSD_3_3
Changes since 1.116.2.1: +21 -10 lines
Diff to previous 1.116.2.1 (colored) to branchpoint 1.116 (colored) next main 1.117 (colored)

upgrade to OpenSSH 3.8

Revision 1.127.2.1 / (download) - annotate - [select for diffs], Sat Feb 28 03:51:33 2004 UTC (20 years, 2 months ago) by brad
Branch: OPENBSD_3_4
Changes since 1.127: +21 -10 lines
Diff to previous 1.127 (colored)

upgrade to OpenSSH 3.8

Revision 1.130 / (download) - annotate - [select for diffs], Tue Dec 23 16:12:10 2003 UTC (20 years, 4 months ago) by jakob
Branch: MAIN
CVS Tags: OPENBSD_3_5_BASE
Branch point for: OPENBSD_3_5
Changes since 1.129: +11 -1 lines
Diff to previous 1.129 (colored)

implement KerberosGetAFSToken server option. ok markus@, beck@

Revision 1.129 / (download) - annotate - [select for diffs], Tue Dec 9 21:53:36 2003 UTC (20 years, 5 months ago) by markus
Branch: MAIN
Changes since 1.128: +9 -8 lines
Diff to previous 1.128 (colored)

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@

Revision 1.128 / (download) - annotate - [select for diffs], Mon Sep 29 20:19:57 2003 UTC (20 years, 7 months ago) by markus
Branch: MAIN
Changes since 1.127: +3 -3 lines
Diff to previous 1.127 (colored)

GSSAPICleanupCreds -> GSSAPICleanupCredentials

Revision 1.115.2.2 / (download) - annotate - [select for diffs], Tue Sep 16 21:20:27 2003 UTC (20 years, 8 months ago) by brad
Branch: OPENBSD_3_2
Changes since 1.115.2.1: +50 -71 lines
Diff to previous 1.115.2.1 (colored) to branchpoint 1.115 (colored) next main 1.116 (colored)

upgrade to OpenSSH 3.7

Revision 1.116.2.1 / (download) - annotate - [select for diffs], Tue Sep 16 20:50:43 2003 UTC (20 years, 8 months ago) by brad
Branch: OPENBSD_3_3
Changes since 1.116: +50 -71 lines
Diff to previous 1.116 (colored)

upgrade to OpenSSH 3.7

Revision 1.127 / (download) - annotate - [select for diffs], Mon Sep 1 18:15:50 2003 UTC (20 years, 8 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_3_4_BASE
Branch point for: OPENBSD_3_4
Changes since 1.126: +1 -8 lines
Diff to previous 1.126 (colored)

remove unused kerberos code; ok henning@

Revision 1.126 / (download) - annotate - [select for diffs], Thu Aug 28 12:54:34 2003 UTC (20 years, 8 months ago) by markus
Branch: MAIN
Changes since 1.125: +2 -3 lines
Diff to previous 1.125 (colored)

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...

Revision 1.125 / (download) - annotate - [select for diffs], Fri Aug 22 10:56:09 2003 UTC (20 years, 8 months ago) by markus
Branch: MAIN
Changes since 1.124: +23 -1 lines
Diff to previous 1.124 (colored)

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.

Revision 1.124 / (download) - annotate - [select for diffs], Wed Aug 13 08:46:30 2003 UTC (20 years, 9 months ago) by markus
Branch: MAIN
Changes since 1.123: +3 -10 lines
Diff to previous 1.123 (colored)

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others

Revision 1.123 / (download) - annotate - [select for diffs], Tue Jul 22 13:35:22 2003 UTC (20 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.122: +3 -21 lines
Diff to previous 1.122 (colored)

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@

Revision 1.122 / (download) - annotate - [select for diffs], Mon Jun 2 09:17:34 2003 UTC (20 years, 11 months ago) by markus
Branch: MAIN
Changes since 1.121: +10 -9 lines
Diff to previous 1.121 (colored)

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@

Revision 1.121 / (download) - annotate - [select for diffs], Thu May 15 14:02:47 2003 UTC (21 years ago) by jakob
Branch: MAIN
Changes since 1.120: +20 -6 lines
Diff to previous 1.120 (colored)

warn for unsupported config option. ok markus@

Revision 1.120 / (download) - annotate - [select for diffs], Thu May 15 04:08:44 2003 UTC (21 years ago) by jakob
Branch: MAIN
Changes since 1.119: +5 -1 lines
Diff to previous 1.119 (colored)

disable kerberos when not supported. ok markus@

Revision 1.119 / (download) - annotate - [select for diffs], Thu May 15 01:48:10 2003 UTC (21 years ago) by jakob
Branch: MAIN
Changes since 1.118: +5 -34 lines
Diff to previous 1.118 (colored)

always parse kerberos options. ok djm@ markus@

Revision 1.118 / (download) - annotate - [select for diffs], Wed Apr 9 08:23:52 2003 UTC (21 years, 1 month ago) by hin
Branch: MAIN
Changes since 1.117: +2 -2 lines
Diff to previous 1.117 (colored)

Don't include <krb.h> when compiling with Kerberos 5 support

Revision 1.117 / (download) - annotate - [select for diffs], Tue Apr 8 20:21:29 2003 UTC (21 years, 1 month ago) by itojun
Branch: MAIN
Changes since 1.116: +2 -2 lines
Diff to previous 1.116 (colored)

rename log() into logit() to avoid name conflict.  markus ok, from netbsd

Revision 1.105.2.6 / (download) - annotate - [select for diffs], Thu Apr 3 22:35:17 2003 UTC (21 years, 1 month ago) by miod
Branch: OPENBSD_3_1
Changes since 1.105.2.5: +2 -1 lines
Diff to previous 1.105.2.5 (colored) to branchpoint 1.105 (colored) next main 1.106 (colored)

Merge OpenSSH 3.6.1

Revision 1.115.2.1 / (download) - annotate - [select for diffs], Tue Apr 1 00:12:14 2003 UTC (21 years, 1 month ago) by margarida
Branch: OPENBSD_3_2
Changes since 1.115: +2 -1 lines
Diff to previous 1.115 (colored)

Update to OpenSSH 3.6

Revision 1.116 / (download) - annotate - [select for diffs], Fri Feb 21 09:05:53 2003 UTC (21 years, 2 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_3_3_BASE
Branch point for: OPENBSD_3_3
Changes since 1.115: +2 -1 lines
Diff to previous 1.115 (colored)

print sshd_config filename in debug2 mode.

