path: root/README.tun
Date | Commit message | Author | Files | Lines
2023-02-17 | upstream: Remove now-unused compat bit SSH_BUG_BIGENDIANAES. This | dtucker@openbsd.org | 2 | -12/+4
was previously set for OpenSSH 2.3 (released in 2000) but this check was removed in OpenSSH 7.7 (2018). ok djm@ deraadt@ OpenBSD-Commit-ID: 326426ea328707fc9e83305291ab135c87f678af
2023-02-17 | whitespace fixes | Damien Miller | 1 | -45/+45
2023-02-17 | whitespace at EOL | Damien Miller | 1 | -7/+7
2023-02-16 | upstream: Remove SSH_BUG_PASSWORDPAD compat bit | dtucker@openbsd.org | 2 | -14/+3
since it's no longer used. ok markus@ OpenBSD-Commit-ID: b92c21f56fe4b7f9a54790d6a9650725c226820b
2023-02-16 | upstream: Remove SSH_BUG_IGNOREMSG compat flag | dtucker@openbsd.org | 2 | -10/+3
since it's only applicable to SSH1 and thus no longer used. ok markus@ "kill it with fire" djm@ OpenBSD-Commit-ID: ea13318b1937795d9db4790d3ce0a6ed01584dab
2023-02-16 | upstream: space between macro and punctuation; sort usage(); | jmc@openbsd.org | 2 | -5/+5
OpenBSD-Commit-ID: 6141610cfca037700730e41f868d1d9124958f8c
2023-02-16 | upstream: space between macro and punctuation; | jmc@openbsd.org | 1 | -2/+2
OpenBSD-Commit-ID: abc95e550be9e6d9a7ff64b65c104c7be21ab19e
2023-02-16 | upstream: sort SYNOPSIS; | jmc@openbsd.org | 1 | -2/+2
OpenBSD-Commit-ID: dacd9da33277d5669a51213d880632599c890c1e
2023-02-11 | Improve seccomp compat on older systems. | Darren Tucker | 1 | -2/+16
Check if flags to mmap and madvise are defined before using them. Should fix problems building on older Linux systems that don't have these. bz#3537, with & ok djm@.
2023-02-10 | upstream: test -Ohashalg=... and that the default output contains both | djm@openbsd.org | 1 | -1/+21
specified hash algorithms; prompted by dtucker@ OpenBSD-Regress-ID: 26f309208c8d8b8fa9c5f419767b85f1e9b22f51
2023-02-10 | upstream: let ssh-keygen and ssh-keyscan accept | djm@openbsd.org | 6 | -24/+77
-Ohashalg=sha1|sha256 when outputting SSHFP fingerprints to allow algorithm selection. bz3493 ok dtucker@ OpenBSD-Commit-ID: e6e07fe21318a873bd877f333e189eb963a11b3d
2023-02-10 | upstream: add a `sshd -G` option that parses and prints the | djm@openbsd.org | 2 | -19/+45
effective configuration without attempting to load private keys and perform other checks. This allows usage of the option before keys have been generated. bz3460 feedback/ok dtucker@ OpenBSD-Commit-ID: 774504f629023fc25a559ab1d95401adb3a7fb29
2023-02-10 | upstream: make `ssh -Q CASignatureAlgorithms` work as the manpage says | djm@openbsd.org | 1 | -1/+2
it should bz3532 OpenBSD-Commit-ID: 0ddb17b3fcbd99bfb5baea4ac5e449620cbd3adc
2023-02-10 | Add CentOS 7 test targets. | Darren Tucker | 1 | -0/+2
2023-02-09 | upstream: Test adding terminating newline to known_hosts. | dtucker@openbsd.org | 1 | -1/+19
OpenBSD-Regress-ID: 5fc3010ac450195b3fbdeb68e875564968800365
2023-02-09 | upstream: ssh-agent doesn't actually take -v, | dtucker@openbsd.org | 1 | -1/+2
so the recently-added ones will result in the test not cleaning up after itself. Patch from cjwatson at debian.org via bz#3536. OpenBSD-Regress-ID: 1fc8283568f5bf2f918517c2c1e778072cf61b1a
2023-02-09 | upstream: Ensure that there is a terminating newline when adding a new | dtucker@openbsd.org | 1 | -2/+10
entry to known_hosts. bz#3529, with git+openssh at limpsquid.nl, ok deraadt@ markus@ OpenBSD-Commit-ID: fa8d90698da1886570512b96f051e266eac105e0
2023-02-06 | Replace 9.1 with 9.2 on CI status page. | Darren Tucker | 1 | -3/+3
