| Commit message (Collapse) | Author | Files | Lines |
|
was previously set for OpenSSH 2.3 (released in 2000) but this check was
removed in OpenSSH 7.7 (2018). ok djm@ deraadt@
OpenBSD-Commit-ID: 326426ea328707fc9e83305291ab135c87f678af
|
|
|
|
|
|
since it's no longer used. ok markus@
OpenBSD-Commit-ID: b92c21f56fe4b7f9a54790d6a9650725c226820b
|
|
since it's only applicable to SSH1 and thus no longer used. ok markus@
"kill it with fire" djm@
OpenBSD-Commit-ID: ea13318b1937795d9db4790d3ce0a6ed01584dab
|
|
OpenBSD-Commit-ID: 6141610cfca037700730e41f868d1d9124958f8c
|
|
OpenBSD-Commit-ID: abc95e550be9e6d9a7ff64b65c104c7be21ab19e
|
|
OpenBSD-Commit-ID: dacd9da33277d5669a51213d880632599c890c1e
|
|
Check if flags to mmap and madvise are defined before using them.
Should fix problems building on older Linux systems that don't have
these. bz#3537, with & ok djm@.
|
|
specified hash algorithms; prompted by dtucker@
OpenBSD-Regress-ID: 26f309208c8d8b8fa9c5f419767b85f1e9b22f51
|
|
-Ohashalg=sha1|sha256 when outputting SSHFP fingerprints to allow algorithm
selection. bz3493 ok dtucker@
OpenBSD-Commit-ID: e6e07fe21318a873bd877f333e189eb963a11b3d
|
|
effective configuration without attempting to load private keys and perform
other checks. This allows usage of the option before keys have been
generated.
bz3460 feedback/ok dtucker@
OpenBSD-Commit-ID: 774504f629023fc25a559ab1d95401adb3a7fb29
|
|
it should bz3532
OpenBSD-Commit-ID: 0ddb17b3fcbd99bfb5baea4ac5e449620cbd3adc
|
|
|
|
OpenBSD-Regress-ID: 5fc3010ac450195b3fbdeb68e875564968800365
|
|
so the recently-added ones will result in the test not cleaning up
after itself. Patch from cjwatson at debian.org vi bz#3536.
OpenBSD-Regress-ID: 1fc8283568f5bf2f918517c2c1e778072cf61b1a
|
|
entry to known_hosts. bz#3529, with git+openssh at limpsquid.nl, ok deraadt@
markus@
OpenBSD-Commit-ID: fa8d90698da1886570512b96f051e266eac105e0
|
|
|
|
Linux mmap(2) and madvise(2) syscalls support quite a number of funky
flags that we don't expect that sshd/libc will ever need. We can
exclude this kernel attack surface by filtering the mmap(2) flags
and the madvise(2) advice arguments.
Similarly, the sandboxed process in sshd is a single-threaded program
that does not use shared memory for synchronisation or communication.
Therefore, there should be no reason for the advanced priority
inheritance futex(2) operations to be necessary. These can also be
excluded.
Motivated by Jann Horn pointing out that there have been kernel bugs
in nearby Linux kernel code, e.g. CVE-2020-29368, CVE-2020-29374 and
CVE-2022-42703.
Feedback Jann Horn, ok dtucker@
|
|
|
|
|
|
|
|
OpenBSD-Regress-ID: 0e404ee264db546f9fdbf53390689ab5f8d38bf2
|
|
during reexec test. Skip test if neither can work. Patch from anton@, tweaks
from me.
OpenBSD-Regress-ID: 731b96ae74d02d5744e1f1a8e51d09877ffd9b6d
|
|
OpenBSD-Commit-ID: f7389f32413c74d6e2055f05cf65e7082de03923
|
|
by dtucker@, ok me
OpenBSD-Commit-ID: 2bfc37cd2d41f67dad64c17a64cf2cd3806a5c80
|
|
Minix 3's Unix domain sockets don't seem to work the way we expect, so
skip connection-timeout test on that platform. While there, group
together all similarly skipped tests and explicitly comment.