Revision 1.89.2.7 / (download) - annotate - [select for diffs], Fri Oct 11 14:53:07 2002 UTC (21 years, 7 months ago) by miod
Branch: OPENBSD_3_0
Changes since 1.89.2.6: +11 -3 lines
Diff to previous 1.89.2.6 (colored) to branchpoint 1.89 (colored) next main 1.90 (colored)

Update to OpenSSH 3.5

Revision 1.105.2.5 / (download) - annotate - [select for diffs], Fri Oct 11 14:51:52 2002 UTC (21 years, 7 months ago) by miod
Branch: OPENBSD_3_1
Changes since 1.105.2.4: +11 -3 lines
Diff to previous 1.105.2.4 (colored) to branchpoint 1.105 (colored)

Update to OpenSSH 3.5

Revision 1.115 / (download) - annotate - [select for diffs], Wed Sep 4 18:52:42 2002 UTC (21 years, 8 months ago) by stevesk
Branch: MAIN
CVS Tags: OPENBSD_3_2_BASE
Branch point for: OPENBSD_3_2
Changes since 1.114: +2 -2 lines
Diff to previous 1.114 (colored)

default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@

Revision 1.114 / (download) - annotate - [select for diffs], Wed Aug 21 19:38:06 2002 UTC (21 years, 9 months ago) by stevesk
Branch: MAIN
Changes since 1.113: +2 -2 lines
Diff to previous 1.113 (colored)

change LoginGraceTime default to 1 minute; ok mouring@ markus@

Revision 1.113 / (download) - annotate - [select for diffs], Tue Jul 30 17:03:55 2002 UTC (21 years, 9 months ago) by markus
Branch: MAIN
Changes since 1.112: +10 -2 lines
Diff to previous 1.112 (colored)

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt

Revision 1.89.2.6 / (download) - annotate - [select for diffs], Wed Jun 26 18:22:35 2002 UTC (21 years, 10 months ago) by miod
Branch: OPENBSD_3_0
Changes since 1.89.2.5: +11 -10 lines
Diff to previous 1.89.2.5 (colored) to branchpoint 1.89 (colored)

There was an update to OpenSSH 3.4, and people rejoiced.

Revision 1.105.2.4 / (download) - annotate - [select for diffs], Wed Jun 26 15:30:38 2002 UTC (21 years, 10 months ago) by jason
Branch: OPENBSD_3_1
Changes since 1.105.2.3: +20 -11 lines
Diff to previous 1.105.2.3 (colored) to branchpoint 1.105 (colored)

Pull in OpenSSH-3.4

Revision 1.112 / (download) - annotate - [select for diffs], Sun Jun 23 09:46:51 2002 UTC (21 years, 10 months ago) by deraadt
Branch: MAIN
Changes since 1.111: +11 -10 lines
Diff to previous 1.111 (colored)

minor KNF.  things the fingers do while you read

Revision 1.89.2.5 / (download) - annotate - [select for diffs], Sat Jun 22 07:23:17 2002 UTC (21 years, 11 months ago) by miod
Branch: OPENBSD_3_0
Changes since 1.89.2.4: +12 -4 lines
Diff to previous 1.89.2.4 (colored) to branchpoint 1.89 (colored)

Update OpenSSH to version 3.3 (with local changes, configuration files still
living in /etc and privsep user being nobody).

Revision 1.105.2.3 / (download) - annotate - [select for diffs], Sat Jun 22 04:33:15 2002 UTC (21 years, 11 months ago) by jason
Branch: OPENBSD_3_1
Changes since 1.105.2.2: +3 -3 lines
Diff to previous 1.105.2.2 (colored) to branchpoint 1.105 (colored)

- create /var/empty directory before install
- enable privsep by default

Revision 1.111 / (download) - annotate - [select for diffs], Thu Jun 20 23:05:55 2002 UTC (21 years, 11 months ago) by markus
Branch: MAIN
Changes since 1.110: +10 -2 lines
Diff to previous 1.110 (colored)

allow Compression=yes/no in sshd_config

Revision 1.78.2.4 / (download) - annotate - [select for diffs], Sun Jun 2 22:56:10 2002 UTC (21 years, 11 months ago) by miod
Branch: OPENBSD_2_9
Changes since 1.78.2.3: +18 -3 lines
Diff to previous 1.78.2.3 (colored) to branchpoint 1.78 (colored) next main 1.79 (colored)

Upgrade to OpenSSH 3.2.3.

Except for improbable compilation error fixes, this should be the last
commit made to the 2.9-STABLE branch. Have fun upgrading.

Revision 1.105.2.2 / (download) - annotate - [select for diffs], Sat May 18 04:50:38 2002 UTC (22 years ago) by jason
Branch: OPENBSD_3_1
Changes since 1.105.2.1: +0 -0 lines
Diff to previous 1.105.2.1 (colored) to branchpoint 1.105 (colored)

Update to OpenSSH-3.2.3

Revision 1.105.2.1 / (download) - annotate - [select for diffs], Sat May 18 04:12:11 2002 UTC (22 years ago) by jason
Branch: OPENBSD_3_1
Changes since 1.105: +3 -3 lines
Diff to previous 1.105 (colored)

Update to OpenSSH-3.2.2

Revision 1.89.2.4 / (download) - annotate - [select for diffs], Fri May 17 00:03:24 2002 UTC (22 years ago) by miod
Branch: OPENBSD_3_0
Changes since 1.89.2.3: +18 -3 lines
Diff to previous 1.89.2.3 (colored) to branchpoint 1.89 (colored)

Update OpenSSH to version 3.2.2.