2023-02-06 | harden Linux seccomp sandbox | Damien Miller | 1 | -5/+74
Linux mmap(2) and madvise(2) syscalls support quite a number of funky flags that we don't expect that sshd/libc will ever need. We can exclude this kernel attack surface by filtering the mmap(2) flags and the madvise(2) advice arguments. Similarly, the sandboxed process in sshd is a single-threaded program that does not use shared memory for synchronisation or communication. Therefore, there should be no reason for the advanced priority inheritance futex(2) operations to be necessary. These can also be excluded. Motivated by Jann Horn pointing out that there have been kernel bugs in nearby Linux kernel code, e.g. CVE-2020-29368, CVE-2020-29374 and CVE-2022-42703. Feedback Jann Horn, ok dtucker@
2023-02-02 | crank versions in RPM specs [V_9_2_P1] | Damien Miller | 2 | -2/+2
2023-02-02 | update version in README | Damien Miller | 1 | -1/+1
2023-02-02 | adapt compat_kex_proposal() test to portable | Damien Miller | 2 | -1/+6
2023-02-02 | upstream: test compat_kex_proposal(); by dtucker@ | djm@openbsd.org | 3 | -3/+84
OpenBSD-Regress-ID: 0e404ee264db546f9fdbf53390689ab5f8d38bf2
2023-02-02 | upstream: Check if we can copy sshd or need to use sudo to do so | dtucker@openbsd.org | 1 | -2/+2
during reexec test. Skip test if neither can work. Patch from anton@, tweaks from me. OpenBSD-Regress-ID: 731b96ae74d02d5744e1f1a8e51d09877ffd9b6d
2023-02-02 | upstream: openssh-9.2 | djm@openbsd.org | 1 | -2/+2
OpenBSD-Commit-ID: f7389f32413c74d6e2055f05cf65e7082de03923
2023-02-02 | upstream: fix double-free caused by compat_kex_proposal(); bz3522 | djm@openbsd.org | 1 | -8/+8
by dtucker@, ok me OpenBSD-Commit-ID: 2bfc37cd2d41f67dad64c17a64cf2cd3806a5c80
2023-02-01 | Skip connection-timeout test on minix3. | Darren Tucker | 1 | -3/+5
Minix 3's Unix domain sockets don't seem to work the way we expect, so skip connection-timeout test on that platform. While there, group together all similarly skipped tests and explicitly comment.
2023-02-01 | fix libfido2 detection without pkg-config | Damien Miller | 1 | -1/+1
Place libfido2 before additional libraries (that it may depend upon) and not after. bz3530 from James Zhang; ok dtucker@
2023-01-31 | upstream: delete useless dependency | deraadt@openbsd.org | 1 | -0/+1
OpenBSD-Commit-ID: e1dc11143f83082e3154d6094f9136d0dc2637ad
2023-01-31 | upstream: Create and install sshd random relink kit. | deraadt@openbsd.org | 1 | -0/+1
../Makefile.inc and Makefile are concatenated for reuse, which hopefully won't be too fragile, we'll see if we need a different approach. The resulting sshd binary is tested with the new sshd -V option before installation. As the binary layout is now semi-unknown (meaning relative, fixed, and gadget offsets are not precisely known), change the filesystem permissions to 511 to prevent what I call "logged in BROP". I have ideas for improving this further but this is a first step ok djm OpenBSD-Commit-ID: 1e0a2692b7e20b126dda60bf04999d1d30d959d8
2023-01-31 | upstream: tweak previous; ok djm | jmc@openbsd.org | 1 | -4/+4
OpenBSD-Commit-ID: df71ce4180c58202dfdc1d92626cfe900b91b7c3
2023-01-31 | Skip connection-timeout test under Valgrind. | Darren Tucker | 1 | -2/+4
Valgrind slows things down so much that the timeout test fails. Skip this test until we figure out if we can make it work.
2023-01-25 | Skip connection-timeout when missing FD passing. | Darren Tucker | 1 | -0/+3
This test uses multiplexing which uses file descriptor passing, so skip it if we don't have that. Fixes test failures on Cygwin.
