Diffstat (limited to 'ChangeLog')
| -rw-r--r-- | ChangeLog | 3743 |
1 files changed, 1779 insertions, 1964 deletions
diff --git a/ChangeLog b/ChangeLog index f283a8b3f455..bcaa38f94386 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,10 +1,1675 @@ -commit 9ca7e9c861775dd6c6312bc8aaab687403d24676 +commit 279261e1ea8150c7c64ab5fe7cb4a4ea17acbb29 Author: Damien Miller <djm@mindrot.org> -Date: Wed May 27 10:38:00 2020 +1000 +Date: Sun Sep 27 17:25:01 2020 +1000 + + update version numbers + +commit 58ca6ab6ff035ed12b5078e3e9c7199fe72c8587 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Sep 27 07:22:05 2020 +0000 + + upstream: openssh 8.4 + + OpenBSD-Commit-ID: a29e5b372d2c00e297da8a35a3b87c9beb3b4a58 + +commit 9bb8a303ce05ff13fb421de991b495930be103c3 +Author: Damien Miller <djm@mindrot.org> +Date: Tue Sep 22 10:07:43 2020 +1000 + + sync with upstream ssh-copy-id rev f0da1a1b7 + +commit 0a4a5571ada76b1b012bec9cf6ad1203fc19ec8d +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Sep 21 07:29:09 2020 +0000 + + upstream: close stdin when forking after authentication too; ok markus + + OpenBSD-Commit-ID: 43db17e4abc3e6b4a7b033aa8cdab326a7cb6c24 + +commit d14fe25e6c3b89f8af17e2894046164ac3b45688 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Sep 20 23:31:46 2020 +0000 + + upstream: close stdout/stderr after "ssh -f ..." forking + + bz#3137, ok markus + + OpenBSD-Commit-ID: e2d83cc4dea1665651a7aa924ad1ed6bcaaab3e2 + +commit 53a33a0d745179c02108589e1722457ca8ae4372 +Author: Damien Miller <djm@mindrot.org> +Date: Sun Sep 20 15:57:09 2020 +1000 + + .depend + +commit 107eb3eeafcd390e1fa7cc7672a05e994d14013e +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Sep 20 05:47:25 2020 +0000 + + upstream: cap channel input buffer size at 16MB; avoids high memory use + + when peer advertises a large window but is slow to consume the data we send + (e.g. 
because of a slow network) + + reported by Pierre-Yves David + + fix with & ok markus@ + + OpenBSD-Commit-ID: 1452771f5e5e768876d3bfe2544e3866d6ade216 + +commit acfe2ac5fe033e227ad3a56624fbbe4af8b5da04 +Author: Damien Miller <djm@mindrot.org> +Date: Fri Sep 18 22:02:53 2020 +1000 + + libfido2 1.5.0 is recommended + +commit 52a03e9fca2d74eef953ddd4709250f365ca3975 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Sep 18 08:16:38 2020 +0000 + + upstream: handle multiple messages in a single read() + + PR#183 by Dennis Kaarsemaker; feedback and ok markus@ + + OpenBSD-Commit-ID: 8570bb4d02d00cf70b98590716ea6a7d1cce68d1 + +commit dc098405b2939146e17567a25b08fc6122893cdf +Author: pedro martelletto <pedro@ambientworks.net> +Date: Fri Sep 18 08:57:29 2020 +0200 + + configure.ac: add missing includes + + when testing, make sure to include the relevant header files that + declare the types of the functions used by the test: + + - stdio.h for printf(); + - stdlib.h for exit(); + - string.h for strcmp(); + - unistd.h for unlink(), _exit(), fork(), getppid(), sleep(). + +commit b3855ff053f5078ec3d3c653cdaedefaa5fc362d +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Sep 18 05:23:03 2020 +0000 + + upstream: tweak the client hostkey preference ordering algorithm to + + prefer the default ordering if the user has a key that matches the + best-preference default algorithm. + + feedback and ok markus@ + + OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f + +commit f93b187ab900c7d12875952cc63350fe4de8a0a8 +Author: Damien Miller <djm@mindrot.org> +Date: Fri Sep 18 14:55:48 2020 +1000 + + control over the colours in gnome-ssh-askpass[23] + + Optionally set the textarea colours via $GNOME_SSH_ASKPASS_FG_COLOR and + $GNOME_SSH_ASKPASS_BG_COLOR. These accept the usual three or six digit + hex colours. 
+ +commit 9d3d36bdb10b66abd1af42e8655502487b6ba1fa +Author: Damien Miller <djm@mindrot.org> +Date: Fri Sep 18 14:50:38 2020 +1000 + + focus improvement for gnome-ssh-askpass[23] + + When serving a SSH_ASKPASS_PROMPT=none information dialog, ensure + then <enter> doesn't immediately close the dialog. Instead, require an + explicit <tab> to reach the close button, or <esc>. + +commit d6f507f37e6c75a899db0ef8224e72797c5563b6 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Wed Sep 16 03:07:31 2020 +0000 + + upstream: Remove unused buf, last user was removed when switching + + to the sshbuf API. Patch from Sebastian Andrzej Siewior. + + OpenBSD-Commit-ID: 250fa17f0cec01039cc4abd95917d9746e24c889 + +commit c3c786c3a0973331ee0922b2c51832a3b8d7f20f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Sep 9 21:57:27 2020 +0000 + + upstream: For the hostkey confirmation message: + + > Are you sure you want to continue connecting (yes/no/[fingerprint])? + + compare the fingerprint case sensitively; spotted Patrik Lundin + ok dtucker + + OpenBSD-Commit-ID: 73097afee1b3a5929324e345ba4a4a42347409f2 + +commit f2950baf0bafe6aa20dfe2e8d1ca4b23528df617 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Sep 11 14:45:23 2020 +1000 + + New config-build-time dependency on automake. + +commit 600c1c27abd496372bd0cf83d21a1c119dfdf9a5 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sun Sep 6 21:56:36 2020 +1000 + + Add aclocal.m4 and config.h.in~ to .gitignore. + + aclocal.m4 is now generated by autoreconf. + +commit 4bf7e1d00b1dcd3a6b3239f77465c019e61c6715 +Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> +Date: Sat Sep 5 17:50:03 2020 +0200 + + Quote the definition of OSSH_CHECK_HEADER_FOR_FIELD + + autoreconf complains about underquoted definition of + OSSH_CHECK_HEADER_FOR_FIELD after aclocal.m4 has been and now is beeing + recreated. + + Quote OSSH_CHECK_HEADER_FOR_FIELD as suggested. + + 
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> + +commit a2f3ae386b5f7938ed3c565ad71f30c4f7f010f1 +Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> +Date: Sat Sep 5 17:50:02 2020 +0200 + + Move the local m4 macros + + The `aclocal' step is skipped during `autoreconf' because aclocal.m4 is + present. + Move the current aclocal.m4 which contains local macros into the m4/ + folder. With this change the aclocal.m4 will be re-created during + changes to the m4/ macro. + This is needed so the `aclocal' can fetch m4 macros from the system if + they are references in the configure script. This is a prerequisite to + use PKG_CHECK_MODULES. + + Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> + +commit 8372bff3a895b84fd78a81dc39da10928b662f5a +Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> +Date: Sat Sep 5 17:50:01 2020 +0200 + + Remove HAVE_MMAP and BROKEN_MMAP + + BROKEN_MMAP is no longer defined since commit + 1cfd5c06efb12 ("Remove portability support for mmap") + + this commit also removed other HAVE_MMAP user. I didn't find anything + that defines HAVE_MMAP. The check does not trigger because compression + on server side is by default COMP_DELAYED (2) so it never triggers. + + Remove remaining HAVE_MMAP and BROKEN_MMAP bits. + + 
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> + +commit bbf20ac8065905f9cb9aeb8f1df57fcab52ee2fb +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Sep 9 03:10:21 2020 +0000 + + upstream: adapt to SSH_SK_VERSION_MAJOR crank + + OpenBSD-Regress-ID: 0f3e76bdc8f9dbd9d22707c7bdd86051d5112ab8 + +commit 9afe2a150893b20bdf9eab764978d817b9a7b783 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Aug 28 03:17:13 2020 +0000 + + upstream: Ensure that address/mask mismatches are flagged at + + config-check time. ok djm@ + + OpenBSD-Regress-ID: 8f5f4c2c0bf00e6ceae7a1755a444666de0ea5c2 + +commit c76773524179cb654ff838dd43ba1ddb155bafaa +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed Sep 9 03:08:01 2020 +0000 + + upstream: when writing an attestation blob for a FIDO key, record all + + the data needed to verify the attestation. Previously we were missing the + "authenticator data" that is included in the signature. + + spotted by Ian Haken + feedback Pedro Martelletto and Ian Haken; ok markus@ + + OpenBSD-Commit-ID: 8439896e63792b2db99c6065dd9a45eabbdb7e0a + +commit c1c44eeecddf093a7983bd91e70b446de789b363 +Author: pedro martelletto <pedro@ambientworks.net> +Date: Tue Sep 1 17:01:55 2020 +0200 + + configure.ac: fix libfido2 back-compat + + - HAVE_FIDO_CRED_PROD -> HAVE_FIDO_CRED_PROT; + - check for fido_dev_get_touch_begin(), so that + HAVE_FIDO_DEV_GET_TOUCH_BEGIN gets defined. 
+ +commit 785f0f315bf7ac5909e988bb1ac3e019fb5e1594 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Aug 31 04:33:17 2020 +0000 + + upstream: refuse to add verify-required (PINful) FIDO keys to + + ssh-agent until the agent supports them properly + + OpenBSD-Commit-ID: 125bd55a8df32c87c3ec33c6ebe437673a3d037e + +commit 39e88aeff9c7cb6862b37ad1a87a03ebbb38c233 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Aug 31 00:17:41 2020 +0000 + + upstream: Add RCS IDs to the few files that are missing them; from + + Pedro Martelletto + + OpenBSD-Commit-ID: 39aa37a43d0c75ec87f1659f573d3b5867e4a3b3 + +commit 72730249b38a676da94a1366b54a6e96e6928bcb +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Aug 28 03:15:52 2020 +0000 + + upstream: Check that the addresses supplied to Match Address and + + Match LocalAddress are valid when parsing in config-test mode. This will + catch address/mask mismatches before they cause problems at runtime. Found by + Daniel Stocker, ok djm@ + + OpenBSD-Commit-ID: 2d0b10c69fad5d8fda4c703e7c6804935289378b + +commit 2a3a9822311a565a9df48ed3b6a3c972f462bd7d +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Thu Aug 27 12:34:00 2020 +0000 + + upstream: sentence fix; from pedro martelletto + + OpenBSD-Commit-ID: f95b84a1e94e9913173229f3787448eea2f8a575 + +commit ce178be0d954b210c958bc2b9e998cd6a7aa73a9 +Author: Damien Miller <djm@mindrot.org> +Date: Thu Aug 27 20:01:52 2020 +1000 + + tweak back-compat for older libfido2 + +commit d6f45cdde031acdf434bbb27235a1055621915f4 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Aug 27 09:46:04 2020 +0000 + + upstream: debug()-print a little info about FIDO-specific key + + fields via "ssh-keygen -vyf /path/key" + + OpenBSD-Commit-ID: cf315c4fe77db43947d111b00155165cb6b577cf + +commit b969072cc3d62d05cb41bc6d6f3c22c764ed932f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Aug 27 09:43:28 2020 +0000 + + upstream: skip a bit more FIDO token selection logic when only a + + single 
token is attached. + + with Pedro Martelletto + + OpenBSD-Commit-ID: e4a324bd9814227ec1faa8cb619580e661cca9ac + +commit 744df42a129d7d7db26947b7561be32edac89f88 +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Thu Aug 27 06:15:22 2020 +0000 + + upstream: tweak previous; + + OpenBSD-Commit-ID: 92714b6531e244e4da401b2defaa376374e24be7 + +commit e32479645ce649b444ba5c6e7151304306a09654 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Aug 27 03:55:22 2020 +0000 + + upstream: adapt to API changes + + OpenBSD-Regress-ID: 5f147990cb67094fe554333782ab268a572bb2dd + +commit bbcc858ded3fbc46abfa7760e40389e3ca93884c +Author: Damien Miller <djm@mindrot.org> +Date: Thu Aug 27 12:37:12 2020 +1000 + + degrade semi-gracefully when libfido2 is too old + +commit 9cbbdc12cb6a2ab1e9ffe9974cca91d213c185c2 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Aug 27 01:15:36 2020 +0000 + + upstream: dummy firmware needs to match API version numner crank (for + + verify-required resident keys) even though it doesn't implement this feature + + OpenBSD-Regress-ID: 86579ea2891e18e822e204413d011b2ae0e59657 + +commit c1e76c64956b424ba260fd4eec9970e5b5859039 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Aug 27 02:11:09 2020 +0000 + + upstream: remove unreachable code I forgot to delete in r1.334 + + OpenBSD-Commit-ID: 9ed6078251a0959ee8deda443b9ae42484fd8b18 + +commit 0caff05350bd5fc635674c9e051a0322faba5ae3 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Aug 27 01:08:45 2020 +0000 + + upstream: Request PIN ahead of time for certain FIDO actions + + When we know that a particular action will require a PIN, such as + downloading resident keys or generating a verify-required key, request + the PIN before attempting it. 
+ + joint work with Pedro Martelletto; ok markus@ + + OpenBSD-Commit-ID: 863182d38ef075bad1f7d20ca485752a05edb727 + +commit b649b3daa6d4b8ebe1bd6de69b3db5d2c03c9af0 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Aug 27 01:08:19 2020 +0000 + + upstream: preserve verify-required for resident FIDO keys + + When downloading a resident, verify-required key from a FIDO token, + preserve the verify-required in the private key that is written to + disk. Previously we weren't doing that because of lack of support + in the middleware API. + + from Pedro Martelletto; ok markus@ and myself + + OpenBSD-Commit-ID: 201c46ccdd227cddba3d64e1bdbd082afa956517 + +commit 642e06d0df983fa2af85126cf4b23440bb2985bf +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Aug 27 01:07:51 2020 +0000 + + upstream: major rework of FIDO token selection logic + + When PINs are in use and multiple FIDO tokens are attached to a host, we + cannot just blast requests at all attached tokens with the PIN specified + as this will cause the per-token PIN failure counter to increment. If + this retry counter hits the token's limit (usually 3 attempts), then the + token will lock itself and render all (web and SSH) of its keys invalid. + We don't want this. + + So this reworks the key selection logic for the specific case of + multiple keys being attached. When multiple keys are attached and the + operation requires a PIN, then the user must touch the key that they + wish to use first in order to identify it. + + This may require multiple touches, but only if there are multiple keys + attached AND (usually) the operation requires a PIN. The usual case of a + single key attached should be unaffected. 
+ + Work by Pedro Martelletto; ok myself and markus@ + + OpenBSD-Commit-ID: 637d3049ced61b7a9ee796914bbc4843d999a864 + +commit 801c9f095e6d8b7b91aefd98f5001c652ea13488 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Aug 27 01:07:09 2020 +0000 + + upstream: support for requiring user verified FIDO keys in sshd + + This adds a "verify-required" authorized_keys flag and a corresponding + sshd_config option that tells sshd to require that FIDO keys verify the + user identity before completing the signing/authentication attempt. + Whether or not user verification was performed is already baked into the + signature made on the FIDO token, so this is just plumbing that flag + through and adding ways to require it. + + feedback and ok markus@ + + OpenBSD-Commit-ID: 3a2313aae153e043d57763d766bb6d55c4e276e6 + +commit 9b8ad93824c682ce841f53f3b5762cef4e7cc4dc +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Aug 27 01:06:18 2020 +0000 + + upstream: support for user-verified FIDO keys + + FIDO2 supports a notion of "user verification" where the user is + required to demonstrate their identity to the token before particular + operations (e.g. signing). Typically this is done by authenticating + themselves using a PIN that has been set on the token. + + This adds support for generating and using user verified keys where + the verification happens via PIN (other options might be added in the + future, but none are in common use now). Practically, this adds + another key generation option "verify-required" that yields a key that + requires a PIN before each authentication. 
+ + feedback markus@ and Pedro Martelletto; ok markus@ + + OpenBSD-Commit-ID: 57fd461e4366f87c47502c5614ec08573e6d6a15 + +commit 1196d7f49d4fbc90f37e550de3056561613b0960 +Author: cheloha@openbsd.org <cheloha@openbsd.org> +Date: Wed Aug 12 01:23:45 2020 +0000 + + upstream: ssh-keyscan(1): simplify conloop() with timercmp(3), + + timersub(3); ok djm@ + + OpenBSD-Commit-ID: a102acb544f840d33ad73d40088adab4a687fa27 + +commit d0a195c89e26766d3eb8f3e4e2a00ebc98b57795 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Aug 11 09:49:57 2020 +0000 + + upstream: let ssh_config(5)'s AddKeysToAgent keyword accept a time + + limit for keys in addition to its current flag options. Time-limited keys + will automatically be removed from ssh-agent after their expiry time has + passed; ok markus@ + + OpenBSD-Commit-ID: 792e71cacbbc25faab5424cf80bee4a006119f94 + +commit e9c2002891a7b8e66f4140557a982978f372e5a3 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Aug 11 09:45:54 2020 +0000 + + upstream: let the "Confirm user presence for key ..." ssh-askpass + + notification respect $SSH_ASKPASS_REQUIRE; ok markus@ + + OpenBSD-Commit-ID: 7c1a616b348779bda3b9ad46bf592741f8e206c1 + +commit eaf8672b1b52db2815a229745f4e4b08681bed6d +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Aug 21 00:04:13 2020 +1000 + + Remove check for 'ent' command. + + It was added in 8d1fd57a9 for measuring entropy of ssh_prng_cmds which + has long since been removed and there are no other references to it. + +commit 05c215de8d224e094a872d97d45f37f60c06206b +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Aug 17 21:34:32 2020 +1000 + + Wrap stdint.h include in ifdef HAVE_STDINT_H. 
+ +commit eaf2765efe8bc74feba85c34295d067637fc6635 +Author: Damien Miller <djm@mindrot.org> +Date: Mon Aug 10 13:24:09 2020 +1000 + + sync memmem.c with OpenBSD + +commit ed6bef77f5bb5b8f9ca2914478949e29f2f0a780 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Aug 7 17:12:16 2020 +1000 + + Always send any PAM account messages. + + If the PAM account stack reaturns any messages, send them to the user + not just if the check succeeds. bz#2049, ok djm@ + +commit a09e98dcae1e26f026029b7142b0e0d10130056f +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Aug 7 15:37:37 2020 +1000 + + Output test debug logs on failure. + +commit eb122b1eebe58b29a83a507ee814cbcf8aeded1b +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Aug 7 15:11:42 2020 +1000 + + Add ability to specify exact test target. + +commit c2ec7a07f8caabb4d8e00c66e7cd46bf2cd1e922 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Aug 7 14:21:15 2020 +1000 + + Document --without-openssl and --without-zlib. + +commit 651bb3a31949bbdc3a78b2ede95a77bce0c72984 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Aug 7 14:15:11 2020 +1000 + + Add without-openssl without-zlib test target. 
+ +commit 9499f2bb01dc1032ae155999b2d7764b9491341f +Author: Stefan Schindler <dns2utf8@estada.ch> +Date: Wed Aug 5 19:00:52 2020 +0200 + + Add CI with prepare script + + * Only use heimdal kerberos implementation + * Fetch yubico/libfido2 (see: https://github.com/Yubico/libfido2) + * Add one target for + * all features + * each feature alone + * no features + +commit ea1f649046546a860f68b97ddc3015b7e44346ca +Author: Damien Miller <djm@mindrot.org> +Date: Wed Aug 5 08:58:57 2020 +1000 + + support NetBSD's utmpx.ut_ss address field + + bz#960, ok dtucker + +commit 32c63e75a70a0ed9d6887a55fcb0e4531a6ad617 +Author: Damien Miller <djm@mindrot.org> +Date: Tue Aug 4 14:59:21 2020 +1000 + + wrap a declaration in the same ifdefs as its use + + avoids warnings on NetBSD + +commit c9e3be9f4b41fda32a2a0138d54c7a6b563bc94d +Author: Damien Miller <djm@mindrot.org> +Date: Tue Aug 4 14:58:46 2020 +1000 + + undef TAILQ_CONCAT and friends + + Needed for NetBSD. etc that supply these macros + +commit 2d8a3b7e8b0408dfeb933ac5cfd3a58f5bac49af +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Aug 3 02:53:51 2020 +0000 + + upstream: ensure that certificate extensions are lexically sorted. + + Previously if the user specified a custom extension then the everything would + be in order except the custom ones. bz3198 ok dtucker markus + + OpenBSD-Commit-ID: d97deb90587b06cb227c66ffebb2d9667bf886f0 + +commit a8732d74cb8e72f0c6366015687f1e649f60be87 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Aug 3 02:43:41 2020 +0000 + + upstream: allow -A to explicitly enable agent forwarding in scp and + + sftp. The default remains to not forward an agent, even when ssh_config + enables it. 
ok jmc dtucker markus + + OpenBSD-Commit-ID: 36cc526aa3b0f94e4704b8d7b969dd63e8576822 + +commit ab9105470a83ed5d8197959a1b1f367399958ba1 +Author: deraadt@openbsd.org <deraadt@openbsd.org> +Date: Mon Aug 3 02:42:49 2020 +0000 + + upstream: clang -Wimplicit-fallthrough does not recognise /* + + FALLTHROUGH */ comments, which is the style we currently use, and gives too + many boring warnings. ok djm + + OpenBSD-Commit-ID: 07b5031e9f49f2b69ac5e85b8da4fc9e393992a0 + +commit ced327b9fb78c94d143879ef4b2a02cbc5d38690 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Jul 31 04:19:37 2020 +0000 + + upstream: Also compare username when checking for JumpHost loops. + + bz#3057, ok djm@ + + OpenBSD-Commit-ID: 9bbc1d138adb34c54f3c03a15a91f75dbf418782 + +commit ae7527010c44b3376b85d036a498f136597b2099 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Jul 31 15:19:04 2020 +1000 + + Remove AC_REVISION. + + It hasn't been useful since we switched to git in 2014. ok djm@ + +commit 89fc3f414be0ce4e8008332a9739a7d721269e50 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Tue Jul 28 19:40:30 2020 +1000 + + Use argv in OSSH_CHECK_CFLAG_COMPILE test. + + configure.ac is not detecting -Wextra in compilers that implement the + option. The problem is that -Wextra implies -Wunused-parameter, and the + C excerpt used by aclocal.m4 does not use argv. 
Patch from pedro at + ambientworks.net, ok djm@ + +commit 62c81ef531b0cc7ff655455dd34f5f0c94f48e82 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Mon Jul 20 22:12:07 2020 +1000 + + Skip ECDSA-SK webauthn test when built w/out ECC + +commit 3ec9a6d7317236a9994887d8bd5d246af403a00d +Author: Damien Miller <djm@mindrot.org> +Date: Mon Jul 20 13:09:25 2020 +1000 + + Add ssh-sk-helper and manpage to RPM spec file + + Based on patch from Fabio Pedretti + +commit a2855c048b3f4b17d8787bd3f24232ec0cd79abe +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Jul 17 07:09:24 2020 +0000 + + upstream: Add %k to the TOKENs for Match Exec for consistency with + + the other keywords that recently got %k. + + OpenBSD-Commit-ID: 1857d1c40f270cbc254fca91e66110641dddcfdb + +commit 69860769fa9f4529d8612ec055ae11912f7344cf +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Fri Jul 17 05:59:05 2020 +0000 + + upstream: fix macro slip in previous; + + OpenBSD-Commit-ID: 624e47ab209450ad9ad5c69f54fa69244de5ed9a + +commit 40649bd0822883b684183854b16d0b8461d5697b +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Jul 17 07:10:24 2020 +0000 + + upstream: Add test for '%k' (HostKeyAlias) TOKEN. + + OpenBSD-Regress-ID: 8ed1ba1a811790031aad3fcea860a34ad7910456 + +commit 6736fe680704a3518cb4f3f8f6723b00433bd3dd +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Jul 17 03:26:58 2020 +0000 + + upstream: Add tests for expansions on UserKnownHostsFile. 
+ + OpenBSD-Regress-ID: bccf8060306c841bbcceb1392644f906a4d6ca51 + +commit 287dc6396e0f9cb2393f901816dbd7f2a7dfbb5f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jul 17 03:51:32 2020 +0000 + + upstream: log error message for process_write() write failures + + OpenBSD-Commit-ID: f733d7b3b05e3c68967dc18dfe39b9e8fad29851 + +commit 8df5774a42d2eaffe057bd7f293fc6a4b1aa411c +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Jul 17 03:43:42 2020 +0000 + + upstream: Add a '%k' TOKEN that expands to the effective HostKey of + + the destination. This allows, eg, keeping host keys in individual files + using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k". bz#1654, ok djm@, jmc@ + (man page bits) + + OpenBSD-Commit-ID: 7084d723c9cc987a5c47194219efd099af5beadc + +commit c4f239944a4351810fd317edf408bdcd5c0102d9 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Jul 17 03:23:10 2020 +0000 + + upstream: Add %-TOKEN, environment variable and tilde expansion to + + UserKnownHostsFile, allowing the file to be automagically split up in the + configuration (eg bz#1654). 
ok djm@, man page parts jmc@ + + OpenBSD-Commit-ID: 7e1b406caf147638bb51558836a72d6cc0bd1b18 + +commit dbaaa01daedb423c38124a72c471982fb08a16fb +Author: solene@openbsd.org <solene@openbsd.org> +Date: Wed Jul 15 07:50:46 2020 +0000 + + upstream: - Add [-a rounds] in ssh-keygen man page and usage() - + + Reorder parameters list in the first usage() case - Sentence rewording + + ok dtucker@ + jmc@ noticed usage() missed -a flag too + + OpenBSD-Commit-ID: f06b9afe91cc96f260b929a56e9930caecbde246 + +commit 69924a92c3af7b99a7541aa544a2334ec0fb092c +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Wed Jul 15 05:40:05 2020 +0000 + + upstream: start sentence with capital letter; + + OpenBSD-Commit-ID: ab06581d51b2b4cc1b4aab781f7f3cfa56cad973 + +commit 5b56bd0affea7b02b540bdbc4d1d271b0e4fc885 +Author: Damien Miller <djm@mindrot.org> +Date: Fri Jul 17 13:15:50 2020 +1000 + + detect Linux/X32 systems + + This is a frankenstein monster of AMD64 instructions/calling conventions + but with a 4GB address space. Allegedly deprecated but people still run + into it causing weird sandbox failures, e.g. bz#3085 + +commit 9c9ddc1391d6af8d09580a2424ab467d0a5df3c7 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Wed Jul 15 06:43:16 2020 +0000 + + upstream: Fix previous by calling the correct function. 
+ + OpenBSD-Regress-ID: 821cdd1dff9c502cceff4518b6afcb81767cad5a + +commit f1a4798941b4372bfe5e46f1c0f8672fe692d9e4 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Wed Jul 15 05:36:50 2020 +0000 + + upstream: Update test to match recent change in match.c + + OpenBSD-Regress-ID: 965bda1f95f09a765050707340c73ad755f41167 + +commit d7e71be4fd57b7c7e620d733cdf2333b27bfa924 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Wed Jul 15 15:30:43 2020 +1000 + + Adjust portable code to match changes in 939d787d, + +commit fec89f32a84fd0aa1afc81deec80a460cbaf451a +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Wed Jul 15 04:27:34 2020 +0000 + + upstream: Add default for number of rounds (-a). ok djm@ + + OpenBSD-Commit-ID: cb7e9aa04ace01a98e63e4bd77f34a42ab169b15 + +commit aaa8b609a7b332be836cd9a3b782422254972777 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue Jul 14 23:57:01 2020 +0000 + + upstream: allow some additional control over the use of ssh-askpass + + via $SSH_ASKPASS_REQUIRE, including force-enable/disable. 
bz#69 ok markus@ + + OpenBSD-Commit-ID: 3a1e6cbbf6241ddc4405c4246caa2c249f149eb2 + +commit 6368022cd4dd508671c4999a59ec5826df098530 +Author: deraadt@openbsd.org <deraadt@openbsd.org> +Date: Tue Jul 7 02:47:21 2020 +0000 + + upstream: correct recently broken comments + + OpenBSD-Commit-ID: 964d9a88f7de1d0eedd3f8070b43fb6e426351f1 + +commit 6d755706a0059eb9e2d63517f288b75cbc3b4701 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Sun Jul 5 23:59:45 2020 +0000 + + upstream: some language improvements; ok markus + + OpenBSD-Commit-ID: 939d787d571b4d5da50b3b721fd0b2ac236acaa8 + +commit b0c1e8384d5e136ebdf895d1434aea7dd8661a1c +Author: markus@openbsd.org <markus@openbsd.org> +Date: Fri Jul 3 10:12:26 2020 +0000 + + upstream: update setproctitle after re-exec; ok djm + + OpenBSD-Commit-ID: bc92d122f9184ec2a9471ade754b80edd034ce8b + +commit cd119a5ec2bf0ed5df4daff3bd14f8f7566dafd3 +Author: markus@openbsd.org <markus@openbsd.org> +Date: Fri Jul 3 10:11:33 2020 +0000 + + upstream: keep ignoring HUP after fork+exec; ok djm + + OpenBSD-Commit-ID: 7679985a84ee5ceb09839905bb6f3ddd568749a2 + +commit 8af4a743693ccbea3e15fc9e93edbeb610fa94f4 +Author: markus@openbsd.org <markus@openbsd.org> +Date: Fri Jul 3 10:10:17 2020 +0000 + + upstream: don't exit the listener on send_rexec_state errors; ok + + djm + + OpenBSD-Commit-ID: 57cbd757d130d3f45b7d41310b3a15eeec137d5c + +commit 03da4c2b70468f04ed1c08518ea0a70e67232739 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Wed Jul 15 04:55:47 2020 +0000 + + upstream: Use $OBJ to find key files. Fixes test when run on an obj + + directory (on OpenBSD) or out of tree (in Portable). + + OpenBSD-Regress-ID: 938fa8ac86adaa527d64a305bd2135cfbb1c0a17 + +commit 73f20f195ad18f1cf633eb7d8be95dc1b6111eea +Author: Darren Tucker <dtucker@dtucker.net> +Date: Sat Jul 4 23:11:23 2020 +1000 + + Wrap stdint.h in ifdef HAVE_STDINT_H. 
+ +commit aa6fa4bf3023fa0e5761cd8f4b2cd015d2de74dd +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jul 3 07:25:18 2020 +0000 + + upstream: put back the mux_ctx memleak fix, but only for channels of + + type SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels + should not have this structure freed. + + OpenBSD-Commit-ID: f3b213ae60405f77439e2b06262f054760c9d325 + +commit d8195914eb43b20b13381f4e5a74f9f8a14f0ded +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jul 3 07:17:35 2020 +0000 + + upstream: revert r1.399 - the lifetime of c->mux_ctx is more complex; + + simply freeing it here causes other problems + + OpenBSD-Commit-ID: c6fee8ca94e2485faa783839541962be2834c5ed + +commit 20b5fab9f773b3d3c7f06cb15b8f69a2c081ee80 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jul 3 07:02:37 2020 +0000 + + upstream: avoid tilde_expand_filename() in expanding ~/.ssh/rc - if + + sshd is in chroot mode, the likely absence of a password database will cause + tilde_expand_filename() to fatal; ok dtucker@ + + OpenBSD-Commit-ID: e20aee6159e8b79190d18dba1513fc1b7c8b7ee1 + +commit c8935081db35d73ee6355999142fa0776a2af912 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jul 3 06:46:41 2020 +0000 + + upstream: when redirecting sshd's log output to a file, undo this + + redirection after the session child process is forked(); ok dtucker@ + + OpenBSD-Commit-ID: 6df86dd653c91f5bc8ac1916e7680d9d24690865 + +commit 183c4aaef944af3a1a909ffa01058c65bac55748 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jul 3 06:29:57 2020 +0000 + + upstream: start ClientAliveInterval bookkeeping before first pass + + through select() loop; fixed theoretical case where busy sshd may ignore + timeouts from client; inspired by and ok dtucker + + OpenBSD-Commit-ID: 96bfc4b1f86c7da313882a84755b2b47eb31957f + +commit 6fcfd303d67f16695198cf23d109a988e40eefb6 +Author: Damien Miller <djm@mindrot.org> +Date: Fri Jul 3 15:28:27 2020 +1000 + + add check for fido_cred_set_prot() 
to configure + +commit f11b23346309e4d5138e733a49321aedd6eeaa2f +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Jul 3 05:09:06 2020 +0000 + + upstream: Only reset the serveralive check when we receive traffic from + + the server and ignore traffic from a port forwarding client, preventing a + client from keeping a connection alive when it should be terminated. Based + on a patch from jxraynor at gmail.com via openssh-unix-dev and bz#2265, ok + djm@ + + OpenBSD-Commit-ID: a941a575a5cbc244c0ef5d7abd0422bbf02c2dcd + +commit adfdbf1211914b631c038f0867a447db7b519937 +Author: Damien Miller <djm@mindrot.org> +Date: Fri Jul 3 15:15:15 2020 +1000 + + sync sys-queue.h with OpenBSD upstream + + needed for TAILQ_CONCAT + +commit 1b90ddde49e2ff377204082b6eb130a096411dc1 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jul 3 05:08:41 2020 +0000 + + upstream: fix memory leak of mux_ctx; patch from Sergiy Lozovsky + + via bz3189 ok dtucker + + OpenBSD-Commit-ID: db249bd4526fd42d0f4f43f72f7b8b7705253bde + +commit 55ef3e9cbd5b336bd0f89205716924886fcf86de +Author: markus@openbsd.org <markus@openbsd.org> +Date: Wed Jul 1 16:28:31 2020 +0000 + + upstream: free kex in ssh_packet_close; ok djm semarie + + OpenBSD-Commit-ID: dbc181e90d3d32fd97b10d75e68e374270e070a2 + +commit e1c401109b61f7dbc199b5099933d579e7fc5dc9 +Author: bket@openbsd.org <bket@openbsd.org> +Date: Sat Jun 27 13:39:09 2020 +0000 + + upstream: Replace TAILQ concatenation loops with TAILQ_CONCAT + + OK djm@ + + OpenBSD-Commit-ID: 454b40e09a117ddb833794358970a65b14c431ef + +commit 14beca57ac92d62830c42444c26ba861812dc837 +Author: semarie@openbsd.org <semarie@openbsd.org> +Date: Fri Jun 26 11:26:01 2020 +0000 + + upstream: backout 1.293 fix kex mem-leak in ssh_packet_close at markus + + request + + the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after + calling ssh_packet_clear_keys()) + + OpenBSD-Commit-ID: 9c9a6721411461b0b1c28dc00930d7251a798484 + +commit 
598c3a5e3885080ced0d7c40fde00f1d5cdbb32b +Author: Damien Miller <djm@mindrot.org> +Date: Fri Jun 26 16:07:12 2020 +1000 + + document a PAM spec problem in a frustrated comment + +commit 976c4f86286d52a0cb2aadf4a095d379c0da752e +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jun 26 05:42:16 2020 +0000 + + upstream: avoid spurious error message when ssh-keygen creates files + + outside ~/.ssh; with dtucker@ + + OpenBSD-Commit-ID: ac0c662d44607e00ec78c266ee60752beb1c7e08 + +commit 32b2502a9dfdfded1ccdc1fd6dc2b3fe41bfc205 +Author: Damien Miller <djm@mindrot.org> +Date: Fri Jun 26 15:30:06 2020 +1000 + + missing ifdef SELINUX; spotted by dtucker + +commit e073106f370cdd2679e41f6f55a37b491f0e82fe +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jun 26 05:12:21 2020 +0000 + + upstream: regress test for ssh-add -d; ok dtucker@ + + OpenBSD-Regress-ID: 3a2e044be616afc7dd4f56c100179e83b33d8abf + +commit c809daaa1bad6b1c305b0e0b5440360f32546c84 +Author: markus@openbsd.org <markus@openbsd.org> +Date: Wed Jun 24 15:16:23 2020 +0000 + + upstream: add test for mux w/-Oproxy; ok djm + + OpenBSD-Regress-ID: 764d5c696e2a259f1316a056e225e50023abb027 + +commit 3d06ff4bbd3dca8054c238d2a94c0da563ef7eee +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jun 26 05:16:38 2020 +0000 + + upstream: handle EINTR in waitfd() and timeout_connect() helpers; + + bz#3071; ok dtucker@ + + OpenBSD-Commit-ID: 08fa87be50070bd8b754d9b1ebb1138d7bc9d8ee + +commit fe2ec0b9c19adeab0cd9f04b8152dc17f31c31e5 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jun 26 05:04:07 2020 +0000 + + upstream: allow "ssh-add -d -" to read keys to be deleted from + + stdin bz#3180; ok dtucker@ + + OpenBSD-Commit-ID: 15c7f10289511eb19fce7905c9cae8954e3857ff + +commit a3e0c376ffc11862fa3568b28188bd12965973e1 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jun 26 05:03:36 2020 +0000 + + upstream: constify a few things; ok dtucker (as part of another + + diff) + + OpenBSD-Commit-ID: 
7c17fc987085994d752304bd20b1ae267a9bcdf6 + +commit 74344c3ca42c3f53b00b025daf09ae7f6aa38076 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Jun 26 05:02:03 2020 +0000 + + upstream: Defer creation of ~/.ssh by ssh(1) until we attempt to + + write to it so we don't leave an empty .ssh directory when it's not needed. + Use the same function to replace the code in ssh-keygen that does the same + thing. bz#3156, ok djm@ + + OpenBSD-Commit-ID: 59c073b569be1a60f4de36f491a4339bc4ae870f + +commit c9e24daac6324fcbdba171392c325bf9ccc3c768 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Jun 26 04:45:11 2020 +0000 + + upstream: Expand path to ~/.ssh/rc rather than relying on it + + being relative to the current directory, so that it'll still be found if the + shell startup changes its directory. Since the path is potentially longer, + make the cmd buffer that uses it dynamically sized. bz#3185, with & ok djm@ + + OpenBSD-Commit-ID: 36e33ff01497af3dc8226d0c4c1526fc3a1e46bf + +commit 07f5f369a25e228a7357ef6c57205f191f073d99 +Author: markus@openbsd.org <markus@openbsd.org> +Date: Wed Jun 24 15:12:09 2020 +0000 + + upstream: fix kex mem-leak in ssh_packet_close; ok djm + + OpenBSD-Commit-ID: e2e9533f393620383afd0b68ef435de8d5e8abe4 + +commit e35995088cd6691a712bfd586bae8084a3a922ba +Author: markus@openbsd.org <markus@openbsd.org> +Date: Wed Jun 24 15:10:38 2020 +0000 + + upstream: fix ssh -O proxy w/mux which got broken by no longer + + making ssh->kex optional in packet.c revision 1.278 ok djm@ + + OpenBSD-Commit-ID: 2b65df04a064c2c6277359921d2320c90ab7d917 + +commit 250246fef22b87a54a63211c60a2def9be431fbd +Author: markus@openbsd.org <markus@openbsd.org> +Date: Wed Jun 24 15:09:53 2020 +0000 + + upstream: support loading big sshd_config files w/o realloc; ok + + djm + + OpenBSD-Commit-ID: ba9238e810074ac907f0cf8cee1737ac04983171 + +commit 89b54900ac61986760452f132bbe3fb7249cfdac +Author: markus@openbsd.org <markus@openbsd.org> +Date: Wed Jun 24 
15:08:53 2020 +0000 + + upstream: allow sshd_config longer than 256k; ok djm + + OpenBSD-Commit-ID: 83f40dd5457a64c1d3928eb4364461b22766beb3 + +commit e3fa6249e6d9ceb57c14b04dd4c0cfab12fa7cd5 +Author: markus@openbsd.org <markus@openbsd.org> +Date: Wed Jun 24 15:07:33 2020 +0000 + + upstream: only call sshkey_xmss_init() once for KEY_XMSS_CERT; ok + + djm + + OpenBSD-Commit-ID: d0002ffb7f20f538b014d1d0735facd5a81ff096 + +commit 37f2da069c0619f2947fb92785051d82882876d7 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jun 22 23:44:27 2020 +0000 + + upstream: some clarifying comments + + OpenBSD-Commit-ID: 5268479000fd97bfa30ab819f3517139daa054a2 + +commit b659319a5bc9e8adf3c4facc51f37b670d2a7426 +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Mon Jun 22 06:37:38 2020 +0000 + + upstream: updated argument name for -P in first synopsis was + + missed in previous; + + OpenBSD-Commit-ID: 8d84dc3050469884ea91e29ee06a371713f2d0b7 + +commit 02a9222cbce7131d639984c2f6c71d1551fc3333 +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Mon Jun 22 06:36:40 2020 +0000 + + upstream: supply word missing in previous; + + OpenBSD-Commit-ID: 16a38b049f216108f66c8b699aa046063381bd23 + +commit 5098b3b6230852a80ac6cef5d53a785c789a5a56 +Author: Damien Miller <djm@mindrot.org> +Date: Mon Jun 22 16:54:02 2020 +1000 + + missing files for webauthn/sshsig unit test + +commit 354535ff79380237924ac8fdc98f8cdf83e67da6 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jun 22 06:00:06 2020 +0000 + + upstream: add support for verification of webauthn sshsig signature, + + and example HTML/JS to generate webauthn signatures in SSH formats (also used + to generate the testdata/* for the test). + + OpenBSD-Regress-ID: dc575be5bb1796fdf4b8aaee0ef52a6671a0f6fb + +commit bb52e70fa5330070ec9a23069c311d9e277bbd6f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jun 22 05:58:35 2020 +0000 + + upstream: Add support for FIDO webauthn (verification only). 
+ + webauthn is a standard for using FIDO keys in web browsers. webauthn + signatures are a slightly different format to plain FIDO signatures - this + support allows verification of these. Feedback and ok markus@ + + OpenBSD-Commit-ID: ab7e3a9fb5782d99d574f408614d833379e564ad + +commit 64bc121097f377142f1387ffb2df7592c49935af +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jun 22 05:56:23 2020 +0000 + + upstream: refactor ECDSA-SK verification a little ahead of adding + + support for FIDO webauthn signature verification support; ok markus@ + + OpenBSD-Commit-ID: c9f478fd8e0c1bd17e511ce8694f010d8e32043e + +commit 12848191f8fe725af4485d3600e0842d92f8637f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jun 22 05:54:10 2020 +0000 + + upstream: support for RFC4648 base64url encoding; ok markus + + OpenBSD-Commit-ID: 0ef22c55e772dda05c112c88412c0797fec66eb4 + +commit 473b4af43db12127137c7fc1a10928313f5a16d2 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jun 22 05:53:26 2020 +0000 + + upstream: better terminology for permissions; feedback & ok markus@ + + OpenBSD-Commit-ID: ff2a71803b5ea57b83cc3fa9b3be42b70e462fb9 + +commit fc270baf264248c3ee3050b13a6c8c0919e6559f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon Jun 22 05:52:05 2020 +0000 + + upstream: better terminology for permissions; feedback & ok markus@ + + OpenBSD-Commit-ID: ffb220b435610741dcb4de0e7fc68cbbdc876d2c + +commit 00531bb42f1af17ddabea59c3d9c4b0629000d27 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Jun 19 07:21:42 2020 +0000 + + upstream: Correct synopsis and usage for the options accepted when + + passing a command to ssh-agent. ok jmc@ + + OpenBSD-Commit-ID: b36f0679cb0cac0e33b361051b3406ade82ea846 + +commit b4556c8ad7177e379f0b60305a0cd70f12180e7c +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Jun 19 19:22:00 2020 +1000 + + Add OPENBSD ORIGINAL marker to bcrypt_pbkdf. 
+ +commit 1babb8bb14c423011ca34c2f563bb1c51c8fbf1d +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Jun 19 19:10:47 2020 +1000 + + Extra brackets around sizeof() in bcrypt. + + Prevents following warning from clang 10: + bcrypt_pbkdf.c:94:40: error: expression does not compute the number of + elements in this array; element type is ´uint32_tÂ[...] + place parentheses around the ´sizeof(uint64_t)´ expression to + silence this warning + +commit 9e065729592633290e5ddb6852792913b2286545 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Jun 19 18:47:56 2020 +1000 + + Add includes.h to new test. + + Fixes warnings eg "´bounded´ attribute directive ignor" from gcc. + +commit e684b1ea365e070433f282a3c1dabc3e2311ce49 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Jun 19 18:38:39 2020 +1000 + + Skip OpenSSL specific tests w/out OpenSSL. + + Allows unit tests to pass when configure'ed --without-openssl. + +commit 80610e97a76407ca982e62fd051c9be03622fe7b +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Jun 19 17:15:27 2020 +1000 + + Hook sshsig tests up to Portable Makefiles. + +commit 5dba1fcabacaab46693338ec829b42a1293d1f52 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Jun 19 05:07:09 2020 +0000 + + upstream: Test that ssh-agent exits when running as as subprocess + + of a specified command (ie "ssh-agent command"). Would have caught bz#3181. 
+ + OpenBSD-Regress-ID: 895b4765ba5153eefaea3160a7fe08ac0b6db8b3 + +commit 68e8294f6b04f9590ea227e63d3e129398a49e27 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jun 19 04:34:21 2020 +0000 + + upstream: run sshsig unit tests + + OpenBSD-Regress-ID: 706ef17e2b545b64873626e0e35553da7c06052a + +commit 5edfa1690e9a75048971fd8775f7c16d153779db +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jun 19 04:32:09 2020 +0000 + + upstream: basic unit test for sshsig.[ch], including FIDO keys + + verification only so far + + OpenBSD-Regress-ID: fb1f946c8fc59206bc6a6666e577b5d5d7e45896 + +commit e95c0a0e964827722d29b4bc00d5c0ff4afe0ed2 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jun 19 03:48:49 2020 +0000 + + upstream: basic unit test for FIDO kep parsing + + OpenBSD-Regress-ID: 8089b88393dd916d7c95422b442a6fd4cfe00c82 + +commit 7775819c6de3e9547ac57b87c7dd2bfd28cefcc5 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Jun 18 23:34:19 2020 +0000 + + upstream: check public host key matches private; ok markus@ (as + + part of previous diff) + + OpenBSD-Commit-ID: 65a4f66436028748b59fb88b264cb8c94ce2ba63 + +commit c514f3c0522855b4d548286eaa113e209051a6d2 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Thu Jun 18 23:33:38 2020 +0000 + + upstream: avoid spurious "Unable to load host key" message when + + sshd can load a private key but no public counterpart; with & ok markus@ + + OpenBSD-Commit-ID: 0713cbdf9aa1ff8ac7b1f78b09ac911af510f81b + +commit 7fafaeb5da365f4a408fec355dac04a774f27193 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jun 12 05:26:37 2020 +0000 + + upstream: correct RFC number; from HARUYAMA Seigo via GH PR191 + + OpenBSD-Commit-ID: 8d03b6c96ca98bfbc23d3754c3c33e1fe0852e10 + +commit 3a7f654d5bcb20df24a134b6581b0d235da4564a +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jun 5 06:18:07 2020 +0000 + + upstream: unbreak "sshd -ddd" - close of config passing fd happened too + + early. 
ok markus@ + + OpenBSD-Commit-ID: 49346e945c6447aca3e904e65fc400128d2f8ed0 + +commit 3de02be39e5c0c2208d9682a3844991651620fcc +Author: Andreas Schwab <schwab@suse.de> +Date: Mon May 25 11:10:44 2020 +0200 + + Add support for AUDIT_ARCH_RISCV64 + +commit ea547eb0329c2f8da77a4ac05f6c330bd49bdaab +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jun 5 03:25:35 2020 +0000 + + upstream: make sshbuf_putb(b, NULL) a no-op + + OpenBSD-Commit-ID: 976fdc99b500e347023d430df372f31c1dd128f7 + +commit 69796297c812640415c6cea074ea61afc899cbaa +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jun 5 03:24:36 2020 +0000 + + upstream: make sshbuf_dump() args const + + OpenBSD-Commit-ID: b4a5accae750875d665b862504169769bcf663bd + +commit 670428895739d1f79894bdb2457891c3afa60a59 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri Jun 5 03:24:16 2020 +0000 + + upstream: wrap long line + + OpenBSD-Commit-ID: ed405a12bd27bdc9c52e169bc5ff3529b4ebbbb2 + +commit 2f648cf222882719040906722b3593b01df4ad1a +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri Jun 5 03:15:26 2020 +0000 + + upstream: Correct historical comment: provos@ modified OpenSSH to + + work with SSLeay (very quickly replaced by OpenSSL) not SSL in general. ok + deraadt, historical context markus@ + + OpenBSD-Commit-ID: 7209e07a2984b50411ed8ca5a4932da5030d2b90 + +commit 56548e4efcc3e3e8093c2eba30c75b23e561b172 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Wed Jun 3 08:23:18 2020 +0000 + + upstream: Import regenerated moduli file. + + OpenBSD-Commit-ID: 52ff0e3205036147b2499889353ac082e505ea54 + +commit 8da801f585dd9c534c0cbe487a3b1648036bf2fb +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri Jun 5 13:20:10 2020 +1000 + + Test fallthrough in OSSH_CHECK_CFLAG_COMPILE. + + clang 10's -Wimplicit-fallthrough does not understand /* FALLTHROUGH */ + comments and we don't use the __attribute__((fallthrough)) that it's + looking for. 
This has the effect of turning off -Wimplicit-fallthrough + where it does not currently help (particularly with -Werror). ok djm@ + +commit 049297de975b92adcc2db77e3fb7046c0e3c695d +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Wed Jun 3 08:23:18 2020 +0000 + + upstream: Import regenerated moduli file. + + OpenBSD-Commit-ID: 52ff0e3205036147b2499889353ac082e505ea54 + +commit b458423a38a3140ac022ffcffcb332609faccfe3 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Mon Jun 1 07:11:38 2020 +0000 + + upstream: Remove now-unused proto_spec and associated definitions. + + ok djm@ + + OpenBSD-Commit-ID: 2e2b18e3aa6ee22a7b69c39f2d3bd679ec35c362 + +commit 5ad3c3a33ef038b55a14ebd31faeeec46073db2c +Author: millert@openbsd.org <millert@openbsd.org> +Date: Fri May 29 21:22:02 2020 +0000 + + upstream: Fix error message on close(2) and add printf format + + attributes. From Christos Zoulas, OK markus@ + + OpenBSD-Commit-ID: 41523c999a9e3561fcc7082fd38ea2e0629ee07e + +commit 712ac1efb687a945a89db6aa3e998c1a17b38653 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri May 29 11:17:56 2020 +0000 + + upstream: Make dollar_expand variadic and pass a real va_list to + + vdollar_percent_expand. Fixes build error on arm64 spotted by otto@. + + OpenBSD-Commit-ID: 181910d7ae489f40ad609b4cf4a20f3d068a7279 + +commit 837ffa9699a9cba47ae7921d2876afaccc027133 +Author: Darren Tucker <dtucker@dtucker.net> +Date: Fri May 29 20:39:00 2020 +1000 + + Omit ToS setting if we don't have IPV6_TCLASS too. + + Fixes tests on old BSDs. + +commit f85b118d2150847cc333895296bc230e367be6b5 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri May 29 09:02:44 2020 +0000 + + upstream: Pass a NULL instead of zeroed out va_list from + + dollar_expand. The original intent was in case there's some platform where + va_list is not a pointer equivalent, but on i386 this chokes on the memset. + This unbreaks that build, but will require further consideration. 
+ + OpenBSD-Commit-ID: 7b90afcd8e1137a1d863204060052aef415baaf7 + +commit ec1d50b01c84ff667240ed525f669454c4ebc8e9 +Author: jmc@openbsd.org <jmc@openbsd.org> +Date: Fri May 29 05:48:39 2020 +0000 + + upstream: remove a stray .El; + + OpenBSD-Commit-ID: 58ddfe6f8a15fe10209db6664ecbe7896f1d167c + +commit 058674a62ffe33f01d871d46e624bc2a2c22d91f +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri May 29 04:32:26 2020 +0000 + + upstream: Add regression and unit tests for ${ENV} style + + environment variable expansion in various keywords (bz#3140). ok djm@ + + OpenBSD-Regress-ID: 4d9ceb95d89365b7b674bc26cf064c15a5bbb197 + +commit 0b15892fc47d6840eba1291a6be9be1a70bc8972 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri May 29 01:21:35 2020 +0000 + + upstream: Unit test for convtime. ok djm@ + + OpenBSD-Regress-ID: cec4239efa2fc4c7062064f07a847e1cbdbcd5dd + +commit 188e332d1c8f9f24e5b6659e9680bf083f837df9 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri May 29 05:37:03 2020 +0000 + + upstream: mention that wildcards are processed in lexical order; + + bz#3165 + + OpenBSD-Commit-ID: 8856f3d1612bd42e9ee606d89386cae456dd165c + +commit 4a1b46e6d032608b7ec00ae51c4e25b82f460b05 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri May 29 04:25:40 2020 +0000 + + upstream: Allow some keywords to expand shell-style ${ENV} + + environment variables on the client side. The supported keywords are + CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus + LocalForward and RemoteForward when used for Unix domain socket paths. This + would for example allow forwarding of Unix domain socket paths that change at + runtime. 
bz#3140, ok djm@ + + OpenBSD-Commit-ID: a4a2e801fc2d4df2fe0e58f50d9c81b03822dffa + +commit c9bab1d3a9e183cef3a3412f57880a0374cc8cb2 +Author: Damien Miller <djm@mindrot.org> +Date: Fri May 29 14:49:16 2020 +1000 depend -commit b6d251ed9af90e16c08a72c4aac2cb8ace8f94b1 +commit 0b0d219313bf9239ca043f20b1a095db0245588f +Author: sobrado <sobrado@openbsd.org> +Date: Thu Sep 3 23:06:28 2015 +0000 + + partial sync of regress/netcat.c with upstream + + synchronize synopsis and usage. + +commit 0f04c8467f589f85a523e19fd684c4f6c4ed9482 +Author: chl <chl@openbsd.org> +Date: Sun Jul 26 19:12:28 2015 +0000 + + partial sync of regress/netcat.c with upstream + + remove unused variable + + ok tedu@ + +commit d6a81050ace2630b06c3c6dd39bb4eef5d1043f8 +Author: tobias <tobias@openbsd.org> +Date: Thu Mar 26 21:22:50 2015 +0000 + + partial sync of regress/netcat.c with upstream + + The code in socks.c writes multiple times in a row to a socket. If the socket becomes invalid between these calls (e.g. connection closed), write will throw SIGPIPE. With this patch, SIGPIPE is ignored so we can handle write's -1 return value (errno will be EPIPE). Ultimately, it leads to program exit, too -- but with nicer error message. :) + + with input by and ok djm + +commit bf3893dddd35e16def04bf48ed2ee1ad695b8f82 +Author: tobias <tobias@openbsd.org> +Date: Thu Mar 26 10:36:03 2015 +0000 + + partial sync of regress/netcat.c with upstream + + Check for short writes in fdpass(). Clean up while at it. + + ok djm + +commit e18435fec124b4c08eb6bbbbee9693dc04f4befb +Author: jca <jca@openbsd.org> +Date: Sat Feb 14 22:40:22 2015 +0000 + + partial sync of regress/netcat.c with upstream + + Support for nc -T on IPv6 addresses. + + ok sthen@ + +commit 4c607244054a036ad3b2449a6cb4c15feb846a76 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri May 29 03:14:02 2020 +0000 + + upstream: fix compilation on !HAVE_DLOPEN platforms; stub function + + was not updated to match API change. 
From Dale Rahn via beck@ ok markus@ + + OpenBSD-Commit-ID: 2b8d054afe34c9ac85e417dae702ef981917b836 + +commit 224418cf55611869a4ace1b8b07bba0dff77a9c3 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri May 29 03:11:54 2020 +0000 + + upstream: fix exit status for downloading of FIDO resident keys; + + from Pedro Martelletto, ok markus@ + + OpenBSD-Commit-ID: 0da77dc24a1084798eedd83c39a002a9d231faef + +commit 1001dd148ed7c57bccf56afb40cb77482ea343a6 +Author: dtucker@openbsd.org <dtucker@openbsd.org> +Date: Fri May 29 01:20:46 2020 +0000 + + upstream: Fix multiplier in convtime when handling seconds after + + other units. bz#3171, spotted by ronf at timeheart.net, ok djm@. + + OpenBSD-Commit-ID: 95b7a848e1083974a65fbb6ccb381d438e1dd5be + +commit 7af1e92cd289b7eaa9a683e9a6f2fddd98f37a01 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed May 27 22:37:53 2020 +0000 + + upstream: fix Include before Match in sshd_config; bz#3122 patch + + from Jakub Jelen + + OpenBSD-Commit-ID: 1b0aaf135fe6732b5d326946042665dd3beba5f4 + +commit 0a9a611619b0a1fecd0195ec86a9885f5d681c84 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed May 27 21:59:11 2020 +0000 + + upstream: Do not call process_queued_listen_addrs() for every + + included file from sshd_config; patch from Jakub Jelen + + OpenBSD-Commit-ID: 0ff603d6f06a7fab4881f12503b53024799d0a49 + +commit 16ea1fdbe736648f79a827219134331f8d9844fb +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed May 27 21:25:18 2020 +0000 + + upstream: fix crash in recallocarray when deleting SendEnv + + variables; spotted by & ok sthen@ + + OpenBSD-Commit-ID: b881e8e849edeec5082b5c0a87d8d7cff091a8fd + +commit 47adfdc07f4f8ea0064a1495500244de08d311ed +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed May 27 22:35:19 2020 +0000 + + upstream: two new tests for Include in sshd_config, checking whether + + Port directives are processed correctly and handling of Include directives + that appear before Match. Both tests currently fail. 
bz#3122 and bz#3169 - + patch from Jakub Jelen + + OpenBSD-Regress-ID: 8ad5a4a385a63f0a1c59c59c763ff029b45715df + +commit 47faad8f794516c33864d866aa1b55d88416f94c +Author: Darren Tucker <dtucker@dtucker.net> +Date: Wed May 27 23:26:23 2020 +1000 + + Document that libfido2 >= 1.4.0 is needed. + +commit 4be563994c0cbe9856e7dd3078909f41beae4a9c +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue May 26 01:59:46 2020 +0000 + + upstream: fix memleak of signature; from Pedro Martelletto + + OpenBSD-Commit-ID: d0a6eb07e77c001427d738b220dd024ddc64b2bb + +commit 0c111eb84efba7c2a38b2cc3278901a0123161b9 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue May 26 01:26:58 2020 +0000 + + upstream: Restrict ssh-agent from signing web challenges for FIDO + + keys. + + When signing messages in ssh-agent using a FIDO key that has an + application string that does not start with "ssh:", ensure that the + message being signed is one of the forms expected for the SSH protocol + (currently pubkey authentication and sshsig signatures). + + This prevents ssh-agent forwarding on a host that has FIDO keys + attached granting the ability for the remote side to sign challenges + for web authentication using those keys too. + + Note that the converse case of web browsers signing SSH challenges is + already precluded because no web RP can have the "ssh:" prefix in the + application string that we require. + + ok markus@ + + OpenBSD-Commit-ID: 9ab6012574ed0352d2f097d307f4a988222d1b19 + +commit 9c5f64b6cb3a68b99915202d318b842c6c76cf14 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue May 26 01:09:05 2020 +0000 + + upstream: improve logging for MaxStartups connection throttling: + + have sshd log when it starts and stops throttling and periodically while in + this state. 
bz#3055 ok markus@ + + OpenBSD-Commit-ID: 2e07a09a62ab45d790d3d2d714f8cc09a9ac7ab9 + +commit 756c6f66aee83a5862a6f936a316f761532f3320 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue May 26 01:06:52 2020 +0000 + + upstream: add fmt_timeframe() (from bgpd) to format a time + + interval in a human- friendly format. Switch copyright for this file from BSD + to MIT to make it easier to add Henning's copyright for this function. ok + markus@ + + OpenBSD-Commit-ID: 414a831c662df7e68893e5233e86f2cac081ccf9 + +commit 2a63ce5cd6d0e782783bf721462239b03757dd49 Author: djm@openbsd.org <djm@openbsd.org> Date: Mon May 18 04:29:35 2020 +0000 
@@ -12,6 +1677,117 @@ Date: Mon May 18 04:29:35 2020 +0000 OpenBSD-Commit-ID: e6099c3fbb70aa67eb106e84d8b43f1fa919b721 +commit 4b307faf2fb0e63e51a550b37652f7f972df9676 +Author: markus@openbsd.org <markus@openbsd.org> +Date: Fri May 15 08:34:03 2020 +0000 + + upstream: sshd listener must not block if reexecd sshd exits + + in write(2) on config_s[0] if the forked child exits early before finishing + recv_rexec_state (e.g. with fatal()) because config_s[1] stays open in the + parent. this prevents the parent from accepting new connections. ok djm, + deraadt + + OpenBSD-Commit-ID: 92ccfeb939ccd55bda914dc3fe84582158c4a9ef + +commit af8b16fb2cce880341c0ee570ceb0d84104bdcc0 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri May 15 03:57:33 2020 +0000 + + upstream: fix off-by-one error that caused sftp downloads to make + + one more concurrent request that desired. This prevented using sftp(1) in + unpipelined request/response mode, which is useful when debugging. Patch from + Stephen Goetze in bz#3054 + + OpenBSD-Commit-ID: 41b394ebe57037dbc43bdd0eef21ff0511191f28 + +commit d7d753e2979f2d3c904b03a08d30856cd2a6e892 +Author: deraadt@openbsd.org <deraadt@openbsd.org> +Date: Wed May 13 22:38:41 2020 +0000 + + upstream: we are still aiming for pre-C99 ... + + OpenBSD-Commit-ID: a240fc9cbe60bc4e6c3d24d022eb4ab01fe1cb38 + +commit 2ad7b7e46408dbebf2a4efc4efd75a9544197d57 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed May 13 10:08:02 2020 +0000 + + upstream: Enable credProtect extension when generating a resident + + key. + + The FIDO 2.1 Client to Authenticator Protocol introduced a "credProtect" + feature to better protect resident keys. This option allows (amone other + possibilities) requiring a PIN prior to all operations that may retrieve + the key handle. 
+ + Patch by Pedro Martelletto; ok djm and markus + + OpenBSD-Commit-ID: 013bc06a577dcaa66be3913b7f183eb8cad87e73 + +commit 1e70dc3285fc9b4f6454975acb81e8702c23dd89 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed May 13 09:57:17 2020 +0000 + + upstream: always call fido_init(); previous behaviour only called + + fido_init() when SK_DEBUG was defined. Harmless with current libfido2, but + this isn't guaranteed in the future. + + OpenBSD-Commit-ID: c7ea20ff2bcd98dd12015d748d3672d4f01f0864 + +commit f2d84f1b3fa68d77c99238d4c645d0266fae2a74 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed May 13 09:55:57 2020 +0000 + + upstream: preserve group/world read permission on known_hosts + + file across runs of "ssh-keygen -Rf /path". The old behaviour was to remove + all rights for group/other. bz#3146 ok dtucker@ + + OpenBSD-Commit-ID: dc369d0e0b5dd826430c63fd5f4b269953448a8a + +commit 05a651400da6fbe12296c34e3d3bcf09f034fbbf +Author: djm@openbsd.org <djm@openbsd.org> +Date: Wed May 13 09:52:41 2020 +0000 + + upstream: when ordering the hostkey algorithms to request from a + + server, prefer certificate types if the known_hosts files contain a key + marked as a @cert-authority; bz#3157 ok markus@ + + OpenBSD-Commit-ID: 8f194573e5bb7c01b69bbfaabc68f27c9fa5e0db + +commit 829451815ec207e14bd54ff5cf7e22046816f042 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Tue May 12 01:41:32 2020 +0000 + + upstream: fix non-ASCII quote that snuck in; spotted by Gabriel + + Kihlman + + OpenBSD-Commit-ID: 04bcde311de2325d9e45730c744c8de079b49800 + +commit 5a442cec92c0efd6fffb4af84bf99c70af248ef3 +Author: djm@openbsd.org <djm@openbsd.org> +Date: Mon May 11 02:11:29 2020 +0000 + + upstream: clarify role of FIDO tokens in multi-factor + + authentictation; mostly from Pedro Martelletto + + OpenBSD-Commit-ID: fbe05685a1f99c74b1baca7130c5a03c2df7c0ac + +commit ecb2c02d994b3e21994f31a70ff911667c262f1f +Author: djm@openbsd.org <djm@openbsd.org> +Date: Fri May 8 05:13:14 2020 +0000 + + 
upstream: fix compilation with DEBUG_KEXDH; bz#3160 ok dtucker@ + + OpenBSD-Commit-ID: 832e771948fb45f2270e8b8895aac36d176ba17a + commit 3ab6fccc3935e9b778ff52f9c8d40f215d58e01d Author: Damien Miller <djm@mindrot.org> Date: Thu May 14 12:22:09 2020 +1000 
@@ -10714,1964 +12490,3 @@ Date: Tue Oct 2 12:40:07 2018 +0000 ok markus@ dtucker@ OpenBSD-Commit-ID: 4bea826f575862eaac569c4bedd1056a268be1c3 - -commit dba50258333f2604a87848762af07ba2cc40407a -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Sep 26 07:32:44 2018 +0000 - - upstream: remove big ugly TODO comment from start of file. Some of - - the mentioned tasks are obsolete and, of the remainder, most are already - captured in PROTOCOL.mux where they better belong - - OpenBSD-Commit-ID: 16d9d76dee42a5bb651c9d6740f7f0ef68aeb407 - -commit 92b61a38ee9b765f5049f03cd1143e13f3878905 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Sep 26 07:30:05 2018 +0000 - - upstream: Document mux proxy mode; added by Markus in openssh-7.4 - - Also add a little bit of information about the overall packet format - - OpenBSD-Commit-ID: bdb6f6ea8580ef96792e270cae7857786ad84a95 - -commit 9d883a1ce4f89b175fd77405ff32674620703fb2 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Sep 26 01:48:57 2018 +0000 - - upstream: s/process_mux_master/mux_master_process/ in mux master - - function names, - - Gives better symmetry with the existing mux_client_*() names and makes - it more obvious when a message comes from the master vs client (they - are interleved in ControlMaster=auto mode). - - no functional change beyond prefixing a could of log messages with - __func__ where they were previously lacking. - - OpenBSD-Commit-ID: b01f7c3fdf92692e1713a822a89dc499333daf75 - -commit c2fa53cd6462da82d3a851dc3a4a3f6b920337c8 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Sat Sep 22 14:41:24 2018 +1000 - - Remove unused variable in _ssh_compat_fflush. - -commit d1b3540c21212624af907488960d703c7d987b42 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Thu Sep 20 18:08:43 2018 +1000 - - Import updated moduli. 
- -commit b5e412a8993ad17b9e1141c78408df15d3d987e1 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Sep 21 12:46:22 2018 +0000 - - upstream: Allow ssh_config ForwardX11Timeout=0 to disable the - - timeout and allow X11 connections in untrusted mode indefinitely. ok dtucker@ - - OpenBSD-Commit-ID: ea1ceed3f540b48e5803f933e59a03b20db10c69 - -commit cb24d9fcc901429d77211f274031653476864ec6 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Sep 21 12:23:17 2018 +0000 - - upstream: when compiled with GSSAPI support, cache supported method - - OIDs by calling ssh_gssapi_prepare_supported_oids() regardless of whether - GSSAPI authentication is enabled in the main config. - - This avoids sandbox violations for configurations that enable GSSAPI - auth later, e.g. - - Match user djm - GSSAPIAuthentication yes - - bz#2107; ok dtucker@ - - OpenBSD-Commit-ID: a5dd42d87c74e27cfb712b15b0f97ab20e0afd1d - -commit bbc8af72ba68da014d4de6e21a85eb5123384226 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Sep 21 12:20:12 2018 +0000 - - upstream: In sshkey_in_file(), ignore keys that are considered for - - being too short (i.e. SSH_ERR_KEY_LENGTH). These keys will not be considered - to be "in the file". This allows key revocation lists to contain short keys - without the entire revocation list being considered invalid. - - bz#2897; ok dtucker - - OpenBSD-Commit-ID: d9f3d857d07194a42ad7e62889a74dc3f9d9924b - -commit 383a33d160cefbfd1b40fef81f72eadbf9303a66 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Sep 21 03:11:36 2018 +0000 - - upstream: Treat connections with ProxyJump specified the same as ones - - with a ProxyCommand set with regards to hostname canonicalisation (i.e. don't - try to canonicalise the hostname unless CanonicalizeHostname is set to - 'always'). 
- - Patch from Sven Wegener via bz#2896 - - OpenBSD-Commit-ID: 527ff501cf98bf65fb4b29ed0cb847dda10f4d37 - -commit 0cbed248ed81584129b67c348dbb801660f25a6a -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Sep 20 23:40:16 2018 +0000 - - upstream: actually make CASignatureAlgorithms available as a config - - option - - OpenBSD-Commit-ID: 93fa7ff58314ed7b1ab7744090a6a91232e6ae52 - -commit 62528870c0ec48cd86a37dd7320fb85886c3e6ee -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Thu Sep 20 08:07:03 2018 +0000 - - upstream: Import updated moduli. - - OpenBSD-Commit-ID: 04431e8e7872f49a2129bf080a6b73c19d576d40 - -commit e6933a2ffa0659d57f3c7b7c457b2c62b2a84613 -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Thu Sep 20 06:58:48 2018 +0000 - - upstream: reorder CASignatureAlgorithms, and add them to the - - various -o lists; ok djm - - OpenBSD-Commit-ID: ecb88baecc3c54988b4d1654446ea033da359288 - -commit aa083aa9624ea7b764d5a81c4c676719a1a3e42b -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Sep 20 03:31:49 2018 +0000 - - upstream: fix "ssh -Q sig" to show correct signature algorithm list - - (it was erroneously showing certificate algorithms); prompted by markus@ - - OpenBSD-Commit-ID: 1cdee002f2f0c21456979deeb887fc889afb154d - -commit ecac7e1f7add6b28874959a11f2238d149dc2c07 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Sep 20 03:30:44 2018 +0000 - - upstream: add CASignatureAlgorithms option for the client, allowing - - it to specify which signature algorithms may be used by CAs when signing - certificates. Useful if you want to ban RSA/SHA1; ok markus@ - - OpenBSD-Commit-ID: 9159e5e9f67504829bf53ff222057307a6e3230f - -commit 86e5737c39153af134158f24d0cab5827cbd5852 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Sep 20 03:28:06 2018 +0000 - - upstream: Add sshd_config CASignatureAlgorithms option to allow - - control over which signature algorithms a CA may use when signing - certificates. 
In particular, this allows a sshd to ban certificates signed - with RSA/SHA1. - - ok markus@ - - OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac - -commit f80e68ea7d62e2dfafc12f1a60ab544ae4033a0f -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Sep 19 02:03:02 2018 +0000 - - upstream: Make "ssh-add -q" do what it says on the tin: silence - - output from successful operations. - - Based on patch from Thijs van Dijk; ok dtucker@ deraadt@ - - OpenBSD-Commit-ID: c4f754ecc055c10af166116ce7515104aa8522e1 - -commit 5e532320e9e51de720d5f3cc2596e95d29f6e98f -Author: millert@openbsd.org <millert@openbsd.org> -Date: Mon Sep 17 15:40:14 2018 +0000 - - upstream: When choosing a prime from the moduli file, avoid - - re-using the linenum variable for something that is not a line number to - avoid the confusion that resulted in the bug in rev. 1.64. This also lets us - pass the actual linenum to parse_prime() so the error messages include the - correct line number. OK markus@ some time ago. - - OpenBSD-Commit-ID: 4d8e5d3e924d6e8eb70053e3defa23c151a00084 - -commit cce8cbe0ed7d1ba3a575310e0b63c193326ae616 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Sat Sep 15 19:44:06 2018 +1000 - - Fix openssl-1.1 fallout for --without-openssl. - - ok djm@ - -commit 149519b9f201dac755f3cba4789f4d76fecf0ee1 -Author: Damien Miller <djm@mindrot.org> -Date: Sat Sep 15 19:37:48 2018 +1000 - - add futex(2) syscall to seccomp sandbox - - Apparently needed for some glibc/openssl combinations. 
- - Patch from Arkadiusz Miśkiewicz - -commit 4488ae1a6940af704c4dbf70f55bf2f756a16536 -Author: Damien Miller <djm@mindrot.org> -Date: Sat Sep 15 19:36:55 2018 +1000 - - really add source for authopt_fuzz this time - -commit 9201784b4a257c8345fbd740bcbdd70054885707 -Author: Damien Miller <djm@mindrot.org> -Date: Sat Sep 15 19:35:40 2018 +1000 - - remove accidentally checked-in authopt_fuzz binary - -commit beb9e522dc7717df08179f9e59f36b361bfa14ab -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Sep 14 05:26:27 2018 +0000 - - upstream: second try, deals properly with missing and private-only - - Use consistent format in debug log for keys readied, offered and - received during public key authentication. - - This makes it a little easier to see what is going on, as each message - now contains (where available) the key filename, its type and fingerprint, - and whether the key is hosted in an agent or a token. - - OpenBSD-Commit-ID: f1c6a8e9cfc4e108c359db77f24f9a40e1e25ea7 - -commit 6bc5a24ac867bfdc3ed615589d69ac640f51674b -Author: Damien Miller <djm@mindrot.org> -Date: Fri Sep 14 15:16:34 2018 +1000 - - fuzzer harness for authorized_keys option parsing - -commit 6c8b82fc6929b6a9a3f645151b6ec26c5507d9ef -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Sep 14 04:44:04 2018 +0000 - - upstream: revert following; deals badly with agent keys - - revision 1.285 - date: 2018/09/14 04:17:12; author: djm; state: Exp; lines: +47 -26; commitid: lflGFcNb2X2HebaK; - Use consistent format in debug log for keys readied, offered and - received during public key authentication. - - This makes it a little easier to see what is going on, as each message - now contains the key filename, its type and fingerprint, and whether - the key is hosted in an agent or a token. 
- - OpenBSD-Commit-ID: e496bd004e452d4b051f33ed9ae6a54ab918f56d - -commit 6da046f9c3374ce7e269ded15d8ff8bc45017301 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Sep 14 04:17:44 2018 +0000 - - upstream: garbage-collect moribund ssh_new_private() API. - - OpenBSD-Commit-ID: 7c05bf13b094093dfa01848a9306c82eb6e95f6c - -commit 1f24ac5fc05252ceb1c1d0e8cab6a283b883c780 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Sep 14 04:17:12 2018 +0000 - - upstream: Use consistent format in debug log for keys readied, - - offered and received during public key authentication. - - This makes it a little easier to see what is going on, as each message - now contains the key filename, its type and fingerprint, and whether - the key is hosted in an agent or a token. - - OpenBSD-Commit-ID: 2a01d59285a8a7e01185bb0a43316084b4f06a1f - -commit 488c9325bb7233e975dbfbf89fa055edc3d3eddc -Author: millert@openbsd.org <millert@openbsd.org> -Date: Thu Sep 13 15:23:32 2018 +0000 - - upstream: Fix warnings caused by user_from_uid() and group_from_gid() - - now returning const char *. 
- - OpenBSD-Commit-ID: b5fe571ea77cfa7b9035062829ab05eb87d7cc6f - -commit 0aa1f230846ebce698e52051a107f3127024a05a -Author: Damien Miller <djm@mindrot.org> -Date: Fri Sep 14 10:31:47 2018 +1000 - - allow SIGUSR1 as synonym for SIGINFO - - Lets users on those unfortunate operating systems that lack SIGINFO - still be able to obtain progress information from unit tests :) - -commit d64e78526596f098096113fcf148216798c327ff -Author: Damien Miller <djm@mindrot.org> -Date: Thu Sep 13 19:05:48 2018 +1000 - - add compat header - -commit a3fd8074e2e2f06602e25618721f9556c731312c -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Sep 13 09:03:20 2018 +0000 - - upstream: missed a bit of openssl-1.0.x API in this unittest - - OpenBSD-Regress-ID: a73a54d7f7381856a3f3a2d25947bee7a9a5dbc9 - -commit 86e0a9f3d249d5580390daf58e015e68b01cef10 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Sep 13 05:06:51 2018 +0000 - - upstream: use only openssl-1.1.x API here too - - OpenBSD-Regress-ID: ae877064597c349954b1b443769723563cecbc8f - -commit 48f54b9d12c1c79fba333bc86d455d8f4cda8cfc -Author: Damien Miller <djm@mindrot.org> -Date: Thu Sep 13 12:13:50 2018 +1000 - - adapt -portable to OpenSSL 1.1x API - - Polyfill missing API with replacement functions extracted from LibreSSL - -commit 86112951d63d48839f035b5795be62635a463f99 -Author: Damien Miller <djm@mindrot.org> -Date: Thu Sep 13 12:12:42 2018 +1000 - - forgot to stage these test files in commit d70d061 - -commit 482d23bcacdd3664f21cc82a5135f66fc598275f -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Sep 13 02:08:33 2018 +0000 - - upstream: hold our collective noses and use the openssl-1.1.x API in - - OpenSSH; feedback and ok tb@ jsing@ markus@ - - OpenBSD-Commit-ID: cacbcac87ce5da0d3ca7ef1b38a6f7fb349e4417 - -commit d70d061828730a56636ab6f1f24fe4a8ccefcfc1 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Sep 12 01:36:45 2018 +0000 - - upstream: Include certs with multiple RSA signature variants in - - test data 
Ensure that cert->signature_key is populated correctly - - OpenBSD-Regress-ID: 56e68f70fe46cb3a193ca207385bdb301fd6603a - -commit f803b2682992cfededd40c91818b653b5d923ef5 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Sep 12 01:23:48 2018 +0000 - - upstream: test revocation by explicit hash and by fingerprint - - OpenBSD-Regress-ID: 079c18a9ab9663f4af419327c759fc1e2bc78fd8 - -commit 2de78bc7da70e1338b32feeefcc6045cf49efcd4 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Sep 12 01:22:43 2018 +0000 - - upstream: s/sshkey_demote/sshkey_from_private/g - - OpenBSD-Regress-ID: 782bde7407d94a87aa8d1db7c23750e09d4443c4 - -commit 41c115a5ea1cb79a6a3182773c58a23f760e8076 -Author: Damien Miller <djm@mindrot.org> -Date: Wed Sep 12 16:50:01 2018 +1000 - - delete the correct thing; kexfuzz binary - -commit f0fcd7e65087db8c2496f13ed39d772f8e38b088 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Sep 12 06:18:59 2018 +0000 - - upstream: fix edit mistake; spotted by jmc@ - - OpenBSD-Commit-ID: dd724e1c52c9d6084f4cd260ec7e1b2b138261c6 - -commit 4cc259bac699f4d2a5c52b92230f9e488c88a223 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Sep 12 01:34:02 2018 +0000 - - upstream: add SSH_ALLOWED_CA_SIGALGS - the default list of - - signature algorithms that are allowed for CA signatures. Notably excludes - ssh-dsa. 
- - ok markus@ - - OpenBSD-Commit-ID: 1628e4181dc8ab71909378eafe5d06159a22deb4 - -commit ba9e788315b1f6a350f910cb2a9e95b2ce584e89 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Sep 12 01:32:54 2018 +0000 - - upstream: add sshkey_check_cert_sigtype() that checks a - - cert->signature_type against a supplied whitelist; ok markus - - OpenBSD-Commit-ID: caadb8073292ed7a9535e5adc067d11d356d9302 - -commit a70fd4ad7bd9f2ed223ff635a3d41e483057f23b -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Sep 12 01:31:30 2018 +0000 - - upstream: add cert->signature_type field and keep it in sync with - - certificate signature wrt loading and certification operations; ok markus@ - - OpenBSD-Commit-ID: e8b8b9f76b66707a0cd926109c4383db8f664df3 - -commit 357128ac48630a9970e3af0e6ff820300a28da47 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Sep 12 01:30:10 2018 +0000 - - upstream: Add "ssh -Q sig" to allow listing supported signature - - algorithms ok markus@ - - OpenBSD-Commit-ID: 7a8c6eb6c249dc37823ba5081fce64876d10fe2b - -commit 9405c6214f667be604a820c6823b27d0ea77937d -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Sep 12 01:21:34 2018 +0000 - - upstream: allow key revocation by SHA256 hash and allow ssh-keygen - - to create KRLs using SHA256/base64 key fingerprints; ok markus@ - - OpenBSD-Commit-ID: a0590fd34e7f1141f2873ab3acc57442560e6a94 - -commit 50e2687ee0941c0ea216d6ffea370ffd2c1f14b9 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Sep 12 01:19:12 2018 +0000 - - upstream: log certificate fingerprint in authentication - - success/failure message (previously we logged only key ID and CA key - fingerprint). - - ok markus@ - - OpenBSD-Commit-ID: a8ef2d172b7f1ddbcce26d6434b2de6d94f6c05d - -commit de37ca909487d23e5844aca289b3f5e75d3f1e1f -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Sep 7 04:26:56 2018 +0000 - - upstream: Add FALLTHROUGH comments where appropriate. Patch from - - jjelen at redhat via bz#2687. 
- - OpenBSD-Commit-ID: c48eb457be697a19d6d2950c6d0879f3ccc851d3 - -commit 247766cd3111d5d8c6ea39833a3257ca8fb820f2 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Sep 7 01:42:54 2018 +0000 - - upstream: ssh -MM requires confirmation for all operations that - - change the multiplexing state, not just new sessions. - - mention that confirmation is checked via ssh-askpass - - OpenBSD-Commit-ID: 0f1b45551ebb9cc5c9a4fe54ad3b23ce90f1f5c2 - -commit db8bb80e3ac1bcb3e1305d846cd98c6b869bf03f -Author: mestre@openbsd.org <mestre@openbsd.org> -Date: Tue Aug 28 12:25:53 2018 +0000 - - upstream: fix misplaced parenthesis inside if-clause. it's harmless - - and the only issue is showing an unknown error (since it's not defined) - during fatal(), if it ever an error occurs inside that condition. - - OK deraadt@ markus@ djm@ - - OpenBSD-Commit-ID: acb0a8e6936bfbe590504752d01d1d251a7101d8 - -commit 086cc614f550b7d4f100c95e472a6b6b823938ab -Author: mestre@openbsd.org <mestre@openbsd.org> -Date: Tue Aug 28 12:17:45 2018 +0000 - - upstream: fix build with DEBUG_PK enabled - - OK dtucker@ - - OpenBSD-Commit-ID: ec1568cf27726e9638a0415481c20c406e7b441c - -commit 2678833013e97f8b18f09779b7f70bcbf5eb2ab2 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Sep 7 14:41:53 2018 +1000 - - Handle ngroups>_SC_NGROUPS_MAX. - - Based on github pull request #99 from Darren Maffat at Oracle: Solaris' - getgrouplist considers _SC_NGROUPS_MAX more of a guideline and can return - a larger number of groups. In this case, retry getgrouplist with a - larger array and defer allocating groups_byname. ok djm@ - -commit 039bf2a81797b8f3af6058d34005a4896a363221 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Sep 7 14:06:57 2018 +1000 - - Initial len for the fmt=NULL case. - - Patch from jjelen at redhat via bz#2687. (OpenSSH never calls - setproctitle with a null format so len is always initialized). 
- -commit ea9c06e11d2e8fb2f4d5e02f8a41e23d2bd31ca9 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Sep 7 14:01:39 2018 +1000 - - Include stdlib.h. - - Patch from jjelen at redhat via bz#2687. - -commit 9617816dbe73ec4d65075f4d897443f63a97c87f -Author: Damien Miller <djm@mindrot.org> -Date: Mon Aug 27 13:08:01 2018 +1000 - - document some more regress control env variables - - Specifically SKIP_UNIT, USE_VALGRING and LTESTS. Sort the list of - environment variables. - - Based on patch from Jakub Jelen - -commit 71508e06fab14bc415a79a08f5535ad7bffa93d9 -Author: Damien Miller <djm@mindrot.org> -Date: Thu Aug 23 15:41:42 2018 +1000 - - shorten temporary SSH_REGRESS_TMP path - - Previous path was exceeding max socket length on at least one platform (OSX) - -commit 26739cf5bdc9030a583b41ae5261dedd862060f0 -Author: Damien Miller <djm@mindrot.org> -Date: Thu Aug 23 13:06:02 2018 +1000 - - rebuild dependencies - -commit ff729025c7463cf5d0a8d1ca1823306e48c6d4cf -Author: Damien Miller <djm@mindrot.org> -Date: Thu Aug 23 13:03:32 2018 +1000 - - fix path in distclean target - - Patch from Jakub Jelen - -commit 7fef173c28f7462dcd8ee017fdf12b5073f54c02 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Aug 23 03:01:08 2018 +0000 - - upstream: memleak introduced in r1.83; from Colin Watson - - OpenBSD-Commit-ID: 5c019104c280cbd549a264a7217b67665e5732dc - -commit b8ae02a2896778b8984c7f51566c7f0f56fa8b56 -Author: schwarze@openbsd.org <schwarze@openbsd.org> -Date: Tue Aug 21 13:56:27 2018 +0000 - - upstream: AIX reports the CODESET as "ISO8859-1" in the POSIX locale. - - Treating that as a safe encoding is OK because even when other systems return - that string for real ISO8859-1, it is still safe in the sense that it is - ASCII-compatible and stateless. - - Issue reported by Val dot Baranov at duke dot edu. Additional - information provided by Michael dot Felt at felt dot demon dot nl. - Tested by Michael Felt on AIX 6.1 and by Val Baranov on AIX 7.1. - Tweak and OK djm@. 
- - OpenBSD-Commit-ID: 36f1210e0b229817d10eb490d6038f507b8256a7 - -commit bc44ee088ad269d232e514f037c87ada4c2fd3f0 -Author: Tim Rice <tim@multitalents.net> -Date: Tue Aug 21 08:57:24 2018 -0700 - - modified: openbsd-compat/port-uw.c - remove obsolete and un-needed include - -commit 829fc28a9c54e3f812ee7248c7a3e31eeb4f0b3a -Author: Damien Miller <djm@mindrot.org> -Date: Mon Aug 20 15:57:29 2018 +1000 - - Missing unistd.h for regress/mkdtemp.c - -commit c8313e492355a368a91799131520d92743d8d16c -Author: Damien Miller <djm@mindrot.org> -Date: Fri Aug 17 05:45:20 2018 +1000 - - update version numbers in anticipation of release - -commit 477b49a34b89f506f4794b35e3c70b3e2e83cd38 -Author: Corinna Vinschen <vinschen@redhat.com> -Date: Mon Aug 13 17:08:51 2018 +0200 - - configure: work around GCC shortcoming on Cygwin - - Cygwin's latest 7.x GCC allows to specify -mfunction-return=thunk - as well as -mindirect-branch=thunk on the command line, albeit - producing invalid code, leading to an error at link stage. - - The check in configure.ac only checks if the option is present, - but not if it produces valid code. - - This patch fixes it by special-casing Cygwin. Another solution - may be to change these to linker checks. - - Signed-off-by: Corinna Vinschen <vinschen@redhat.com> - -commit b0917945efa374be7648d67dbbaaff323ab39edc -Author: Corinna Vinschen <vinschen@redhat.com> -Date: Mon Aug 13 17:05:05 2018 +0200 - - cygwin: add missing stdarg.h include - - Further header file standarization in Cygwin uncovered a lazy - indirect include in bsd-cygwin_util.c - - 
Signed-off-by: Corinna Vinschen <vinschen@redhat.com> - -commit c3903c38b0fd168ab3d925c2b129d1a599593426 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Aug 13 02:41:05 2018 +0000 - - upstream: revert compat.[ch] section of the following change. It - - causes double-free under some circumstances. - - -- - - date: 2018/07/31 03:07:24; author: djm; state: Exp; lines: +33 -18; commitid: f7g4UI8eeOXReTPh; - fix some memory leaks spotted by Coverity via Jakub Jelen in bz#2366 - feedback and ok dtucker@ - - OpenBSD-Commit-ID: 1e77547f60fdb5e2ffe23e2e4733c54d8d2d1137 - -commit 1b9dd4aa15208100fbc3650f33ea052255578282 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sun Aug 12 20:19:13 2018 +0000 - - upstream: better diagnosics on alg list assembly errors; ok - - deraadt@ markus@ - - OpenBSD-Commit-ID: 5a557e74b839daf13cc105924d2af06a1560faee - -commit e36a5f61b0f5bebf6d49c215d228cd99dfe86e28 -Author: Damien Miller <djm@mindrot.org> -Date: Sat Aug 11 18:08:45 2018 -0700 - - Some AIX fixes; report from Michael Felt - -commit 2f4766ceefe6657c5ad5fe92d13c411872acae0e -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Aug 10 01:35:49 2018 +0000 - - upstream: The script that cooks up PuTTY format host keys does not - - understand the new key format so convert back to old format to create the - PuTTY key and remove it once done. 
- - OpenBSD-Regress-ID: 2a449a18846c3a144bc645135b551ba6177e38d3 - -commit e1b26ce504662a5d5b991091228984ccfd25f280 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Aug 10 00:44:01 2018 +0000 - - upstream: improve - - OpenBSD-Commit-ID: 40d839db0977b4e7ac8b647b16d5411d4faf2f60 - -commit 7c712966a3139622f7fb55045368d05de4e6782c -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Aug 10 00:42:29 2018 +0000 - - upstream: Describe pubkey format, prompted by bz#2853 - - While I'm here, describe and link to the remaining local PROTOCOL.* - docs that weren't already mentioned (PROTOCOL.key, PROTOCOL.krl and - PROTOCOL.mux) - - OpenBSD-Commit-ID: 2a900f9b994ba4d53e7aeb467d44d75829fd1231 - -commit ef100a2c5a8ed83afac0b8f36520815803da227a -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Aug 10 00:27:15 2018 +0000 - - upstream: fix numbering - - OpenBSD-Commit-ID: bc7a1764dff23fa4c5ff0e3379c9c4d5b63c9596 - -commit ed7bd5d93fe14c7bd90febd29b858ea985d14d45 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Aug 8 01:16:01 2018 +0000 - - upstream: Use new private key format by default. This format is - - suported by OpenSSH >= 6.5 (released January 2014), so it should be supported - by most OpenSSH versions in active use. - - It is possible to convert new-format private keys to the older - format using "ssh-keygen -f /path/key -pm PEM". - - ok deraadt dtucker - - OpenBSD-Commit-ID: e3bd4f2509a2103bfa2f710733426af3ad6d8ab8 - -commit 967226a1bdde59ea137e8f0df871854ff7b91366 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sat Aug 4 00:55:06 2018 +0000 - - upstream: invalidate dh->priv_key after freeing it in error path; - - avoids unlikely double-free later. 
Reported by Viktor Dukhovni via - https://github.com/openssh/openssh-portable/pull/96 feedback jsing@ tb@ - - OpenBSD-Commit-ID: e317eb17c3e05500ae851f279ef6486f0457c805 - -commit 74287f5df9966a0648b4a68417451dd18f079ab8 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Jul 31 03:10:27 2018 +0000 - - upstream: delay bailout for invalid authentic - - =?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?= - =?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?= - =?UTF-8?q?iusz=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?= - MIME-Version: 1.0 - Content-Type: text/plain; charset=UTF-8 - Content-Transfer-Encoding: 8bit - - OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d - -commit 1a66079c0669813306cc69e5776a4acd9fb49015 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Jul 31 03:07:24 2018 +0000 - - upstream: fix some memory leaks spotted by Coverity via Jakub Jelen - - in bz#2366 feedback and ok dtucker@ - - OpenBSD-Commit-ID: 8402bbae67d578bedbadb0ce68ff7c5a136ef563 - -commit 87f08be054b7eeadbb9cdeb3fb4872be79ccf218 -Author: Damien Miller <djm@mindrot.org> -Date: Fri Jul 20 13:18:28 2018 +1000 - - Remove support for S/Key - - Most people will 1) be using modern multi-factor authentication methods - like TOTP/OATH etc and 2) be getting support for multi-factor - authentication via PAM or BSD Auth. - -commit 5d14019ba2ff54acbfd20a6b9b96bb860a8c7c31 -Author: markus@openbsd.org <markus@openbsd.org> -Date: Fri Jul 27 12:03:17 2018 +0000 - - upstream: avoid expensive channel_open_message() calls; ok djm@ - - OpenBSD-Commit-ID: aea3b5512ad681cd8710367d743e8a753d4425d9 - -commit e655ee04a3cb7999dbf9641b25192353e2b69418 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Jul 27 05:34:42 2018 +0000 - - upstream: Now that ssh can't be setuid, remove the - - original_real_uid and original_effective_uid globals and replace with calls - to plain getuid(). 
ok djm@ - - OpenBSD-Commit-ID: 92561c0cd418d34e6841e20ba09160583e27b68c - -commit 73ddb25bae4c33a0db361ac13f2e3a60d7c6c4a5 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Jul 27 05:13:02 2018 +0000 - - upstream: Remove uid checks from low port binds. Now that ssh - - cannot be setuid and sshd always has privsep on, we can remove the uid checks - for low port binds and just let the system do the check. We leave a sanity - check for the !privsep case so long as the code is stil there. with & ok - djm@ - - OpenBSD-Commit-ID: 9535cfdbd1cd54486fdbedfaee44ce4367ec7ca0 - -commit c12033e102760d043bc5c98e6c8180e4d331b0df -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Jul 27 03:55:22 2018 +0000 - - upstream: ssh(1) no longer supports being setuid root. Remove reference - - to crc32 which went with protocol 1. Pointed out by deraadt@. - - OpenBSD-Commit-ID: f8763c25fd96ed91dd1abdab5667fd2e27e377b6 - -commit 4492e2ec4e1956a277ef507f51d66e5c2aafaaf8 -Author: Damien Miller <djm@mindrot.org> -Date: Fri Jul 27 14:15:28 2018 +1000 - - correct snprintf truncation check in closefrom() - - Truncation cannot happen unless the system has set PATH_MAX to some - nonsensically low value. - - bz#2862, patch from Daniel Le - -commit 149cab325a8599a003364ed833f878449c15f259 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Jul 27 13:46:06 2018 +1000 - - Include stdarg.h in mkdtemp for va_list. 
- -commit 6728f31bdfdc864d192773c32465b1860e23f556 -Author: deraadt@openbsd.org <deraadt@openbsd.org> -Date: Wed Jul 25 17:12:35 2018 +0000 - - upstream: Don't redefine Makefile choices which come correct from - - bsd.*.mk ok markus - - OpenBSD-Commit-ID: 814b2f670df75759e1581ecef530980b2b3d7e0f - -commit 21fd477a855753c1a8e450963669e28e39c3b5d2 -Author: deraadt@openbsd.org <deraadt@openbsd.org> -Date: Wed Jul 25 13:56:23 2018 +0000 - - upstream: fix indent; Clemens Goessnitzer - - OpenBSD-Commit-ID: b5149a6d92b264d35f879d24608087b254857a83 - -commit 8e433c2083db8664c41499ee146448ea7ebe7dbf -Author: beck@openbsd.org <beck@openbsd.org> -Date: Wed Jul 25 13:10:56 2018 +0000 - - upstream: Use the caller provided (copied) pwent struct in - - load_public_identity_files instead of calling getpwuid() again and discarding - the argument. This prevents a client crash where tilde_expand_filename calls - getpwuid() again before the pwent pointer is used. Issue noticed and reported - by Pierre-Olivier Martel <pom@apple.com> ok djm@ deraadt@ - - OpenBSD-Commit-ID: a067d74b5b098763736c94cc1368de8ea3f0b157 - -commit e2127abb105ae72b6fda64fff150e6b24b3f1317 -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Mon Jul 23 19:53:55 2018 +0000 - - upstream: oops, failed to notice that SEE ALSO got messed up; - - OpenBSD-Commit-ID: 61c1306542cefdc6e59ac331751afe961557427d - -commit ddf1b797c2d26bbbc9d410aa4f484cbe94673587 -Author: kn@openbsd.org <kn@openbsd.org> -Date: Mon Jul 23 19:02:49 2018 +0000 - - upstream: Point to glob in section 7 for the actual list of special - - characters instead the C API in section 3. - - OK millert jmc nicm, "the right idea" deraadt - - OpenBSD-Commit-ID: a74fd215488c382809e4d041613aeba4a4b1ffc6 - -commit 01c98d9661d0ed6156e8602b650f72eed9fc4d12 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Sun Jul 22 12:16:59 2018 +0000 - - upstream: Switch authorized_keys example from ssh-dss to ssh-rsa - - since the former is no longer enabled by default. 
Pointed out by Daniel A. - Maierhofer, ok jmc - - OpenBSD-Commit-ID: 6a196cef53d7524e0c9b58cdbc1b5609debaf8c7 - -commit 472269f8fe19343971c2d08f504ab5cbb8234b33 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jul 20 05:01:10 2018 +0000 - - upstream: slightly-clearer description for AuthenticationMethods - the - - lists have comma-separated elements; bz#2663 from Hans Meier - - OpenBSD-Commit-ID: 931c983d0fde4764d0942fb2c2b5017635993b5a - -commit c59aca8adbdf7f5597084ad360a19bedb3f80970 -Author: Damien Miller <djm@mindrot.org> -Date: Fri Jul 20 14:53:42 2018 +1000 - - Create control sockets in clean temp directories - - Adds a regress/mkdtemp tool and uses it to create empty temp - directories for tests needing control sockets. - - Patch from Colin Watson via bz#2660; ok dtucker - -commit 6ad8648e83e4f4ace37b742a05c2a6b6b872514e -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jul 20 03:46:34 2018 +0000 - - upstream: remove unused zlib.h - - OpenBSD-Commit-ID: 8d274a9b467c7958df12668b49144056819f79f1 - -commit 3ba6e6883527fe517b6e4a824876e2fe62af22fc -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Thu Jul 19 23:03:16 2018 +0000 - - upstream: Fix typo in comment. From Alexandru Iacob via github. - - OpenBSD-Commit-ID: eff4ec07c6c8c5483533da43a4dda37d72ef7f1d - -commit c77bc73c91bc656e343a1961756e09dd1b170820 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Jul 20 13:48:51 2018 +1000 - - Explicitly include openssl before zlib. - - Some versions of OpenSSL have "free_func" in their headers, which zlib - typedefs. Including openssl after zlib (eg via sshkey.h) results in - "syntax error before `free_func'", which this fixes. 
- -commit 95d41e90eafcd1286a901e8e361e4a37b98aeb52 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Thu Jul 19 10:28:47 2018 +0000 - - upstream: Deprecate UsePrivilegedPort now that support for running - - ssh(1) setuid has been removed, remove supporting code and clean up - references to it in the man pages - - We have not shipped ssh(1) the setuid bit since 2002. If ayone - really needs to make connections from a low port number this can - be implemented via a small setuid ProxyCommand. - - ok markus@ jmc@ djm@ - - OpenBSD-Commit-ID: d03364610b7123ae4c6792f5274bd147b6de717e - -commit 258dc8bb07dfb35a46e52b0822a2c5b7027df60a -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Wed Jul 18 11:34:04 2018 +0000 - - upstream: Remove support for running ssh(1) setuid and fatal if - - attempted. Do not link uidwap.c into ssh any more. Neuters - UsePrivilegedPort, which will be marked as deprecated shortly. ok markus@ - djm@ - - OpenBSD-Commit-ID: c4ba5bf9c096f57a6ed15b713a1d7e9e2e373c42 - -commit ac590760b251506b0a152551abbf8e8d6dc2f527 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Mon Jul 16 22:25:01 2018 +0000 - - upstream: Slot 0 in the hostbased key array was previously RSA1, - - but that is now gone and the slot is unused so remove it. Remove two - now-unused macros, and add an array bounds check to the two remaining ones - (array is statically sized, so mostly a safety check on future changes). ok - markus@ - - OpenBSD-Commit-ID: 2e4c0ca6cc1d8daeccead2aa56192a3f9d5e1e7a - -commit 26efc2f5df0e3bcf6a6bbdd0506fd682d60c2145 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Mon Jul 16 11:05:41 2018 +0000 - - upstream: Remove support for loading HostBasedAuthentication keys - - directly in ssh(1) and always use ssh-keysign. This removes one of the few - remaining reasons why ssh(1) might be setuid. 
ok markus@ - - OpenBSD-Commit-ID: 97f01e1448707129a20d75f86bad5d27c3cf0b7d - -commit 3eb7f1038d17af7aea3c2c62d1e30cd545607640 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Jul 16 07:06:50 2018 +0000 - - upstream: keep options.identity_file_userprovided array in sync when we - - load keys, fixing some spurious error messages; ok markus - - OpenBSD-Commit-ID: c63e3d5200ee2cf9e35bda98de847302566c6a00 - -commit 2f131e1b34502aa19f345e89cabf6fa3fc097f09 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Jul 16 03:09:59 2018 +0000 - - upstream: memleak in unittest; found by valgrind - - OpenBSD-Regress-ID: 168c23b0fb09fc3d0b438628990d3fd9260a8a5e - -commit de2997a4cf22ca0a524f0e5b451693c583e2fd89 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Jul 16 03:09:13 2018 +0000 - - upstream: memleaks; found by valgrind - - OpenBSD-Commit-ID: 6c3ba22be53e753c899545f771e8399fc93cd844 - -commit 61cc0003eb37fa07603c969c12b7c795caa498f3 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Sat Jul 14 16:49:01 2018 +1000 - - Undef a few new macros in sys-queue.h. - - Prevents macro redefinition warnings on OSX. - -commit 30a2c213877a54a44dfdffb6ca8db70be5b457e0 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Jul 13 13:40:20 2018 +1000 - - Include unistd.h for geteuid declaration. - -commit 1dd32c23f2a85714dfafe2a9cc516971d187caa4 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Jul 13 13:38:10 2018 +1000 - - Fallout from buffer conversion in AUDIT_EVENTS. - - Supply missing "int r" and fix error path for sshbuf_new(). 
- -commit 7449c178e943e5c4f6c8416a4e41d93b70c11c9e -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jul 13 02:13:50 2018 +0000 - - upstream: make this use ssh_proxy rather than starting/stopping a - - daemon for each testcase - - OpenBSD-Regress-ID: 608b7655ea65b1ba8fff5a13ce9caa60ef0c8166 - -commit dbab02f9208d9baa134cec1d007054ec82b96ca9 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jul 13 02:13:19 2018 +0000 - - upstream: fix leaks in unit test; with this, all unit tests are - - leak free (as far as valgrind can spot anyway) - - OpenBSD-Regress-ID: b824d8b27998365379963440e5d18b95ca03aa17 - -commit 2f6accff5085eb79b0dbe262d8b85ed017d1a51c -Author: Damien Miller <djm@mindrot.org> -Date: Fri Jul 13 11:39:25 2018 +1000 - - Enable leak checks for unit tests with valgrind - - Leave the leak checking on unconditionally when running with valgrind. - The unit tests are leak-free and I want them to stay that way. - -commit e46cfbd9db5e907b821bf4fd0184d4dab99815ee -Author: Damien Miller <djm@mindrot.org> -Date: Fri Jul 13 11:38:59 2018 +1000 - - increase timeout to match cfgmatch.sh - - lets test pass under valgrind (on my workstation at least) - -commit 6aa1bf475cf3e7a2149acc5a1e80e904749f064c -Author: Damien Miller <djm@mindrot.org> -Date: Thu Jul 12 14:54:18 2018 +1000 - - rm regress/misc/kexfuzz/*.o in distclean target - -commit eef1447ddb559c03725a23d4aa6d03f40e8b0049 -Author: Damien Miller <djm@mindrot.org> -Date: Thu Jul 12 14:49:26 2018 +1000 - - repair !WITH_OPENSSL build - -commit 4d3b2f36fd831941d1627ac587faae37b6d3570f -Author: Damien Miller <djm@mindrot.org> -Date: Thu Jul 12 14:49:14 2018 +1000 - - missing headers - -commit 3f420a692b293921216549c1099c2e46ff284eae -Author: Darren Tucker <dtucker@dtucker.net> -Date: Thu Jul 12 14:57:46 2018 +1000 - - Remove key.h from portable files too. - - Commit 5467fbcb removed key.h so stop including it in portable files - too. Fixes builds on lots of platforms. 
- -commit e2c4af311543093f16005c10044f7e06af0426f0 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Jul 12 04:35:25 2018 +0000 - - upstream: remove prototype to long-gone function - - OpenBSD-Commit-ID: 0414642ac7ce01d176b9f359091a66a8bbb640bd - -commit 394a842e60674bf8ee5130b9f15b01452a0b0285 -Author: markus@openbsd.org <markus@openbsd.org> -Date: Wed Jul 11 18:55:11 2018 +0000 - - upstream: treat ssh_packet_write_wait() errors as fatal; ok djm@ - - OpenBSD-Commit-ID: f88ba43c9d54ed2d911218aa8d3f6285430629c3 - -commit 5467fbcb09528ecdcb914f4f2452216c24796790 -Author: markus@openbsd.org <markus@openbsd.org> -Date: Wed Jul 11 18:53:29 2018 +0000 - - upstream: remove legacy key emulation layer; ok djm@ - - OpenBSD-Commit-ID: 2b1f9619259e222bbd4fe9a8d3a0973eafb9dd8d - -commit 5dc4c59d5441a19c99e7945779f7ec9051126c25 -Author: martijn@openbsd.org <martijn@openbsd.org> -Date: Wed Jul 11 08:19:35 2018 +0000 - - upstream: s/wuth/with/ in comment - - OpenBSD-Commit-ID: 9de41468afd75f54a7f47809d2ad664aa577902c - -commit 1c688801e9dd7f9889fb2a29bc2b6fbfbc35a11f -Author: Darren Tucker <dtucker@dtucker.net> -Date: Wed Jul 11 12:12:38 2018 +1000 - - Include stdlib.h for declaration of free. - - Fixes build with -Werror on at least Fedora and probably others. - -commit fccfa239def497615f92ed28acc57cfe63da3666 -Author: Damien Miller <djm@mindrot.org> -Date: Wed Jul 11 10:19:56 2018 +1000 - - VALGRIND_CHECK_LEAKS logic was backwards :( - -commit 416287d45fcde0a8e66eee8b99aa73bd58607588 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Wed Jul 11 10:10:26 2018 +1000 - - Fix sshbuf_new error path in skey. - -commit 7aab109b8b90a353c1af780524f1ac0d3af47bab -Author: Darren Tucker <dtucker@dtucker.net> -Date: Wed Jul 11 10:06:18 2018 +1000 - - Supply missing third arg in skey. - - During the change to the new buffer api the third arg to - sshbuf_get_cstring was ommitted. Fixes build when configured with skey. 
- -commit 380320bb72cc353a901790ab04b6287fd335dc4a -Author: Darren Tucker <dtucker@dtucker.net> -Date: Wed Jul 11 10:03:34 2018 +1000 - - Supply some more missing "int r" in skey - -commit d20720d373d8563ee737d1a45dc5e0804d622dbc -Author: Damien Miller <djm@mindrot.org> -Date: Wed Jul 11 09:56:36 2018 +1000 - - disable valgrind memleak checking by default - - Add VALGRIND_CHECK_LEAKS knob to turn it back on. - -commit 79c9d35018f3a5e30ae437880b669aa8636cd3cd -Author: Darren Tucker <dtucker@dtucker.net> -Date: Wed Jul 11 09:54:00 2018 +1000 - - Supply missing "int r" in skey code. - -commit 984bacfaacbbe31c35191b828fb5b5b2f0362c36 -Author: sf@openbsd.org <sf@openbsd.org> -Date: Tue Jul 10 09:36:58 2018 +0000 - - upstream: re-remove some pre-auth compression bits - - This time, make sure to not remove things that are necessary for - pre-auth compression on the client. Add a comment that pre-auth - compression is still supported in the client. - - ok markus@ - - OpenBSD-Commit-ID: 282c6fec7201f18a5c333bbb68d9339734d2f784 - -commit 120a1ec74e8d9d29f4eb9a27972ddd22351ddef9 -Author: Damien Miller <djm@mindrot.org> -Date: Tue Jul 10 19:39:52 2018 +1000 - - Adapt portable to legacy buffer API removal - -commit 0f3958c1e6ffb8ea4ba27e2a97a00326fce23246 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Jul 10 09:13:30 2018 +0000 - - upstream: kerberos/gssapi fixes for buffer removal - - OpenBSD-Commit-ID: 1cdf56fec95801e4563c47f21696f04cd8b60c4c - -commit c74ae8e7c45f325f3387abd48fa7dfef07a08069 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Jul 10 06:45:29 2018 +0000 - - upstream: buffer.[ch] and bufaux.c are no more - - OpenBSD-Commit-ID: d1a1852284e554f39525eb4d4891b207cfb3d3a0 - -commit a881e5a133d661eca923fb0633a03152ab2b70b2 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Jul 10 06:43:52 2018 +0000 - - upstream: one mention of Buffer that almost got away :) - - OpenBSD-Commit-ID: 30d7c27a90b4544ad5dfacf654595710cd499f02 - -commit 
49f47e656b60bcd1d1db98d88105295f4b4e600d -Author: markus@openbsd.org <markus@openbsd.org> -Date: Mon Jul 9 21:59:10 2018 +0000 - - upstream: replace cast with call to sshbuf_mutable_ptr(); ok djm@ - - OpenBSD-Commit-ID: 4dfe9d29fa93d9231645c89084f7217304f7ba29 - -commit cb30cd47041edb03476be1c8ef7bc1f4b69d1555 -Author: markus@openbsd.org <markus@openbsd.org> -Date: Mon Jul 9 21:56:06 2018 +0000 - - upstream: remove legacy buffer API emulation layer; ok djm@ - - OpenBSD-Commit-ID: 2dd5dc17cbc23195be4299fa93be2707a0e08ad9 - -commit 235c7c4e3bf046982c2d8242f30aacffa01073d1 -Author: markus@openbsd.org <markus@openbsd.org> -Date: Mon Jul 9 21:53:45 2018 +0000 - - upstream: sshd: switch monitor to sshbuf API; lots of help & ok - - djm@ - - OpenBSD-Commit-ID: d89bd02d33974fd35ca0b8940d88572227b34a48 - -commit b8d9214d969775e409e1408ecdf0d58fad99b344 -Author: markus@openbsd.org <markus@openbsd.org> -Date: Mon Jul 9 21:37:55 2018 +0000 - - upstream: sshd: switch GSSAPI to sshbuf API; ok djm@ - - OpenBSD-Commit-ID: e48449ab4be3f006f7ba33c66241b7d652973e30 - -commit c7d39ac8dc3587c5f05bdd5bcd098eb5c201c0c8 -Author: markus@openbsd.org <markus@openbsd.org> -Date: Mon Jul 9 21:35:50 2018 +0000 - - upstream: sshd: switch authentication to sshbuf API; ok djm@ - - OpenBSD-Commit-ID: 880aa06bce4b140781e836bb56bec34873290641 - -commit c3cb7790e9efb14ba74b2d9f543ad593b3d55b31 -Author: markus@openbsd.org <markus@openbsd.org> -Date: Mon Jul 9 21:29:36 2018 +0000 - - upstream: sshd: switch config to sshbuf API; ok djm@ - - OpenBSD-Commit-ID: 72b02017bac7feac48c9dceff8355056bea300bd - -commit 2808d18ca47ad3d251836c555f0e22aaca03d15c -Author: markus@openbsd.org <markus@openbsd.org> -Date: Mon Jul 9 21:26:02 2018 +0000 - - upstream: sshd: switch loginmsg to sshbuf API; ok djm@ - - OpenBSD-Commit-ID: f3cb4e54bff15c593602d95cc43e32ee1a4bac42 - -commit 89dd615b8b531979be63f05f9d5624367c9b28e6 -Author: markus@openbsd.org <markus@openbsd.org> -Date: Mon Jul 9 21:20:26 2018 +0000 - - upstream: 
ttymodes: switch to sshbuf API; ok djm@ - - OpenBSD-Commit-ID: 5df340c5965e822c9da21e19579d08dea3cbe429 - -commit f4608a7065480516ab46214f554e5f853fb7870f -Author: markus@openbsd.org <markus@openbsd.org> -Date: Mon Jul 9 21:18:10 2018 +0000 - - upstream: client: switch mux to sshbuf API; with & ok djm@ - - OpenBSD-Commit-ID: 5948fb98d704f9c4e075b92edda64e0290b5feb2 - -commit cecee2d607099a7bba0a84803e2325d15be4277b -Author: markus@openbsd.org <markus@openbsd.org> -Date: Mon Jul 9 21:03:30 2018 +0000 - - upstream: client: switch to sshbuf API; ok djm@ - - OpenBSD-Commit-ID: 60cb0356114acc7625ab85105f6f6a7cd44a8d05 - -commit ff55f4ad898137d4703e7a2bcc81167dfe8e9324 -Author: markus@openbsd.org <markus@openbsd.org> -Date: Mon Jul 9 20:39:28 2018 +0000 - - upstream: pkcs11: switch to sshbuf API; ok djm@ - - OpenBSD-Commit-ID: 98cc4e800f1617c51caf59a6cb3006f14492db79 - -commit 168b46f405d6736960ba7930389eecb9b6710b7e -Author: sf@openbsd.org <sf@openbsd.org> -Date: Mon Jul 9 13:37:10 2018 +0000 - - upstream: Revert previous two commits - - It turns out we still support pre-auth compression on the client. - Therefore revert the previous two commits: - - date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; - Rename COMP_DELAYED to COMP_ZLIB - - Only delayed compression is supported nowadays. - - ok markus@ - - date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; - Remove leftovers from pre-authentication compression - - Support for this has been removed in 2016. - COMP_DELAYED will be renamed in a later commit. - - ok markus@ - - OpenBSD-Commit-ID: cdfef526357e4e1483c86cf599491b2dafb77772 - -commit ab39267fa1243d02b6c330615539fc4b21e17dc4 -Author: sf@openbsd.org <sf@openbsd.org> -Date: Fri Jul 6 09:06:14 2018 +0000 - - upstream: Rename COMP_DELAYED to COMP_ZLIB - - Only delayed compression is supported nowadays. 
- - ok markus@ - - OpenBSD-Commit-ID: 5b1dbaf3d9a4085aaa10fec0b7a4364396561821 - -commit 95db395d2e56a6f868193aead6cadb2493f036c6 -Author: sf@openbsd.org <sf@openbsd.org> -Date: Fri Jul 6 09:05:01 2018 +0000 - - upstream: Remove leftovers from pre-authentication compression - - Support for this has been removed in 2016. - COMP_DELAYED will be renamed in a later commit. - - ok markus@ - - OpenBSD-Commit-ID: 6a99616c832627157113fcb0cf5a752daf2e6b58 - -commit f28a4d5cd24c4aa177e96b4f96957991e552cb70 -Author: sf@openbsd.org <sf@openbsd.org> -Date: Fri Jul 6 09:03:02 2018 +0000 - - upstream: Remove unused ssh_packet_start_compression() - - ok markus@ - - OpenBSD-Commit-ID: 9d34cf2f59aca5422021ae2857190578187dc2b4 - -commit 872517ddbb72deaff31d4760f28f2b0a1c16358f -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Jul 6 13:32:02 2018 +1000 - - Defer setting bufsiz in getdelim. - - Do not write to bufsiz until we are sure the malloc has succeeded, - in case any callers rely on it (which they shouldn't). ok djm@ - -commit 3deb56f7190a414dc264e21e087a934fa1847283 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Thu Jul 5 13:32:01 2018 +1000 - - Fix other callers of read_environment_file. - - read_environment_file recently gained an extra argument Some platform - specific code also calls it so add the argument to those too. Fixes - build on Solaris and AIX. 
- -commit 314908f451e6b2d4ccf6212ad246fa4619c721d3 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Jul 4 13:51:45 2018 +0000 - - upstream: deal with API rename: match_filter_list() => - - match_filter_blacklist() - - OpenBSD-Regress-ID: 2da342be913efeb51806351af906fab01ba4367f - -commit 89f54cdf6b9cf1cf5528fd33897f1443913ddfb4 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Jul 4 13:51:12 2018 +0000 - - upstream: exercise new expansion behaviour of - - PubkeyAcceptedKeyTypes and, by proxy, test kex_assemble_names() - - ok markus@ - - OpenBSD-Regress-ID: 292978902e14d5729aa87e492dd166c842f72736 - -commit 187633f24c71564e970681c8906df5a6017dcccf -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Jul 3 13:53:26 2018 +0000 - - upstream: add a comment that could have saved me 45 minutes of wild - - goose chasing - - OpenBSD-Regress-ID: d469b29ffadd3402c090e21b792d627d46fa5297 - -commit 312d2f2861a2598ed08587cb6c45c0e98a85408f -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Jul 4 13:49:31 2018 +0000 - - upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSA - - signature work - returns ability to add/remove/specify algorithms by - wildcard. - - Algorithm lists are now fully expanded when the server/client configs - are finalised, so errors are reported early and the config dumps - (e.g. "ssh -G ...") now list the actual algorithms selected. - - Clarify that, while wildcards are accepted in algorithm lists, they - aren't full pattern-lists that support negation. 
- - (lots of) feedback, ok markus@ - - OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207 - -commit 303af5803bd74bf05d375c04e1a83b40c30b2be5 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Jul 3 11:43:49 2018 +0000 - - upstream: some magic for RSA-SHA2 checks - - OpenBSD-Regress-ID: e5a9b11368ff6d86e7b25ad10ebe43359b471cd4 - -commit 7d68e262944c1fff1574600fe0e5e92ec8b398f5 -Author: Damien Miller <djm@mindrot.org> -Date: Tue Jul 3 23:27:11 2018 +1000 - - depend - -commit b4d4eda633af433d20232cbf7e855ceac8b83fe5 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Jul 3 13:20:25 2018 +0000 - - upstream: some finesse to fix RSA-SHA2 certificate authentication - - for certs hosted in ssh-agent - - OpenBSD-Commit-ID: e5fd5edd726137dda2d020e1cdebc464110a010f - -commit d78b75df4a57e0f92295f24298e5f2930e71c172 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Jul 3 13:07:58 2018 +0000 - - upstream: check correct variable; unbreak agent keys - - OpenBSD-Commit-ID: c36981fdf1f3ce04966d3310826a3e1e6233d93e - -commit 2f30300c5e15929d0e34013f38d73e857f445e12 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Jul 3 11:42:12 2018 +0000 - - upstream: crank version number to 7.8; needed for new compat flag - - for prior version; part of RSA-SHA2 strictification, ok markus@ - - OpenBSD-Commit-ID: 84a11fc0efd2674c050712336b5093f5d408e32b - -commit 4ba0d54794814ec0de1ec87987d0c3b89379b436 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Jul 3 11:39:54 2018 +0000 - - upstream: Improve strictness and control over RSA-SHA2 signature - - In ssh, when an agent fails to return a RSA-SHA2 signature when - requested and falls back to RSA-SHA1 instead, retry the signature to - ensure that the public key algorithm sent in the SSH_MSG_USERAUTH - matches the one in the signature itself. - - In sshd, strictly enforce that the public key algorithm sent in the - SSH_MSG_USERAUTH message matches what appears in the signature. 
- - Make the sshd_config PubkeyAcceptedKeyTypes and - HostbasedAcceptedKeyTypes options control accepted signature algorithms - (previously they selected supported key types). This allows these - options to ban RSA-SHA1 in favour of RSA-SHA2. - - Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and - "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures - with certificate keys. - - feedback and ok markus@ - - OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde - -commit 95344c257412b51199ead18d54eaed5bafb75617 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Jul 3 10:59:35 2018 +0000 - - upstream: allow sshd_config PermitUserEnvironment to accept a - - pattern-list of whitelisted environment variable names in addition to yes|no. - - bz#1800, feedback and ok markus@ - - OpenBSD-Commit-ID: 77dc2b468e0bf04b53f333434ba257008a1fdf24 - -commit 6f56fe4b9578b0627667f8bce69d4d938a88324c -Author: millert@openbsd.org <millert@openbsd.org> -Date: Tue Jun 26 11:23:59 2018 +0000 - - upstream: Fix "WARNING: line 6 disappeared in /etc/moduli, giving up" - - when choosing a prime. An extra increment of linenum snuck in as part of the - conversion to getline(). OK djm@ markus@ - - OpenBSD-Commit-ID: 0019225cb52ed621b71cd9f19ee2e78e57e3dd38 - -commit 1eee79a11c1b3594f055b01e387c49c9a6e80005 -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Mon Jul 2 14:13:30 2018 +0000 - - upstream: One ampersand is enough to backgroud an process. OpenBSD - - doesn't seem to mind, but some platforms in -portable object to the second. - - OpenBSD-Regress-ID: d6c3e404871764343761dc25c3bbe29c2621ff74 - -commit 6301e6c787d4e26bfae1119ab4f747bbcaa94e44 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Mon Jul 2 21:16:58 2018 +1000 - - Add implementation of getline. - - Add getline for the benefit of platforms that don't have it. Sourced - from NetBSD (OpenBSD's implementation is a little too chummy with the - internals of FILE). 
- -commit 84623e0037628f9992839063151f7a9f5f13099a -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Jun 26 02:02:36 2018 +0000 - - upstream: whitespace - - OpenBSD-Commit-ID: 9276951caf4daf555f6d262e95720e7f79244572 - -commit 90e51d672711c19a36573be1785caf35019ae7a8 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Mon Jun 25 22:28:33 2018 +0000 - - upstream: fix NULL dereference in open_listen_match_tcpip() - - OpenBSD-Commit-ID: c968c1d29e392352383c0f9681fcc1e93620c4a9 - -commit f535ff922a67d9fcc5ee69d060d1b21c8bb01d14 -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Tue Jun 19 05:36:57 2018 +0000 - - upstream: spelling; - - OpenBSD-Commit-ID: db542918185243bea17202383a581851736553cc - -commit 80e199d6175904152aafc5c297096c3e18297691 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Jun 19 03:02:17 2018 +0000 - - upstream: test PermitListen with bare port numbers - - OpenBSD-Regress-ID: 4b50a02dfb0ccaca08247f3877c444126ba901b3 - -commit 87ddd676da0f3abd08b778b12b53b91b670dc93c -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue Jun 19 02:59:41 2018 +0000 - - upstream: allow bare port numbers to appear in PermitListen directives, - - e.g. - - PermitListen 2222 8080 - - is equivalent to: - - PermitListen *:2222 *:8080 - - Some bonus manpage improvements, mostly from markus@ - - "looks fine" markus@ - - OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24 - -commit 26f96ca10ad0ec5da9b05b99de1e1ccea15a11be -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jun 15 07:01:11 2018 +0000 - - upstream: invalidate supplemental group cache used by - - temporarily_use_uid() when the target uid differs; could cause failure to - read authorized_keys under some configurations. 
patch by Jakub Jelen via - bz2873; ok dtucker, markus - - OpenBSD-Commit-ID: 48a345f0ee90f6c465a078eb5e89566b23abd8a1 - -commit 89a85d724765b6b82e0135ee5a1181fdcccea9c6 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sun Jun 10 23:45:41 2018 +0000 - - upstream: unbreak SendEnv; patch from tb@ - - OpenBSD-Commit-ID: fc808daced813242563b80976e1478de95940056 - -commit acf4260f0951f89c64e1ebbc4c92f451768871ad -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Sat Jun 9 06:36:31 2018 +0000 - - upstream: sort previous; - - OpenBSD-Commit-ID: 27d80d8b8ca99bc33971dee905e8ffd0053ec411 - -commit 1678d4236451060b735cb242d2e26e1ac99f0947 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sat Jun 9 03:18:11 2018 +0000 - - upstream: slightly better wording re handing of $TERM, from Jakub - - Jelen via bz2386 - - OpenBSD-Commit-ID: 14bea3f069a93c8be66a7b97794255a91fece964 - -commit 28013759f09ed3ebf7e8335e83a62936bd7a7f47 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sat Jun 9 03:03:10 2018 +0000 - - upstream: add a SetEnv directive for sshd_config to allow an - - administrator to explicitly specify environment variables set in sessions - started by sshd. These override the default environment and any variables set - by user configuration (PermitUserEnvironment, etc), but not the SSH_* - variables set by sshd itself. - - ok markus@ - - OpenBSD-Commit-ID: b6a96c0001ccd7dd211df6cae9e961c20fd718c0 - -commit 7082bb58a2eb878d23ec674587c742e5e9673c36 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sat Jun 9 03:01:12 2018 +0000 - - upstream: add a SetEnv directive to ssh_config that allows setting - - environment variables for the remote session (subject to the server accepting - them) - - refactor SendEnv to remove the arbitrary limit of variable names. 
- - ok markus@ - - OpenBSD-Commit-ID: cfbb00d9b0e10c1ffff1d83424351fd961d1f2be - -commit 3b9798bda15bd3f598f5ef07595d64e23504da91 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Sat Jun 9 02:58:02 2018 +0000 - - upstream: reorder child environment preparation so that variables - - read from ~/.ssh/environment (if enabled) do not override SSH_* variables set - by the server. - - OpenBSD-Commit-ID: 59f9d4c213cdcef2ef21f4b4ae006594dcf2aa7a - -commit 0368889f82f63c82ff8db9f8c944d89e7c657db4 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jun 8 03:35:36 2018 +0000 - - upstream: fix incorrect expansion of %i in - - load_public_identity_files(); reported by Roumen Petrov - - OpenBSD-Commit-ID: a827289e77149b5e0850d72a350c8b0300e7ef25 - -commit 027607fc2db6a0475a3380f8d95c635482714cb0 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jun 8 01:55:40 2018 +0000 - - upstream: fix some over-long lines and __func__ up some debug - - messages - - OpenBSD-Commit-ID: c70a60b4c8207d9f242fc2351941ba50916bb267 - -commit 6ff6fda705bc204456a5fa12518dde6e8790bb02 -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Thu Jun 7 11:26:14 2018 +0000 - - upstream: tweak previous; - - OpenBSD-Commit-ID: f98f16af10b28e24bcecb806cb71ea994b648fd6 - -commit f2c06ab8dd90582030991f631a2715216bf45e5a -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Jun 8 17:43:36 2018 +1000 - - Remove ability to override $LD. - - Since autoconf always uses $CC to link C programs, allowing users to - override LD caused mismatches between what LD_LINK_IFELSE thought worked - and what ld thought worked. If you do need to do this kind of thing you - need to set a compiler flag such as gcc's -fuse-ld in LDFLAGS. - -commit e1542a80797b4ea40a91d2896efdcc76a57056d2 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Fri Jun 8 13:55:59 2018 +1000 - - Better detection of unsupported compiler options. - - Should prevent "unsupported -Wl,-z,retpoline" warnings during linking. 
- ok djm@ - -commit 57379dbd013ad32ee3f9989bf5f5741065428360 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Jun 7 14:29:43 2018 +0000 - - upstream: test the correct configuration option name - - OpenBSD-Regress-ID: 492279ea9f65657f97a970e0e7c7fd0b339fee23 - -commit 6d41815e202fbd6182c79780b6cc90e1ec1c9981 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Jun 7 09:26:42 2018 +0000 - - upstream: some permitlisten fixes from markus@ that I missed in my - - insomnia-fueled commits last night - - OpenBSD-Commit-ID: 26f23622e928996086e85b1419cc1c0f136e359c - -commit 4319f7a868d86d435fa07112fcb6153895d03a7f -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Jun 7 04:46:34 2018 +0000 - - upstream: permitlisten/PermitListen unit test from Markus - - OpenBSD-Regress-ID: ab12eb42f0e14926980441cf7c058a6d1d832ea5 - -commit fa09076410ffc2d34d454145af23c790d728921e -Author: djm@openbsd.org <djm@openbsd.org> -Date: Thu Jun 7 04:31:51 2018 +0000 - - upstream: fix regression caused by recent permitlisten option commit: - - authorized_keys lines that contained permitopen/permitlisten were being - treated as invalid. 
- - OpenBSD-Commit-ID: 7ef41d63a5a477b405d142dc925b67d9e7aaa31b - -commit 7f90635216851f6cb4bf3999e98b825f85d604f8 -Author: markus@openbsd.org <markus@openbsd.org> -Date: Wed Jun 6 18:29:18 2018 +0000 - - upstream: switch config file parsing to getline(3) as this avoids - - static limits noted by gerhard@; ok dtucker@, djm@ - - OpenBSD-Commit-ID: 6d702eabef0fa12e5a1d75c334a8c8b325298b5c - -commit 392db2bc83215986a91c0b65feb0e40e7619ce7e -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Jun 6 18:25:33 2018 +0000 - - upstream: regress test for PermitOpen - - OpenBSD-Regress-ID: ce8b5f28fc039f09bb297fc4a92319e65982ddaf - -commit 803d896ef30758135e2f438bdd1a0be27989e018 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Jun 6 18:24:15 2018 +0000 - - upstream: man bits for permitlisten authorized_keys option - - OpenBSD-Commit-ID: 86910af8f781a4ac5980fea125442eb25466dd78 - -commit 04df43208b5b460d7360e1598f876b92a32f5922 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Jun 6 18:24:00 2018 +0000 - - upstream: man bits for PermitListen - - OpenBSD-Commit-ID: 35b200cba4e46a16a4db6a80ef11838ab0fad67c - -commit 93c06ab6b77514e0447fe4f1d822afcbb2a9be08 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Jun 6 18:23:32 2018 +0000 - - upstream: permitlisten option for authorized_keys; ok markus@ - - OpenBSD-Commit-ID: 8650883018d7aa893173d703379e4456a222c672 - -commit 115063a6647007286cc8ca70abfd2a7585f26ccc -Author: djm@openbsd.org <djm@openbsd.org> -Date: Wed Jun 6 18:22:41 2018 +0000 - - upstream: Add a PermitListen directive to control which server-side - - addresses may be listened on when the client requests remote forwarding (ssh - -R). - - This is the converse of the existing PermitOpen directive and this - includes some refactoring to share much of its implementation. 
- - feedback and ok markus@ - - OpenBSD-Commit-ID: 15a931238c61a3f2ac74ea18a98c933e358e277f - -commit 7703ae5f5d42eb302ded51705166ff6e19c92892 -Author: Darren Tucker <dtucker@dtucker.net> -Date: Wed Jun 6 16:04:29 2018 +1000 - - Use ssh-keygen -A to generate missing host keys. - - Instead of testing for each specific key type, use ssh-keygen -A to - generate any missing host key types. - -commit e8d59fef1098e24f408248dc64e5c8efa5d01f3c -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Fri Jun 1 06:23:10 2018 +0000 - - upstream: add missing punctuation after %i in ssh_config.5, and - - make the grammatical format in sshd_config.5 match that in ssh_config.5; - - OpenBSD-Commit-ID: e325663b9342f3d556e223e5306e0d5fa1a74fa0 - -commit a1f737d6a99314e291a87856122cb4dbaf64c641 -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Fri Jun 1 05:52:26 2018 +0000 - - upstream: oops - further adjustment to text neccessary; - - OpenBSD-Commit-ID: 23585576c807743112ab956be0fb3c786bdef025 - -commit 294028493471e0bd0c7ffe55dc0c0a67cba6ec41 -Author: jmc@openbsd.org <jmc@openbsd.org> -Date: Fri Jun 1 05:50:18 2018 +0000 - - upstream: %U needs to be escaped; tweak text; - - OpenBSD-Commit-ID: 30887b73ece257273fb619ab6f4e86dc92ddc15e - -commit e5019da3c5a31e6e729a565f2b886a80c4be96cc -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri Jun 1 04:31:48 2018 +0000 - - upstream: Apply umask to all incoming files and directories not - - just files. This makes sure it gets applied to directories too, and prevents - a race where files get chmodded after creation. bz#2839, ok djm@ - - OpenBSD-Commit-ID: 3168ee6c7c39093adac4fd71039600cfa296203b - -commit a1dcafc41c376332493b9385ee39f9754dc145ec -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jun 1 03:52:37 2018 +0000 - - upstream: Adapt to extra default verboisity from ssh-keygen when - - searching for and hashing known_hosts entries in a single operation - (ssh-keygen -HF ...) 
Patch from Anton Kremenetsky - - OpenBSD-Regress-ID: 519585a4de35c4611285bd6a7272766c229b19dd - -commit 76f314c75dffd4a55839d50ee23622edad52c168 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Tue May 22 00:22:49 2018 +0000 - - upstream: Add TEST_SSH_FAIL_FATAL variable, to force all failures - - to instantly abort the test. Useful in capturing clean logs for individual - failure cases. - - OpenBSD-Regress-ID: feba18cf338c2328b9601bd4093cabdd9baa3af1 - -commit 065c8c055df8d83ae7c92e5e524a579d87668aab -Author: dtucker@openbsd.org <dtucker@openbsd.org> -Date: Fri May 11 03:51:06 2018 +0000 - - upstream: Clean up comment. - - OpenBSD-Regress-ID: 6adb35f384d447e7dcb9f170d4f0d546d3973e10 - -commit 01b048c8eba3b021701bd0ab26257fc82903cba8 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jun 1 04:21:29 2018 +0000 - - upstream: whitespace - - OpenBSD-Commit-ID: e5edb5e843ddc9b73a8e46518899be41d5709add - -commit 854ae209f992465a276de0b5f10ef770510c2418 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jun 1 04:05:29 2018 +0000 - - upstream: make ssh_remote_ipaddr() capable of being called after - - the ssh->state has been torn down; bz#2773 - - OpenBSD-Commit-ID: 167f12523613ca3d16d7716a690e7afa307dc7eb - -commit 3e088aaf236ef35beeef3c9be93fd53700df5861 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jun 1 03:51:34 2018 +0000 - - upstream: return correct exit code when searching for and hashing - - known_hosts entries in a single operation (ssh-keygen -HF hostname); bz2772 - Report and fix from Anton Kremenetsky - - OpenBSD-Commit-ID: ac10ca13eb9bb0bc50fcd42ad11c56c317437b58 - -commit 9c935dd9bf05628826ad2495d3e8bdf3d3271c21 -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jun 1 03:33:53 2018 +0000 - - upstream: make UID available as a %-expansion everywhere that the - - username is available currently. 
In the client this is via %i, in the server - %U (since %i was already used in the client in some places for this, but used - for something different in the server); bz#2870, ok dtucker@ - - OpenBSD-Commit-ID: c7e912b0213713316cb55db194b3a6415b3d4b95 - -commit d8748b91d1d6c108c0c260ed41fa55f37b9ef34b -Author: djm@openbsd.org <djm@openbsd.org> -Date: Fri Jun 1 03:11:49 2018 +0000 - - upstream: prefer argv0 to "ssh" when re-executing ssh for ProxyJump - - directive; bz2831, feedback and ok dtucker@ - - OpenBSD-Commit-ID: 3cec709a131499fbb0c1ea8a0a9e0b0915ce769e |
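Review bot: the entries removed in this part of the hunk (dated May to July 2018) carry security-relevant history, and nothing in the visible lines says where that history lives once it is dropped from ChangeLog. Examples are 4ba0d54794 "Improve strictness and control over RSA-SHA2 signature", which records that PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes now control accepted signature algorithms where they previously selected key types, 90e51d6727 "fix NULL dereference in open_listen_match_tcpip()", and e5019da3c5, which applies the umask to incoming directories and closes a chmod-after-creation race. If the file is regenerated to cover only a recent window of commits, state that in the commit message or in a header line of ChangeLog and point readers to the git history for older entries, so that someone auditing configuration semantics against this file can tell a trimmed entry from a change that never happened.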