Revision 1.110 / (download) - annotate - [select for diffs], Wed May 15 21:56:38 2002 UTC (22 years ago) by markus
Branch: MAIN
Changes since 1.109: +3 -3 lines
Diff to previous 1.109 (colored)

re-enable privsep and disable setuid for post-3.2.2

Revision 1.109 / (download) - annotate - [select for diffs], Wed May 15 21:02:52 2002 UTC (22 years ago) by markus
Branch: MAIN
Changes since 1.108: +3 -3 lines
Diff to previous 1.108 (colored)

disable privsep and enable setuid for the 3.2.2 release

Revision 1.108 / (download) - annotate - [select for diffs], Sat May 4 02:39:35 2002 UTC (22 years ago) by deraadt
Branch: MAIN
Changes since 1.107: +3 -3 lines
Diff to previous 1.107 (colored)

enable privsep by default; provos ok

Revision 1.107 / (download) - annotate - [select for diffs], Mon Apr 22 16:16:53 2002 UTC (22 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.106: +2 -2 lines
Diff to previous 1.106 (colored)

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@

Revision 1.106 / (download) - annotate - [select for diffs], Sat Apr 20 09:02:03 2002 UTC (22 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.105: +2 -2 lines
Diff to previous 1.105 (colored)

No, afs requires explicit enabling

Revision 1.105 / (download) - annotate - [select for diffs], Wed Mar 20 19:12:24 2002 UTC (22 years, 2 months ago) by stevesk
Branch: MAIN
CVS Tags: OPENBSD_3_1_BASE
Branch point for: OPENBSD_3_1
Changes since 1.104: +2 -19 lines
Diff to previous 1.104 (colored)

for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw).  ok provos@

Revision 1.104 / (download) - annotate - [select for diffs], Tue Mar 19 03:03:43 2002 UTC (22 years, 2 months ago) by stevesk
Branch: MAIN
Changes since 1.103: +2 -10 lines
Diff to previous 1.103 (colored)

_PATH_PRIVSEP_CHROOT_DIR; ok provos@

Revision 1.103 / (download) - annotate - [select for diffs], Mon Mar 18 23:52:51 2002 UTC (22 years, 2 months ago) by stevesk
Branch: MAIN
Changes since 1.102: +3 -3 lines
Diff to previous 1.102 (colored)

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@

Revision 1.102 / (download) - annotate - [select for diffs], Mon Mar 18 17:50:31 2002 UTC (22 years, 2 months ago) by provos
Branch: MAIN
Changes since 1.101: +41 -1 lines
Diff to previous 1.101 (colored)

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@

Revision 1.78.2.3 / (download) - annotate - [select for diffs], Sat Mar 9 00:20:44 2002 UTC (22 years, 2 months ago) by miod
Branch: OPENBSD_2_9
Changes since 1.78.2.2: +480 -457 lines
Diff to previous 1.78.2.2 (colored) to branchpoint 1.78 (colored)

Merge OpenSSH 3.1, keeping /etc as configuration files directory.
(i.e. OpenSSH 3.1 + openbsd29_3.1.patch)

Revision 1.53.2.7 / (download) - annotate - [select for diffs], Fri Mar 8 17:04:43 2002 UTC (22 years, 2 months ago) by brad
Branch: OPENBSD_2_8
Changes since 1.53.2.6: +480 -457 lines
Diff to previous 1.53.2.6 (colored) to branchpoint 1.53 (colored) next main 1.54 (colored)

Merge OpenSSH 3.1.

Revision 1.89.2.3 / (download) - annotate - [select for diffs], Fri Mar 8 15:17:18 2002 UTC (22 years, 2 months ago) by brad
Branch: OPENBSD_3_0
Changes since 1.89.2.2: +2 -2 lines
Diff to previous 1.89.2.2 (colored) to branchpoint 1.89 (colored)

apply the necessary openbsd30_3.1.patch patch.
--
Ok'd by markus@

Revision 1.89.2.2 / (download) - annotate - [select for diffs], Thu Mar 7 17:37:47 2002 UTC (22 years, 2 months ago) by jason
Branch: OPENBSD_3_0
Changes since 1.89.2.1: +480 -457 lines
Diff to previous 1.89.2.1 (colored) to branchpoint 1.89 (colored)

Update to OpenSSH-3.1 on 3.0-stable branch

Revision 1.101 / (download) - annotate - [select for diffs], Mon Feb 4 12:15:25 2002 UTC (22 years, 3 months ago) by markus
Branch: MAIN
Changes since 1.100: +7 -7 lines
Diff to previous 1.100 (colored)

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@

Revision 1.100 / (download) - annotate - [select for diffs], Tue Jan 29 14:32:03 2002 UTC (22 years, 3 months ago) by markus
Branch: MAIN
Changes since 1.99: +9 -8 lines
Diff to previous 1.99 (colored)

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@

Revision 1.99 / (download) - annotate - [select for diffs], Sun Jan 27 14:57:46 2002 UTC (22 years, 3 months ago) by stevesk
Branch: MAIN
Changes since 1.98: +10 -2 lines
Diff to previous 1.98 (colored)

add X11UseLocalhost; ok markus@

Revision 1.98 / (download) - annotate - [select for diffs], Tue Jan 22 02:52:41 2002 UTC (22 years, 3 months ago) by stevesk
Branch: MAIN
Changes since 1.97: +2 -2 lines
Diff to previous 1.97 (colored)

typo in error message; from djast@cs.toronto.edu

Revision 1.97 / (download) - annotate - [select for diffs], Fri Jan 4 18:14:16 2002 UTC (22 years, 4 months ago) by stevesk
Branch: MAIN
Changes since 1.96: +9 -4 lines
Diff to previous 1.96 (colored)

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config.  ok markus@

Revision 1.96 / (download) - annotate - [select for diffs], Fri Jan 4 17:59:17 2002 UTC (22 years, 4 months ago) by stevesk
Branch: MAIN
Changes since 1.95: +1 -3 lines
Diff to previous 1.95 (colored)

remove #ifdef _PATH_XAUTH/#endif; ok markus@

Revision 1.95 / (download) - annotate - [select for diffs], Wed Dec 19 07:18:56 2001 UTC (22 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.94: +10 -10 lines
Diff to previous 1.94 (colored)

basic KNF done while i was looking for something else

Revision 1.94 / (download) - annotate - [select for diffs], Thu Dec 6 13:30:05 2001 UTC (22 years, 5 months ago) by markus
Branch: MAIN
Changes since 1.93: +449 -438 lines
Diff to previous 1.93 (colored)

add -o to sshd, too. ok deraadt@

Revision 1.93 / (download) - annotate - [select for diffs], Wed Dec 5 10:06:12 2001 UTC (22 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.92: +4 -4 lines
Diff to previous 1.92 (colored)

minor KNF

Revision 1.92 / (download) - annotate - [select for diffs], Sat Nov 17 19:14:34 2001 UTC (22 years, 6 months ago) by stevesk
Branch: MAIN
Changes since 1.91: +2 -2 lines
Diff to previous 1.91 (colored)

enum/int type cleanup where it made sense to do so; ok markus@

Revision 1.78.2.2 / (download) - annotate - [select for diffs], Thu Nov 15 22:51:15 2001 UTC (22 years, 6 months ago) by miod
Branch: OPENBSD_2_9
Changes since 1.78.2.1: +8 -3 lines
Diff to previous 1.78.2.1 (colored) to branchpoint 1.78 (colored)

Merge OpenSSH 3.0.1.

