path: root/auth-passwd.c
Date | Commit message | Author | Files | Lines
2023-08-28 | upstream: Log errors in kex_exchange_identification() with level | tobhe@openbsd.org | 1 | -5/+5
verbose instead of error to reduce preauth log spam. All of those get logged with a more generic error message by sshpkt_fatal(). feedback from sthen@ ok djm@ OpenBSD-Commit-ID: bd47dab4695b134a44c379f0e9a39eed33047809
2023-08-28 | upstream: correct math for ClientAliveInterval that caused the | djm@openbsd.org | 1 | -2/+2
probes to be sent less frequently than configured; from Dawid Majchrzak OpenBSD-Commit-ID: 641153e7c05117436ddfc58267aa267ca8b80038
2023-08-25 | Include Portable version in sshd version string. | Darren Tucker | 1 | -1/+1
bz#3608, ok djm@
2023-08-21 | obsd-arm64 host is real hardware... | Darren Tucker | 1 | -1/+1
so put in the correct config location.
2023-08-21 | Add OpenBSD ARM64 test host. | Darren Tucker | 1 | -0/+1
2023-08-21 | Add test for zlib development branch. | Darren Tucker | 3 | -0/+13
2023-08-21 | upstream: want stdlib.h for free(3) | djm@openbsd.org | 1 | -1/+2
OpenBSD-Commit-ID: 743af3c6e3ce5e6cecd051668f0327a01f44af29
2023-08-18 | Fix zlib version check for 1.3 and future version. | Darren Tucker | 1 | -1/+1
bz#3604.
2023-08-18 | Add 9.4 branch to CI status page. | Darren Tucker | 1 | -0/+4
2023-08-18 | upstream: fix regression in OpenSSH 9.4 (mux.c r1.99) that caused | djm@openbsd.org | 4 | -18/+39
multiplexed sessions to ignore SIGINT under some circumstances. Reported by / feedback naddy@, ok dtucker@ OpenBSD-Commit-ID: 4d5c6c894664f50149153fd4764f21f43e7d7e5a
2023-08-18 | upstream: defence-in-depth MaxAuthTries check in monitor; ok markus | djm@openbsd.org | 1 | -1/+6
OpenBSD-Commit-ID: 65a4225dc708e2dae71315adf93677edace46c21
2023-08-15 | upstream: add message number of SSH2_MSG_NEWCOMPRESS defined in RFC8308 | djm@openbsd.org | 1 | -1/+2
OpenBSD-Commit-ID: 6c984171c96ed67effd7b5092f3d3975d55d6028
2023-08-13 | Add obsd72 and obsd73 test targets. | Darren Tucker | 1 | -0/+2
2023-08-11 | upstream: better debug logging of sessions' exit status | djm@openbsd.org | 1 | -4/+11
OpenBSD-Commit-ID: 82237567fcd4098797cbdd17efa6ade08e1a36b0
2023-08-11 | upstream: drop a wayward comma, ok jmc@ | naddy@openbsd.org | 1 | -3/+3
OpenBSD-Commit-ID: 5c11fbb9592a29b37bbf36f66df50db9d38182c6
2023-08-10 | depend | Damien Miller | 1 | -19/+0
2023-08-10 | update versions in RPM specs | Damien Miller | 2 | -2/+2
2023-08-10 | update version in README | Damien Miller | 1 | -1/+1
2023-08-10 | upstream: openssh-9.4 | djm@openbsd.org | 1 | -2/+2
OpenBSD-Commit-ID: 71fc1e01a4c4ea061b252bd399cda7be757e6e35
2023-08-10 | Only include unistd.h once. | Darren Tucker | 1 | -1/+0
2023-08-10 | wrap poll.h include in HAVE_POLL_H | Damien Miller | 1 | -1/+3
2023-08-04 | upstream: Apply ConnectTimeout to multiplexing local socket | dtucker@openbsd.org | 2 | -17/+27
connections. If the multiplex socket exists but the connection times out, ssh will fall back to a direct connection the same way it would if the socket did not exist at all. ok djm@ OpenBSD-Commit-ID: 2fbe1a36d4a24b98531b2d298a6557c8285dc1b4
2023-08-03 | Fix RNG seeding for OpenSSL w/out self seeding. | Darren Tucker | 1 | -1/+5