2023-01-18 | upstream: when restoring non-blocking mode to stdio fds, restore | djm@openbsd.org | 2 | -6/+16
exactly the flags that ssh started with and don't just clobber them with zero, as this could also remove the append flag from the set; bz3523; ok dtucker@ OpenBSD-Commit-ID: 1336b03e881db7564a4b66014eb24c5230e9a0c0
2023-01-18 | upstream: Add a -V (version) option to sshd like the ssh client | millert@openbsd.org | 2 | -6/+12
has. OK markus@ deraadt@ OpenBSD-Commit-ID: abe990ec3e636fb040132aab8cbbede98f0c413e
2023-01-18 | upstream: For "ssh -V" always exit 0, there is no need to check opt | millert@openbsd.org | 1 | -3/+2
again. This was missed when the fallthrough in the switch case above it was removed. OK deraadt@ OpenBSD-Commit-ID: 5583e5d8f6d62a8a4215cfa95a69932f344c8120
2023-01-17 | upstream: also check that an active session inhibits | djm@openbsd.org | 1 | -4/+11
UnusedConnectionTimeout idea markus@ OpenBSD-Regress-ID: 55c0fb61f3bf9e092b0a53f9041d3d2012f14003
2023-01-17 | upstream: regression test for UnusedConnectionTimeout | djm@openbsd.org | 2 | -1/+79
OpenBSD-Regress-ID: 7f29001374a68e71e5e078f69e4520cf4bcca084
2023-01-17 | upstream: unbreak test: cannot access shell positional parameters | djm@openbsd.org | 1 | -3/+3
past $9 without wrapping the position in braces (i.e. need ${10}, etc.) OpenBSD-Regress-ID: 3750ec98d5d409ce6a93406fedde6f220d2ea2ac
2023-01-17 | upstream: Add a sshd_config UnusedConnectionTimeout option to terminate | djm@openbsd.org | 4 | -10/+88
client connections that have no open channels for some length of time. This complements the recently-added ChannelTimeout option that terminates inactive channels after a timeout. ok markus@ OpenBSD-Commit-ID: ca983be74c0350364c11f8ba3bd692f6f24f5da9
2023-01-16 | upstream: adapt to ed25519 changes in src/usr.bin/ssh | djm@openbsd.org | 6 | -12/+12
OpenBSD-Regress-ID: 4b3e7ba7ee486ae8a0b4790f8112eded2bb7dcd5
2023-01-16 | upstream: update OpenSSH's Ed25519 code to the last version of SUPERCOP | djm@openbsd.org | 13 | -2158/+2091
(20221122) and change the import approach to the same one we use for Streamlined NTRUPrime: use a shell script to extract the bits we need from SUPERCOP, make some minor adjustments and squish them all into a single file. ok tb@ tobhe@ OpenBSD-Commit-ID: 1bc0fd624cb6af440905b8ba74ac7c03311b8e3b
2023-01-14 | Allow writev in seccomp sandbox. | Darren Tucker | 1 | -0/+3
This seems to be used by recent glibcs at least in some configurations. From bz#3512, ok djm@
2023-01-14 | upstream: Shell syntax fix. From ren mingshuai via github PR#369. | dtucker@openbsd.org | 1 | -2/+2
OpenBSD-Regress-ID: 6696b2eeefe128099fc3d7ea9f23252cc35156f9
2023-01-14 | upstream: Instead of skipping the all-tokens test if we don't have | dtucker@openbsd.org | 1 | -3/+7
OpenSSL (since we use it to compute the hash), put the hash at the end and just omit it if we don't have it. Prompted by bz#3521. OpenBSD-Regress-ID: c79ecba64250ed3b6417294b6c965e6b12ca5eea
2023-01-14 | upstream: fix double phrase in previous; | jmc@openbsd.org | 1 | -3/+2
OpenBSD-Commit-ID: 671e6c8dc5e9230518b2bbfa143daaa88adc66c2
2023-01-14 | upstream: Document "UserKnownHostsFile none". ok djm@ | dtucker@openbsd.org | 1 | -2/+8
OpenBSD-Commit-ID: f695742d39e34ecdcc3c861c3739a84648a4bce5
2023-01-13 | Retry package installation 3 times. | Darren Tucker | 1 | -3/+16
When setting up the CI environment, retry package installation 3 times before going up. Should help prevent spurious failures during infrastructure issues.
2023-01-13 | upstream: Move scp path setting to a helper function. The previous | dtucker@openbsd.org | 5 | -13/+25
commit to add scp to the test sshd's path causes the t-envpass test to fail when the test scp is given using a fully qualified path. Put this in a helper function and only call it from the scp tests. OpenBSD-Regress-ID: 7533dc1c4265c1de716abb062957994195b36df4
2023-01-13 | upstream: Add scp's path to test sshd's PATH. | dtucker@openbsd.org | 1 | -1/+8
If the scp we're testing is fully qualified (eg it's not in the system PATH) then add its path to the under-test sshd's PATH so we can find it. Prompted by bz#3518. OpenBSD-Regress-ID: 7df4f5a0be3aa135495b7e5a6719d3cbc26cc4c0