Revision 1.53.2.6 / (download) - annotate - [select for diffs], Thu Nov 15 22:50:30 2001 UTC (22 years, 6 months ago) by miod
Branch: OPENBSD_2_8
Changes since 1.53.2.5: +8 -3 lines
Diff to previous 1.53.2.5 (colored) to branchpoint 1.53 (colored)

Merge OpenSSH 3.0.1.

This is likely to be the last commit to the 2.8-STABLE branch.

Revision 1.89.2.1 / (download) - annotate - [select for diffs], Wed Nov 14 03:24:39 2001 UTC (22 years, 6 months ago) by jason
Branch: OPENBSD_3_0
Changes since 1.89: +8 -3 lines
Diff to previous 1.89 (colored)

Pull in patches from current (Errata 002):
Update to OpenSSH-3.0.1 via errata patch (Instead of using release tarball)

Revision 1.91 / (download) - annotate - [select for diffs], Mon Nov 12 18:17:07 2001 UTC (22 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.90: +1 -3 lines
Diff to previous 1.90 (colored)

enable authorized_keys2 again. tested by fries@

Revision 1.90 / (download) - annotate - [select for diffs], Sun Nov 11 13:02:31 2001 UTC (22 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.89: +10 -3 lines
Diff to previous 1.89 (colored)

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.

Revision 1.78.2.1 / (download) - annotate - [select for diffs], Thu Sep 27 19:03:55 2001 UTC (22 years, 7 months ago) by jason
Branch: OPENBSD_2_9
Changes since 1.78: +94 -50 lines
Diff to previous 1.78 (colored)

Pull in OpenSSH-2.9.9

Revision 1.53.2.5 / (download) - annotate - [select for diffs], Thu Sep 27 00:15:42 2001 UTC (22 years, 7 months ago) by miod
Branch: OPENBSD_2_8
Changes since 1.53.2.4: +94 -50 lines
Diff to previous 1.53.2.4 (colored) to branchpoint 1.53 (colored)

Pull in OpenSSH 2.9.9 to the 2.8 branch.

Revision 1.89 / (download) - annotate - [select for diffs], Thu Aug 16 19:18:34 2001 UTC (22 years, 9 months ago) by jakob
Branch: MAIN
CVS Tags: OPENBSD_3_0_BASE
Branch point for: OPENBSD_3_0
Changes since 1.88: +12 -11 lines
Diff to previous 1.88 (colored)

deprecate CheckMail. ok markus@

Revision 1.88 / (download) - annotate - [select for diffs], Wed Jul 11 00:24:53 2001 UTC (22 years, 10 months ago) by itojun
Branch: MAIN
Changes since 1.87: +2 -2 lines
Diff to previous 1.87 (colored)

make it compilable in all 4 combinations of KRB4/KRB5 settings.  dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?

Revision 1.87 / (download) - annotate - [select for diffs], Sun Jul 8 15:23:38 2001 UTC (22 years, 10 months ago) by stevesk
Branch: MAIN
Changes since 1.86: +11 -9 lines
Diff to previous 1.86 (colored)

fix ``MaxStartups max''; ok markus@

Revision 1.86 / (download) - annotate - [select for diffs], Tue Jun 26 17:41:49 2001 UTC (22 years, 10 months ago) by dugsong
Branch: MAIN
Changes since 1.85: +4 -1 lines
Diff to previous 1.85 (colored)

#include <kafs.h>

Revision 1.85 / (download) - annotate - [select for diffs], Tue Jun 26 16:15:24 2001 UTC (22 years, 10 months ago) by dugsong
Branch: MAIN
Changes since 1.84: +24 -19 lines
Diff to previous 1.84 (colored)

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok

Revision 1.84 / (download) - annotate - [select for diffs], Sat Jun 23 15:12:19 2001 UTC (22 years, 10 months ago) by itojun
Branch: MAIN
Changes since 1.83: +5 -5 lines
Diff to previous 1.83 (colored)

more strict prototypes.  raise warning level in Makefile.inc.  markus ok'ed
TODO; cleanup headers

Revision 1.83 / (download) - annotate - [select for diffs], Fri Jun 8 15:25:40 2001 UTC (22 years, 11 months ago) by markus
Branch: MAIN
Changes since 1.82: +4 -4 lines
Diff to previous 1.82 (colored)

move the path for xauth to pathnames.h

Revision 1.82 / (download) - annotate - [select for diffs], Sun May 20 17:20:35 2001 UTC (23 years ago) by markus
Branch: MAIN
Changes since 1.81: +22 -2 lines
Diff to previous 1.81 (colored)

configurable authorized_keys{,2} location; originally from peter@; ok djm@

Revision 1.81 / (download) - annotate - [select for diffs], Sat May 19 19:43:57 2001 UTC (23 years ago) by stevesk
Branch: MAIN
Changes since 1.80: +17 -4 lines
Diff to previous 1.80 (colored)

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
    <none>,s,m,h,d,w
Examples:
    600     600 seconds (10 minutes)
    10m     10 minutes
    1h30m   1 hour 30 minutes (90 minutes)
ok markus@

Revision 1.80 / (download) - annotate - [select for diffs], Fri May 18 14:13:29 2001 UTC (23 years ago) by markus
Branch: MAIN
Changes since 1.79: +5 -5 lines
Diff to previous 1.79 (colored)

improved kbd-interactive support. work by per@appgate.com and me

Revision 1.53.2.4 / (download) - annotate - [select for diffs], Mon May 7 21:09:33 2001 UTC (23 years ago) by jason
Branch: OPENBSD_2_8
Changes since 1.53.2.3: +142 -84 lines
Diff to previous 1.53.2.3 (colored) to branchpoint 1.53 (colored)

Pull in OpenSSH-2.9 to 2.8 branch.

