Commit message | Author | Age | Files | Lines
* upstream: Make it possible to load certs from PKCS#11 tokens
  djm@openbsd.org | 2023-12-18 | 8 files | -70/+299

  Adds a protocol extension to allow grafting certificates supplied by ssh-add to keys loaded from PKCS#11 tokens in the agent. feedback/ok markus@

  OpenBSD-Commit-ID: bb5433cd28ede2bc910996eb3c0b53e20f86037f
* upstream: apply destination constraints to all p11 keys
  djm@openbsd.org | 2023-12-18 | 1 file | -5/+100

  Previously applied only to the first key returned from each token. ok markus@

  OpenBSD-Commit-ID: 36df3afb8eb94eec6b2541f063d0d164ef8b488d
* upstream: add "ext-info-in-auth@openssh.com" extension
  djm@openbsd.org | 2023-12-18 | 7 files | -67/+260

  This adds another transport protocol extension to allow a sshd to send SSH2_MSG_EXT_INFO during user authentication, after the server has learned the username that is being logged in to. This lets sshd update the acceptable signature algorithms for public key authentication, and allows these to be varied via sshd_config(5) "Match" directives, which are evaluated after the server learns the username being authenticated.

  Full details in the PROTOCOL file

  OpenBSD-Commit-ID: 1de7da7f2b6c32a46043d75fcd49b0cbb7db7779
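The Match-scoped signature-algorithm policy that this extension lets a client see, as an added sshd_config fragment (not taken from the commit or from the project's tree; the user name and the algorithm lists are illustrative):

```conf
# Global default for public key authentication.
PubkeyAcceptedAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256

# Per-user tightening. A Match block is evaluated only after the server
# knows the username, so the EXT_INFO sshd sends right after key exchange
# cannot reflect it; with ext-info-in-auth@openssh.com the server sends a
# second EXT_INFO during userauth that carries this narrower list.
Match User deploy
    PubkeyAcceptedAlgorithms ssh-ed25519
```

To see which list applies to a given user, dump the effective configuration with `sshd -T -C user=deploy` and compare it against the output without the `-C` connection spec; the per-user value only shows up in the former.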
* upstream: implement "strict key exchange" in ssh and sshd
  djm@openbsd.org | 2023-12-18 | 6 files | -85/+148

  This adds a protocol extension to improve the integrity of the SSH transport protocol, particularly in and around the initial key exchange (KEX) phase.

  Full details of the extension are in the PROTOCOL file.

  with markus@

  OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
* better detection of broken -fzero-call-used-regs
  Damien Miller | 2023-12-18 | 2 files | -3/+15

  Use OSSH_CHECK_CFLAG_LINK() for detection of these flags and extend test program to exercise varargs, which seems to catch more stuff. ok dtucker@
* upstream: when invoking KnownHostsCommand to determine the order of
  djm@openbsd.org | 2023-12-13 | 1 file | -2/+2

  host key algorithms to request, ensure that the hostname passed to the command is decorated with the port number for ports other than 22. This matches the behaviour of KnownHostsCommand when invoked to look up the actual host key. bz3643, ok dtucker@

  OpenBSD-Commit-ID: 5cfabc0b7c6c7ab473666df314f377b1f15420b1
* upstream: prevent leak in sshsig_match_principals; ok djm@
  markus@openbsd.org | 2023-12-13 | 1 file | -4/+3

  OpenBSD-Commit-ID: 594f61ad4819ff5c72dfe99ba666a17f0e1030ae
* upstream: short circuit debug log processing early if we're not going
  djm@openbsd.org | 2023-12-06 | 1 file | -1/+5

  to log anything. From Kobe Housen

  OpenBSD-Commit-ID: 2bcddd695872a1bef137cfff7823044dcded90ea
* Add tests for OpenSSL 3.2.0 and 3.2 stable branch.
  Darren Tucker | 2023-11-26 | 1 file | -0/+2
* Use non-zero arg in compiler test program.
  Darren Tucker | 2023-11-24 | 1 file | -1/+1

  Now that we're running the test program, passing zero to the test function can cause divide-by-zero exceptions which might show up in logs.
* upstream: Plug mem leak of msg when processing a quit message.
  dtucker@openbsd.org | 2023-11-24 | 1 file | -1/+2

  Coverity CID#427852, ok djm@

  OpenBSD-Commit-ID: bf85362addbe2134c3d8c4b80f16601fbff823b7
* upstream: Include existing mux path in debug message.
  dtucker@openbsd.org | 2023-11-24 | 1 file | -2/+2

  OpenBSD-Commit-ID: 1c3641be10c2f4fbad2a1b088a441d072e18bf16
* Add an Ubuntu 22.04 test VM.
  Darren Tucker | 2023-11-23 | 1 file | -0/+1

  This is the same version as GitHub's runners so most of the testing on it is over there, but having a local VM makes debugging much easier.
* Add gcc-12 -Werror test on Ubuntu 22.04.
  Darren Tucker | 2023-11-23 | 2 files | -3/+14

  Explicitly specify gcc-11 on Ubuntu 22.04 (it's the system compiler).
* Check return value from write to prevent warning.
  Darren Tucker | 2023-11-23 | 1 file | -1/+1

  ... and since we're testing for flags with -Werror, this caused configure to mis-detect compiler flags.
* Run compiler test program when compiling natively.
  Darren Tucker | 2023-11-23 | 1 file | -6/+27

  ok djm@
* Factor out compiler test program into a macro.
  Darren Tucker | 2023-11-23 | 1 file | -49/+24

  ok djm@
* Add fbsd14 VM to test pool.
  Darren Tucker | 2023-11-21 | 1 file | -0/+2
* Expand -fzero-call-used-regs test to cover gcc 11.
  Darren Tucker | 2023-11-21 | 1 file | -1/+7

  It turns out that gcc also has some problems with -fzero-call-used-regs, at least v11 on mips. Previously the test in OSSH_CHECK_CFLAG_COMPILE was sufficient to catch it with "=all", but not sufficient for "=used". Expand the testcase and include it in the other tests for good measure. See bz#3629. ok djm@.
* Stop using -fzero-call-used-regs=all
  Darren Tucker | 2023-11-21 | 1 file | -2/+5

  ... since it seems to be problematic with several different versions of clang. Only use -fzero-call-used-regs=used which is less problematic, except with Apple's clang where we don't use it at all. bz#3629, ok djm@
* Allow for vendor prefix on clang version numbers.
  Darren Tucker | 2023-11-21 | 1 file | -3/+4

  Correctly detects the version of OpenBSD's native clang, as well as Apple's. Spotted tb@, ok djm@.
* upstream: set errno=EAFNOSUPPORT when filtering addresses that don't
  djm@openbsd.org | 2023-11-20 | 1 file | -2/+2

  match AddressFamily; yields slightly better error message if no address matches. bz#3526

  OpenBSD-Commit-ID: 29cea900ddd8b04a4d1968da5c4a893be2ebd9e6
* upstream: when connecting via socket (the default case), filter
  djm@openbsd.org | 2023-11-16 | 1 file | -1/+9

  addresses by AddressFamily if one was specified. Fixes the case where, if CanonicalizeHostname is enabled, ssh may ignore AddressFamily. bz5326; ok dtucker

  OpenBSD-Commit-ID: 6c7d7751f6cd055126b2b268a7b64dcafa447439
* upstream: when deciding whether to enable keystroke timing
  djm@openbsd.org | 2023-11-15 | 3 files | -4/+22

  obfuscation, only consider enabling it when a channel with a tty is open. Avoids turning on the obfuscation when X11 forwarding only is in use, which slows it right down. Reported by Roger Marsh

  OpenBSD-Commit-ID: c292f738db410f729190f92de100c39ec931a4f1
* upstream: Make sure sftp_get_limits() only returns 0 if 'limits'
  tobhe@openbsd.org | 2023-11-15 | 1 file | -2/+2

  was initialized. This fixes a potential uninitialized use of 'limits' in sftp_init() if sftp_get_limits() returned early because of an unexpected message type.

  ok djm@

  OpenBSD-Commit-ID: 1c177d7c3becc1d71bc8763eecf61873a1d3884c
* Test current releases of LibreSSL and OpenSSL.
  Darren Tucker | 2023-11-13 | 1 file | -4/+4

  Retire some of the older releases.
* upstream: Specify ssh binary to use
  dtucker@openbsd.org | 2023-11-01 | 1 file | -5/+5

  ... instead of relying on installed one. Fixes test failures in -portable when running tests prior to installation.

  OpenBSD-Regress-ID: b6d6ba71c23209c616efc805a60d9a445d53a685
* Put long-running test targets on hipri runners.
  Darren Tucker | 2023-11-01 | 1 file | -7/+8

  Some of the selfhosted test targets take a long time to run for various reasons, so label them for "libvirt-hipri" runners so that they can start immediately. This should reduce the time to complete all tests.
* upstream: add some tests of forced commands overriding Subsystem
  djm@openbsd.org | 2023-11-01 | 1 file | -12/+44

  directives

  OpenBSD-Regress-ID: eb48610282f6371672bdf2a8b5d2aa33cfbd322b
* upstream: Don't try to use sudo inside sshd log wrapper.
  dtucker@openbsd.org | 2023-10-31 | 1 file | -2/+2

  We still need to check if we're using sudo since we don't want to chown unnecessarily, as on some platforms this causes an error which pollutes stderr. We also don't want to unnecessarily invoke sudo, since it's running in the context of the proxycommand, on *other* platforms it may not be able to authenticate, and if we're using SUDO then it should already be privileged.

  OpenBSD-Regress-ID: 70d58df7503db699de579a9479300e5f3735f4ee
* upstream: Only try to chmod logfile if we have sudo. If we don't have
  dtucker@openbsd.org | 2023-10-31 | 1 file | -2/+2

  sudo then we won't need to chmod.

  OpenBSD-Regress-ID: dbad2f5ece839658ef8af3376cb1fb1cabe2e324
* upstream: move PKCS#11 setup code to test-exec.sh so it can be reused
  djm@openbsd.org | 2023-10-31 | 2 files | -90/+93

  elsewhere

  OpenBSD-Regress-ID: 1d29e6be40f994419795d9e660a8d07f538f0acb
* upstream: tidy and refactor PKCS#11 setup code
  djm@openbsd.org | 2023-10-30 | 1 file | -61/+72

  Replace the use of a perl script to delete the controlling TTY with an SSH_ASKPASS script to directly load the PIN.

  Move PKCS#11 setup code to functions in anticipation of it being used elsewhere in additional tests.

  Reduce stdout spam

  OpenBSD-Regress-ID: 07705c31de30bab9601a95daf1ee6bef821dd262
* Add obsd74 test VM and retire obsd69 and obsd70.
  Darren Tucker | 2023-10-30 | 1 file | -2/+1
* Add OpenSSL 3.3.0 as a known dev version.
  Darren Tucker | 2023-10-30 | 1 file | -1/+1
* Restore nopasswd sudo rule on Mac OS X.
  Darren Tucker | 2023-10-30 | 1 file | -7/+19

  This seems to be missing from some (but not all) GitHub runners, so restore it if it seems to be missing.
* Don't exit early when setting up on Mac OS X.
  Darren Tucker | 2023-10-30 | 1 file | -5/+12

  We probably need some of the other bits in there (specifically, setting the perms on the home directory) so make it less of a special snowflake.
* upstream: Only try to chown logfiles that exist to prevent spurious
  dtucker@openbsd.org | 2023-10-29 | 1 file | -5/+7

  errors.

  OpenBSD-Regress-ID: f1b20a476734e885078c481f1324c9ea03af991e
* upstream: make use of bsd.regress.mk in extra and interop targets; ok
  anton@openbsd.org | 2023-10-29 | 1 file | -1/+1

  dtucker@

  OpenBSD-Regress-ID: 7ea21b5f6fc4506165093b2123d88d20ff13a4f0
* upstream: Skip conch interop tests when not enabled instead of fatal.
  dtucker@openbsd.org | 2023-10-26 | 1 file | -2/+2

  OpenBSD-Regress-ID: b0abf81c24ac6c21f367233663228ba16fa96a46
* upstream: Import regenerated moduli.
  dtucker@openbsd.org | 2023-10-26 | 1 file | -444/+454

  OpenBSD-Commit-ID: 95f5dd6107e8902b87dc5b005ef2b53f1ff378b8
* upstream: ssh conch interop tests require a controlling terminal;
  anton@openbsd.org | 2023-10-26 | 1 file | -3/+6

  ok dtucker@

  OpenBSD-Regress-ID: cbf2701bc347c2f19d907f113779c666f1ecae4a
* upstream: Use private key that is allowed by sshd defaults in conch
  anton@openbsd.org | 2023-10-26 | 1 file | -2/+2

  interop tests.

  ok dtucker@

  OpenBSD-Regress-ID: 3b7f65c8f409c328bcd4b704f60cb3d31746f045
* Install Dropbear for interop testing.
  Darren Tucker | 2023-10-20 | 1 file | -2/+2
* Resync PuTTY and Conch path handling with upstream.
  Darren Tucker | 2023-10-20 | 1 file | -22/+10

  Now that configure finds these for us we can remove these -portable specific changes.
* Have configure find PuTTY and Conch binaries.
  Darren Tucker | 2023-10-20 | 2 files | -3/+6

  This will let us remove some -portable specific changes from test-exec.sh.
* upstream: Allow overriding the locations of the Dropbear binaries
  dtucker@openbsd.org | 2023-10-20 | 3 files | -1/+23

  similar to what we do for the PuTTY ones.

  OpenBSD-Regress-ID: 7de0e00518fb0c8fdc5f243b7f82f523c936049c
* upstream: Add interop test with Dropbear.
  dtucker@openbsd.org | 2023-10-20 | 4 files | -2/+102

  Right now this is only dbclient not the Dropbear server since it won't currently run as a ProxyCommand.

  OpenBSD-Regress-ID: 8cb898c414fcdb252ca6328896b0687acdaee496
* Update openssl-devel dependency in RPM spec.
  Fabio Pedretti | 2023-10-16 | 1 file | -9/+14

  Since openssh 9.4p1, openssl >= 1.1.1 is required, so build with --without-openssl elsewhere. According to https://repology.org/project/openssl/versions openssl 1.1.1 is available on fedora >= 29 and rhel >= 8.

  Successfully build tested, installed and run on rhel 6
* Remove reference of dropped sshd.pam.old file
  Fabio Pedretti | 2023-10-16 | 1 file | -5/+4

  The file was removed in openssh 8.8