When sshd is built with an OpenSSL that does not self-seed, it would fail in the preauth privsep process while handling a new connection. Sanity checked by djm@
2023-08-03 | upstream: CheckHostIP has defaulted to 'no' for a while; make the | djm@openbsd.org | 1 | -2/+2
commented-out config option match. From Ed Maste OpenBSD-Commit-ID: e66e934c45a9077cb1d51fc4f8d3df4505db58d9
2023-08-01 | upstream: remove unnecessary if statement. | dtucker@openbsd.org | 1 | -7/+5
github PR#422 from eyalasulin999, ok djm@ OpenBSD-Commit-ID: 2b6b0dde4407e039f58f86c8d2ff584a8205ea55
2023-08-01 | upstream: %C is a callable macro in mdoc(7) | jmc@openbsd.org | 1 | -3/+3
so, as we do for %D, escape it; OpenBSD-Commit-ID: 538cfcddbbb59dc3a8739604319491dcb8e0c0c9
2023-07-30 | upstream: don't need to start a command here; use ssh -N instead. | djm@openbsd.org | 1 | -3/+3
Fixes failure on cygwin spotted by Darren OpenBSD-Regress-ID: ff678a8cc69160a3b862733d935ec4a383f93cfb
2023-07-30 | upstream: add LTESTS_FROM variable to allow skipping of tests up to | djm@openbsd.org | 1 | -1/+9
a specific point. e.g. "make LTESTS_FROM=t-sftp" will only run the sftp.sh test and subsequent ones. ok dtucker@ OpenBSD-Regress-ID: 07f653de731def074b29293db946042706fcead3
2023-07-30 | upstream: test ChrootDirectory in Match block | djm@openbsd.org | 1 | -2/+21
OpenBSD-Regress-ID: a6150262f39065939f025e546af2a346ffe674c1
2023-07-30 | upstream: better error messages | djm@openbsd.org | 1 | -4/+4
OpenBSD-Regress-ID: 55e4186604e80259496d841e690ea2090981bc7a
2023-07-28 | upstream: don't incorrectly truncate logged strings retrieved from | djm@openbsd.org | 1 | -20/+19
PKCS#11 modules; based on GHPR406 by Jakub Jelen; ok markus OpenBSD-Commit-ID: 7ed1082f23a13b38c373008f856fd301d50012f9
2023-07-28 | upstream: make sshd_config AuthorizedPrincipalsCommand and | djm@openbsd.org | 2 | -16/+31
AuthorizedKeysCommand accept the %D (routing domain) and a new %C (connection address/port 4-tuple) as expansion sequences; ok markus OpenBSD-Commit-ID: ee9a48bf1a74c4ace71b69de69cfdaa2a7388565
2023-07-28 | upstream: increase default KDF work-factor for OpenSSH format | djm@openbsd.org | 1 | -2/+2
private keys from 16 to 24; { feedback ok } x { deraadt markus } OpenBSD-Commit-ID: a3afb1383f8ff0a49613d449f02395d9e8d4a9ec
2023-07-27 | Prefer OpenSSL's SHA256 in sk-dummy.so | Darren Tucker | 1 | -30/+9
Previously sk-dummy.so used libc's (or compat's) SHA256 since it may be built without OpenSSL. In many cases, however, including both libc's and OpenSSL's headers together caused conflicting definitions. We tried working around this (on OpenSSL <1.1 you could define OPENSSL_NO_SHA, NetBSD had USE_LIBC_SHA2, various #define hacks) with varying levels of success. Since OpenSSL >=1.1 removed OPENSSL_NO_SHA and including most OpenSSL headers would bring sha.h in, even if it wasn't used directly this was a constant hassle. Admit defeat and use OpenSSL's SHA256 unless we aren't using OpenSSL at all. ok djm@
2023-07-27 | Retire dfly58 test VM. Add dfly64. | Darren Tucker | 1 | -1/+1
2023-07-27 | upstream: make ssh -f (fork after authentication) work properly in | djm@openbsd.org | 2 | -11/+22