Revision 1.79 / (download) - annotate - [select for diffs], Thu May 3 21:43:01 2001 UTC (23 years ago) by stevesk
Branch: MAIN
Changes since 1.78: +2 -2 lines
Diff to previous 1.78 (colored)

remove "\n" from fatal()

Revision 1.78 / (download) - annotate - [select for diffs], Sun Apr 15 21:28:35 2001 UTC (23 years, 1 month ago) by stevesk
Branch: MAIN
CVS Tags: OPENBSD_2_9_BASE
Branch point for: OPENBSD_2_9
Changes since 1.77: +31 -50 lines
Diff to previous 1.77 (colored)

use fatal() or error() vs. fprintf(); ok markus@

Revision 1.77 / (download) - annotate - [select for diffs], Fri Apr 13 22:46:53 2001 UTC (23 years, 1 month ago) by beck
Branch: MAIN
Changes since 1.76: +17 -3 lines
Diff to previous 1.76 (colored)

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@

Revision 1.76 / (download) - annotate - [select for diffs], Thu Apr 12 20:09:37 2001 UTC (23 years, 1 month ago) by stevesk
Branch: MAIN
Changes since 1.75: +18 -14 lines
Diff to previous 1.75 (colored)

robust port validation; ok markus@ jakob@

Revision 1.75 / (download) - annotate - [select for diffs], Thu Apr 12 19:15:25 2001 UTC (23 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.74: +19 -2 lines
Diff to previous 1.74 (colored)

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option.  please test. :)

Revision 1.74 / (download) - annotate - [select for diffs], Fri Apr 6 22:25:25 2001 UTC (23 years, 1 month ago) by stevesk
Branch: MAIN
Changes since 1.73: +59 -25 lines
Diff to previous 1.73 (colored)

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming.  ok markus@

Revision 1.73 / (download) - annotate - [select for diffs], Mon Apr 2 14:20:23 2001 UTC (23 years, 1 month ago) by stevesk
Branch: MAIN
Changes since 1.72: +2 -3 lines
Diff to previous 1.72 (colored)

correct comment; ok markus@

Revision 1.72 / (download) - annotate - [select for diffs], Sun Mar 25 13:16:10 2001 UTC (23 years, 1 month ago) by stevesk
Branch: MAIN
Changes since 1.71: +11 -2 lines
Diff to previous 1.71 (colored)

PrintLastLog option; from chip@valinux.com with some minor
changes by me.  ok markus@

Revision 1.53.2.3 / (download) - annotate - [select for diffs], Wed Mar 21 19:46:28 2001 UTC (23 years, 2 months ago) by jason
Branch: OPENBSD_2_8
Changes since 1.53.2.2: +17 -22 lines
Diff to previous 1.53.2.2 (colored) to branchpoint 1.53 (colored)

Pull in OpenSSH-2.5.2 for 2.8 branch.

Revision 1.40.2.5 / (download) - annotate - [select for diffs], Wed Mar 21 18:53:00 2001 UTC (23 years, 2 months ago) by jason
Branch: OPENBSD_2_7
Changes since 1.40.2.4: +17 -22 lines
Diff to previous 1.40.2.4 (colored) to branchpoint 1.40 (colored) next main 1.41 (colored)

Pull in OpenSSH-2.5.2 for 2.7 branch.

Revision 1.40.2.4 / (download) - annotate - [select for diffs], Mon Mar 12 15:44:14 2001 UTC (23 years, 2 months ago) by jason
Branch: OPENBSD_2_7
Changes since 1.40.2.3: +105 -54 lines
Diff to previous 1.40.2.3 (colored) to branchpoint 1.40 (colored)

OpenSSH-2.5.1 for 2.7 patch branch

Revision 1.71 / (download) - annotate - [select for diffs], Mon Mar 5 15:44:51 2001 UTC (23 years, 2 months ago) by stevesk
Branch: MAIN
Changes since 1.70: +4 -3 lines
Diff to previous 1.70 (colored)

sync error message; ok markus@

Revision 1.70 / (download) - annotate - [select for diffs], Sun Mar 4 17:42:28 2001 UTC (23 years, 2 months ago) by millert
Branch: MAIN
Changes since 1.69: +11 -11 lines
Diff to previous 1.69 (colored)

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.

Revision 1.69 / (download) - annotate - [select for diffs], Sun Mar 4 11:16:06 2001 UTC (23 years, 2 months ago) by stevesk
Branch: MAIN
Changes since 1.68: +2 -9 lines
Diff to previous 1.68 (colored)

kill obsolete RandomSeed; ok markus@ deraadt@

Revision 1.68 / (download) - annotate - [select for diffs], Thu Feb 22 04:29:37 2001 UTC (23 years, 2 months ago) by deraadt
Branch: MAIN
Changes since 1.67: +3 -2 lines
Diff to previous 1.67 (colored)

grammar; slade@shore.net

Revision 1.53.2.2 / (download) - annotate - [select for diffs], Mon Feb 19 17:19:18 2001 UTC (23 years, 3 months ago) by jason
Branch: OPENBSD_2_8
Changes since 1.53.2.1: +0 -0 lines
Diff to previous 1.53.2.1 (colored) to branchpoint 1.53 (colored)

Pull in OpenSSH-2.5.1

Revision 1.53.2.1 / (download) - annotate - [select for diffs], Fri Feb 16 20:13:12 2001 UTC (23 years, 3 months ago) by jason
Branch: OPENBSD_2_8
Changes since 1.53: +105 -54 lines
Diff to previous 1.53 (colored)

Pull in OpenSSH 2.5.0

Revision 1.67 / (download) - annotate - [select for diffs], Mon Feb 12 16:16:23 2001 UTC (23 years, 3 months ago) by markus
Branch: MAIN
Changes since 1.66: +12 -9 lines
Diff to previous 1.66 (colored)

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)