|
|
Place libfido2 before additional libraries (that it may depend upon)
and not after. bz3530 from James Zhang; ok dtucker@
|
|
OpenBSD-Commit-ID: e1dc11143f83082e3154d6094f9136d0dc2637ad
|
|
../Makefile.inc and Makfile are concatenated for reuse, which hopefully won't
be too fragile, we'll see if we need a different approach. The resulting sshd
binary is tested with the new sshd -V option before installation. As the
binary layout is now semi-unknown (meaning relative, fixed, and gadget
offsets are not precisely known), change the filesystem permissions to 511 to
prevent what I call "logged in BROP". I have ideas for improving this further
but this is a first step ok djm
OpenBSD-Commit-ID: 1e0a2692b7e20b126dda60bf04999d1d30d959d8
|
|
OpenBSD-Commit-ID: df71ce4180c58202dfdc1d92626cfe900b91b7c3
|
|
Valgrind slows things down so much that the timeout test fails. Skip
this test until we figure out if we can make it work.
|
|
This tests uses multiplexing which uses file descriptor passing, so
skip it if we don't have that. Fixes test failures on Cygwin.
|
|
exactly the flags that ssh started with and don't just clobber them with
zero, as this could also remove the append flag from the set;
bz3523; ok dtucker@
OpenBSD-Commit-ID: 1336b03e881db7564a4b66014eb24c5230e9a0c0
|
|
has. OK markus@ deraadt@
OpenBSD-Commit-ID: abe990ec3e636fb040132aab8cbbede98f0c413e
|
|
again. This was missed when the fallthrough in the switch case above it was
removed. OK deraadt@
OpenBSD-Commit-ID: 5583e5d8f6d62a8a4215cfa95a69932f344c8120
|
|
UnusedConnectionTimeout idea markus@
OpenBSD-Regress-ID: 55c0fb61f3bf9e092b0a53f9041d3d2012f14003
|
|
OpenBSD-Regress-ID: 7f29001374a68e71e5e078f69e4520cf4bcca084
|
|
past $9 without wrapping the position in braces (i.e. need ${10}, etc.)
OpenBSD-Regress-ID: 3750ec98d5d409ce6a93406fedde6f220d2ea2ac
|
|
client connections that have no open channels for some length of time. This
complements the recently-added ChannelTimeout option that terminates inactive
channels after a timeout.
ok markus@
OpenBSD-Commit-ID: ca983be74c0350364c11f8ba3bd692f6f24f5da9
|
|
OpenBSD-Regress-ID: 4b3e7ba7ee486ae8a0b4790f8112eded2bb7dcd5
|
|
(20221122) and change the import approach to the same one we use for
Streamlined NTRUPrime: use a shell script to extract the bits we need from
SUPERCOP, make some minor adjustments and squish them all into a single file.
ok tb@ tobhe@
OpenBSD-Commit-ID: 1bc0fd624cb6af440905b8ba74ac7c03311b8e3b
|
|
This seems to be used by recent glibcs at least in some configurations.
From bz#3512, ok djm@
|
|
OpenBSD-Regress-ID: 6696b2eeefe128099fc3d7ea9f23252cc35156f9
|
|
OpenSSL (since we use it to compute the hash), put the hash at the end and
just omit it if we don't have it. Prompted by bz#3521.
OpenBSD-Regress-ID: c79ecba64250ed3b6417294b6c965e6b12ca5eea
|
|
OpenBSD-Commit-ID: 671e6c8dc5e9230518b2bbfa143daaa88adc66c2
|
|
OpenBSD-Commit-ID: f695742d39e34ecdcc3c861c3739a84648a4bce5
|
|
When setting up the CI environment, retry package installation 3 times
before going up. Should help prevent spurious failures during
infrastructure issues.
|
|
commit to add scp to the test sshd's path causes the t-envpass test to fail
when the test scp is given using a fully qualified path. Put this in a
helper function and only call it from the scp tests.
OpenBSD-Regress-ID: 7533dc1c4265c1de716abb062957994195b36df4
|
|
If the scp we're testing is fully qualified (eg it's not in the system
PATH) then add its path to the under-test sshd's PATH so we can find
it. Prompted by bz#3518.
OpenBSD-Regress-ID: 7df4f5a0be3aa135495b7e5a6719d3cbc26cc4c0
|