multiplexed cases (inc. ControlPersist). bz3589 bz3589 Based on patches by Peter Chubb; ok dtucker@ OpenBSD-Commit-ID: a7a2976a54b93e6767dc846b85647e6ec26969ac
2023-07-27 | upstream: man page typos; ok jmc@ | naddy@openbsd.org | 3 | -10/+10
OpenBSD-Commit-ID: e6ddfef94b0eb867ad88abe07cedc8ed581c07f0
2023-07-27 | upstream: tweak the allow-remote-pkcs11 text; | jmc@openbsd.org | 1 | -5/+5
OpenBSD-Commit-ID: bc965460a89edf76865b7279b45cf9cbdebd558a
2023-07-25 | Handle a couple more OpenSSL no-ecc cases. | Darren Tucker | 1 | -2/+4
ok djm@
2023-07-20 | depend | Damien Miller | 1 | -0/+19
2023-07-20 | Bring back OPENSSL_HAS_ECC to ssh-pkcs11-client | Damien Miller | 1 | -2/+17
2023-07-19 | upstream: Separate ssh-pkcs11-helpers for each p11 module | djm@openbsd.org | 1 | -93/+285
Make ssh-pkcs11-client start an independent helper for each provider, providing better isolation between modules and reliability if a single module misbehaves. This also implements reference counting of PKCS#11-hosted keys, allowing ssh-pkcs11-helper subprocesses to be automatically reaped when no remaining keys reference them. This fixes some bugs we have that make PKCS11 keys unusable after they have been deleted, e.g. https://bugzilla.mindrot.org/show_bug.cgi?id=3125 ok markus@ OpenBSD-Commit-ID: 0ce188b14fe271ab0568f4500070d96c5657244e
2023-07-19 | upstream: Ensure FIDO/PKCS11 libraries contain expected symbols | djm@openbsd.org | 4 | -6/+89
This checks via nlist(3) that candidate provider libraries contain one of the symbols that we will require prior to dlopen(), which can cause a number of side effects, including execution of constructors. Feedback deraadt; ok markus OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe
2023-07-19 | upstream: Disallow remote addition of FIDO/PKCS11 provider | djm@openbsd.org | 2 | -6/+43
libraries to ssh-agent by default. The old behaviour of allowing remote clients from loading providers can be restored using `ssh-agent -O allow-remote-pkcs11`. Detection of local/remote clients requires a ssh(1) that supports the `session-bind@openssh.com` extension. Forwarding access to a ssh-agent socket using non-OpenSSH tools may circumvent this control. ok markus@ OpenBSD-Commit-ID: 4c2bdf79b214ae7e60cc8c39a45501344fa7bd7c
2023-07-19 | upstream: terminate process if requested to load a PKCS#11 provider | djm@openbsd.org | 1 | -5/+3
that isn't a PKCS#11 provider; from / ok markus@ OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c
2023-07-19 | agent_fuzz doesn't want stdint.h conditionalised | Damien Miller | 1 | -3/+1
2023-07-18 | conditionalise stdint.h inclusion on HAVE_STDINT_H | Damien Miller | 5 | -5/+15
fixes build on AIX5 at least
2023-07-18 | conditionalise match localnetwork on ifaddrs.h | Damien Miller | 1 | -0/+5
Fixes build breakage on platforms that lack getifaddrs()
2023-07-17 | upstream: missing match localnetwork negation check | djm@openbsd.org | 1 | -1/+3
OpenBSD-Commit-ID: 9a08ed8dae27d3f38cf280f1b28d4e0ff41a737a
2023-07-17 | upstream: - add -P to usage() - sync the arg name to -J in usage() | jmc@openbsd.org | 1 | -8/+8
with that in ssh.1 - reformat usage() to match what "man ssh" does on 80width OpenBSD-Commit-ID: 5235dd7aa42e5bf90ae54579d519f92fc107036e