Revision 1.66 / (download) - annotate - [select for diffs], Sun Feb 11 12:59:25 2001 UTC (23 years, 3 months ago) by markus
Branch: MAIN
Changes since 1.65: +17 -2 lines
Diff to previous 1.65 (colored)

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
	ok stevesk@, provos@

Revision 1.65 / (download) - annotate - [select for diffs], Sun Feb 4 15:32:24 2001 UTC (23 years, 3 months ago) by stevesk
Branch: MAIN
Changes since 1.64: +5 -5 lines
Diff to previous 1.64 (colored)

unexpand and remove end-of-line whitespace; ok markus@

Revision 1.64 / (download) - annotate - [select for diffs], Sat Feb 3 10:08:37 2001 UTC (23 years, 3 months ago) by markus
Branch: MAIN
Changes since 1.63: +10 -2 lines
Diff to previous 1.63 (colored)

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@

Revision 1.63 / (download) - annotate - [select for diffs], Mon Jan 22 23:06:39 2001 UTC (23 years, 3 months ago) by markus
Branch: MAIN
Changes since 1.62: +9 -8 lines
Diff to previous 1.62 (colored)

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.

Revision 1.62 / (download) - annotate - [select for diffs], Sun Jan 21 19:05:55 2001 UTC (23 years, 3 months ago) by markus
Branch: MAIN
Changes since 1.61: +15 -2 lines
Diff to previous 1.61 (colored)

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

Revision 1.61 / (download) - annotate - [select for diffs], Sat Jan 20 23:00:56 2001 UTC (23 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.60: +2 -2 lines
Diff to previous 1.60 (colored)

Check for NULL return from strdelim; ok markus

Revision 1.60 / (download) - annotate - [select for diffs], Fri Jan 19 15:55:11 2001 UTC (23 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.59: +5 -4 lines
Diff to previous 1.59 (colored)

move ssh1 definitions to ssh1.h, pathnames to pathnames.h

Revision 1.59 / (download) - annotate - [select for diffs], Fri Jan 19 12:45:26 2001 UTC (23 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.58: +1 -11 lines
Diff to previous 1.58 (colored)

only auth-chall.c needs #ifdef SKEY

Revision 1.58 / (download) - annotate - [select for diffs], Thu Jan 18 16:20:22 2001 UTC (23 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.57: +2 -2 lines
Diff to previous 1.57 (colored)

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems

Revision 1.57 / (download) - annotate - [select for diffs], Mon Jan 8 22:29:05 2001 UTC (23 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.56: +8 -1 lines
Diff to previous 1.56 (colored)

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).

Revision 1.56 / (download) - annotate - [select for diffs], Sun Jan 7 11:28:06 2001 UTC (23 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.55: +2 -2 lines
Diff to previous 1.55 (colored)

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
	fatal() LOG_ERR  -> LOG_CRIT
	log()   LOG_INFO -> LOG_NOTICE

Revision 1.55 / (download) - annotate - [select for diffs], Tue Dec 19 23:17:57 2000 UTC (23 years, 5 months ago) by markus
Branch: MAIN
Changes since 1.54: +2 -2 lines
Diff to previous 1.54 (colored)

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.

Revision 1.54 / (download) - annotate - [select for diffs], Sun Nov 12 19:50:38 2000 UTC (23 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.53: +35 -22 lines
Diff to previous 1.53 (colored)

add support for RSA to SSH2.  please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.

Revision 1.40.2.3 / (download) - annotate - [select for diffs], Wed Nov 8 21:31:12 2000 UTC (23 years, 6 months ago) by jason
Branch: OPENBSD_2_7
Changes since 1.40.2.2: +25 -10 lines
Diff to previous 1.40.2.2 (colored) to branchpoint 1.40 (colored)

openssh-2.3.0 (again) for 2.7 branch

Revision 1.53 / (download) - annotate - [select for diffs], Sat Oct 14 12:12:09 2000 UTC (23 years, 7 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_2_8_BASE
Branch point for: OPENBSD_2_8
Changes since 1.52: +11 -2 lines
Diff to previous 1.52 (colored)

AllowTcpForwarding; from naddy@

Revision 1.52 / (download) - annotate - [select for diffs], Wed Oct 11 20:14:39 2000 UTC (23 years, 7 months ago) by markus
Branch: MAIN
Changes since 1.51: +10 -2 lines
Diff to previous 1.51 (colored)

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me

Revision 1.51 / (download) - annotate - [select for diffs], Thu Sep 7 20:27:53 2000 UTC (23 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.50: +6 -8 lines
Diff to previous 1.50 (colored)

cleanup copyright notices on all files.  I have attempted to be accurate with
the details.  everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence.  We're not changing any rules, just
being accurate.

Revision 1.40.2.2 / (download) - annotate - [select for diffs], Fri Sep 1 18:23:22 2000 UTC (23 years, 8 months ago) by jason
Branch: OPENBSD_2_7
Changes since 1.40.2.1: +117 -60 lines
Diff to previous 1.40.2.1 (colored) to branchpoint 1.40 (colored)

Pull in the rest of openssh-2.2.0 to 2.7 branch (luvin' cvs...)

Revision 1.50 / (download) - annotate - [select for diffs], Sat Jul 22 09:14:36 2000 UTC (23 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.49: +23 -1 lines
Diff to previous 1.49 (colored)

random early drop; ok theo, niels

Revision 1.49 / (download) - annotate - [select for diffs], Fri Jul 14 22:59:46 2000 UTC (23 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.48: +2 -2 lines
Diff to previous 1.48 (colored)

allow leading whitespace. ok niels

Revision 1.48 / (download) - annotate - [select for diffs], Thu Jul 13 22:53:21 2000 UTC (23 years, 10 months ago) by provos
Branch: MAIN
Changes since 1.47: +25 -24 lines
Diff to previous 1.47 (colored)

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@

Revision 1.47 / (download) - annotate - [select for diffs], Mon Jul 10 16:30:25 2000 UTC (23 years, 10 months ago) by ho
Branch: MAIN
Changes since 1.46: +64 -63 lines
Diff to previous 1.46 (colored)

strtok() --> strsep(). (niels@ ok)

Revision 1.46 / (download) - annotate - [select for diffs], Mon Jun 26 21:59:18 2000 UTC (23 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.45: +10 -2 lines
Diff to previous 1.45 (colored)

MaxStartups: limit number of unauthenticated connections, work by theo and me

Revision 1.45 / (download) - annotate - [select for diffs], Tue Jun 20 01:39:44 2000 UTC (23 years, 11 months ago) by markus
Branch: MAIN
Changes since 1.44: +1 -1 lines
Diff to previous 1.44 (colored)

OpenBSD tag

Revision 1.44 / (download) - annotate - [select for diffs], Sun Jun 18 00:57:48 2000 UTC (23 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.43: +2 -2 lines
Diff to previous 1.43 (colored)

include = in WHITESPACE; markus ok

Revision 1.43 / (download) - annotate - [select for diffs], Sat Jun 17 22:52:33 2000 UTC (23 years, 11 months ago) by jakob
Branch: MAIN
Changes since 1.42: +27 -2 lines
Diff to previous 1.42 (colored)

add support for ssh v2 subsystems. ok markus@.

Revision 1.40.2.1 / (download) - annotate - [select for diffs], Mon Jun 12 02:37:35 2000 UTC (23 years, 11 months ago) by jason
Branch: OPENBSD_2_7
Changes since 1.40: +18 -11 lines
Diff to previous 1.40 (colored)

lovin' CVS... update patch branch to OpenSSH-2.1.1

Revision 1.42 / (download) - annotate - [select for diffs], Wed May 31 06:36:40 2000 UTC (23 years, 11 months ago) by markus
Branch: MAIN
Changes since 1.41: +14 -11 lines
Diff to previous 1.41 (colored)

xauth_location support; pr 1234

Revision 1.41 / (download) - annotate - [select for diffs], Mon May 22 18:42:01 2000 UTC (24 years ago) by markus
Branch: MAIN
Changes since 1.40: +5 -1 lines
Diff to previous 1.40 (colored)

check strtok() != NULL; ok niels@

Revision 1.40 / (download) - annotate - [select for diffs], Mon May 8 17:12:15 2000 UTC (24 years ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_2_7_BASE
Branch point for: OPENBSD_2_7
Changes since 1.39: +2 -2 lines
Diff to previous 1.39 (colored)

complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)

Revision 1.39 / (download) - annotate - [select for diffs], Sat May 6 17:45:36 2000 UTC (24 years ago) by markus
Branch: MAIN
Changes since 1.38: +10 -2 lines
Diff to previous 1.38 (colored)

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8

Revision 1.38 / (download) - annotate - [select for diffs], Wed May 3 18:03:06 2000 UTC (24 years ago) by markus
Branch: MAIN
Changes since 1.37: +11 -2 lines
Diff to previous 1.37 (colored)

GatewayPorts for sshd, ok deraadt@

Revision 1.37 / (download) - annotate - [select for diffs], Wed May 3 10:21:47 2000 UTC (24 years ago) by markus
Branch: MAIN
Changes since 1.36: +8 -8 lines
Diff to previous 1.36 (colored)

s/DsaKey/HostDSAKey/, document option

Revision 1.36 / (download) - annotate - [select for diffs], Mon May 1 18:50:58 2000 UTC (24 years ago) by markus
Branch: MAIN
Changes since 1.35: +19 -3 lines
Diff to previous 1.35 (colored)

PidFile, pr 1210

Revision 1.35 / (download) - annotate - [select for diffs], Wed Apr 26 22:43:15 2000 UTC (24 years ago) by markus
Branch: MAIN
Changes since 1.34: +2 -2 lines
Diff to previous 1.34 (colored)

ssh/sshd default to proto 1 and 2

Revision 1.34 / (download) - annotate - [select for diffs], Fri Apr 14 10:30:33 2000 UTC (24 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.33: +12 -12 lines
Diff to previous 1.33 (colored)

whitespace cleanup

Revision 1.33 / (download) - annotate - [select for diffs], Wed Apr 12 07:45:44 2000 UTC (24 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.32: +43 -24 lines
Diff to previous 1.32 (colored)

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'

Revision 1.32 / (download) - annotate - [select for diffs], Thu Apr 6 08:55:22 2000 UTC (24 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.31: +9 -3 lines
Diff to previous 1.31 (colored)

ssh2 server side, see README.openssh2; enable with 'sshd -2'

Revision 1.31 / (download) - annotate - [select for diffs], Tue Mar 7 20:40:41 2000 UTC (24 years, 2 months ago) by markus
Branch: MAIN
Changes since 1.30: +2 -2 lines
Diff to previous 1.30 (colored)

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de

Revision 1.30 / (download) - annotate - [select for diffs], Thu Feb 24 18:22:16 2000 UTC (24 years, 2 months ago) by markus
Branch: MAIN
Changes since 1.29: +6 -6 lines
Diff to previous 1.29 (colored)

sync with sshd_config

Revision 1.29 / (download) - annotate - [select for diffs], Tue Jan 4 00:07:59 2000 UTC (24 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.28: +64 -24 lines
Diff to previous 1.28 (colored)

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options.  note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)

Revision 1.28 / (download) - annotate - [select for diffs], Wed Nov 24 20:19:37 1999 UTC (24 years, 5 months ago) by markus
Branch: MAIN
Changes since 1.27: +2 -9 lines
Diff to previous 1.27 (colored)

strcasecmp instead of tolower

Revision 1.27 / (download) - annotate - [select for diffs], Wed Nov 24 19:53:50 1999 UTC (24 years, 5 months ago) by markus
Branch: MAIN
Changes since 1.26: +5 -3 lines
Diff to previous 1.26 (colored)

KNF, final part 3

Revision 1.26 / (download) - annotate - [select for diffs], Wed Nov 24 00:26:03 1999 UTC (24 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.25: +12 -12 lines
Diff to previous 1.25 (colored)

much more KNF

Revision 1.25 / (download) - annotate - [select for diffs], Tue Nov 23 22:25:54 1999 UTC (24 years, 5 months ago) by markus
Branch: MAIN
Changes since 1.24: +453 -474 lines
Diff to previous 1.24 (colored)

KNF part 1

Revision 1.24 / (download) - annotate - [select for diffs], Fri Nov 19 20:03:35 1999 UTC (24 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.23: +2 -2 lines
Diff to previous 1.23 (colored)

remove unused index (-Wall)

Revision 1.23 / (download) - annotate - [select for diffs], Fri Nov 19 16:04:17 1999 UTC (24 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.22: +15 -70 lines
Diff to previous 1.22 (colored)

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.

Revision 1.22 / (download) - annotate - [select for diffs], Thu Nov 11 23:26:53 1999 UTC (24 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.21: +13 -3 lines
Diff to previous 1.21 (colored)

print _all_ bad options found in configfile

Revision 1.21 / (download) - annotate - [select for diffs], Thu Nov 11 22:58:38 1999 UTC (24 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.20: +12 -4 lines
Diff to previous 1.20 (colored)

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert

Revision 1.20 / (download) - annotate - [select for diffs], Wed Nov 10 23:36:44 1999 UTC (24 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.19: +43 -19 lines
Diff to previous 1.19 (colored)

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.

Revision 1.19 / (download) - annotate - [select for diffs], Mon Oct 25 21:35:25 1999 UTC (24 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.18: +2 -2 lines
Diff to previous 1.18 (colored)

server-logs default to AUTH (consistency with sample sshd_config)

Revision 1.18 / (download) - annotate - [select for diffs], Sun Oct 17 23:09:16 1999 UTC (24 years, 7 months ago) by dugsong
Branch: MAIN
CVS Tags: OPENBSD_2_6_BASE, OPENBSD_2_6
Changes since 1.17: +2 -2 lines
Diff to previous 1.17 (colored)

default KerberosOrLocalPassword to 'yes'

Revision 1.17 / (download) - annotate - [select for diffs], Sun Oct 17 20:48:07 1999 UTC (24 years, 7 months ago) by dugsong
Branch: MAIN
Changes since 1.16: +3 -41 lines
Diff to previous 1.16 (colored)

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@

Revision 1.16 / (download) - annotate - [select for diffs], Thu Oct 14 20:17:24 1999 UTC (24 years, 7 months ago) by markus
Branch: MAIN
Changes since 1.15: +2 -2 lines
Diff to previous 1.15 (colored)

refuse to start if there is no configuration file for sshd. ok: deraadt

Revision 1.15 / (download) - annotate - [select for diffs], Thu Oct 14 19:56:02 1999 UTC (24 years, 7 months ago) by markus
Branch: MAIN
Changes since 1.14: +27 -6 lines
Diff to previous 1.14 (colored)

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels

Revision 1.14 / (download) - annotate - [select for diffs], Tue Oct 12 18:11:54 1999 UTC (24 years, 7 months ago) by markus
Branch: MAIN
Changes since 1.13: +10 -2 lines
Diff to previous 1.13 (colored)

SilentDeny, don't log/answer refused connections, deraadt@

Revision 1.13 / (download) - annotate - [select for diffs], Mon Oct 11 21:48:29 1999 UTC (24 years, 7 months ago) by markus
Branch: MAIN
Changes since 1.12: +63 -2 lines
Diff to previous 1.12 (colored)

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@

Revision 1.12 / (download) - annotate - [select for diffs], Mon Oct 11 21:07:37 1999 UTC (24 years, 7 months ago) by markus
Branch: MAIN
Changes since 1.11: +11 -2 lines
Diff to previous 1.11 (colored)

UseLogin, default=no, from kpa@gmx.net, ok deraadt@

Revision 1.11 / (download) - annotate - [select for diffs], Thu Oct 7 22:46:32 1999 UTC (24 years, 7 months ago) by markus
Branch: MAIN
Changes since 1.10: +10 -2 lines
Diff to previous 1.10 (colored)

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no

Revision 1.10 / (download) - annotate - [select for diffs], Thu Oct 7 21:45:02 1999 UTC (24 years, 7 months ago) by markus
Branch: MAIN
Changes since 1.9: +21 -2 lines
Diff to previous 1.9 (colored)

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
   keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
        ssh -o 'NumberOfPasswordPrompts 100000' host
   lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
   for s/key for nonexisting users, too
   limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27

Revision 1.9 / (download) - annotate - [select for diffs], Sat Oct 2 19:18:22 1999 UTC (24 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.8: +1 -2 lines
Diff to previous 1.8 (colored)

Wall

Revision 1.8 / (download) - annotate - [select for diffs], Fri Oct 1 22:23:48 1999 UTC (24 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.7: +2 -2 lines
Diff to previous 1.7 (colored)

randomseed is really gone now

Revision 1.7 / (download) - annotate - [select for diffs], Fri Oct 1 02:38:09 1999 UTC (24 years, 7 months ago) by provos
Branch: MAIN
Changes since 1.6: +5 -6 lines
Diff to previous 1.6 (colored)

get rid of references to randomseedfile we don't need it.  for sshd
just spit out a warning that the configuration option is obsolete.

Revision 1.6 / (download) - annotate - [select for diffs], Thu Sep 30 05:11:29 1999 UTC (24 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.5: +1 -5 lines
Diff to previous 1.5 (colored)

do not bother with dinosaur pacification

Revision 1.5 / (download) - annotate - [select for diffs], Wed Sep 29 22:08:13 1999 UTC (24 years, 7 months ago) by dugsong
Branch: MAIN
Changes since 1.4: +3 -3 lines
Diff to previous 1.4 (colored)

fix server krb4 option initialization

Revision 1.4 / (download) - annotate - [select for diffs], Wed Sep 29 18:16:20 1999 UTC (24 years, 7 months ago) by dugsong
Branch: MAIN
Changes since 1.3: +9 -31 lines
Diff to previous 1.3 (colored)

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages

Revision 1.3 / (download) - annotate - [select for diffs], Wed Sep 29 00:10:16 1999 UTC (24 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.2: +2 -2 lines
Diff to previous 1.2 (colored)

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de

Revision 1.2 / (download) - annotate - [select for diffs], Tue Sep 28 07:56:47 1999 UTC (24 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.1: +10 -2 lines
Diff to previous 1.1 (colored)

X11DisplayOffset; aaron

Revision 1.1 / (download) - annotate - [select for diffs], Sun Sep 26 20:53:37 1999 UTC (24 years, 7 months ago) by deraadt
Branch: MAIN

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues.  someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code.  when this is done, it will link against
libssl, but the work isn't completely done yet.  then we need to bring
this up to modern days, featurewise.
