| Commit message | Author | Files | Lines |
|
by ssh-agent. Patch from Maxime Rey.
OpenBSD-Regress-ID: 1777ab6e639e57c0e20cbcb6df60455b49fd8bb3
|
|
hostkeys-prove requests.
Fixes a corner-case triggered by UpdateHostKeys with one or more unknown
host keys stored in ssh-agent where sshd refuses to accept the signature
coming back from the agent.
Report/fix from Maxime Rey
OpenBSD-Commit-ID: 460c7d527a24f92b7e5f68ca1a2fa242ebf0d086
|
|
signature algorithm based on the requested hash algorithm ("-Ohashalg=xxx").
This allows using something other than rsa-sha2-512, which may not
be supported on all signing backends, e.g. some smartcards only
support SHA256.
Patch from Morten Linderud; ok markus@
OpenBSD-Commit-ID: 246353fac24e92629263996558c6788348363ad7
|
|
accidentally changed in last commit
OpenBSD-Commit-ID: 6d07e4606997e36b860621a14dd41975f2902f8f
|
|
It doesn't currently work. It's not clear why, but I suspect
sk-dummy.so ends up being built for the wrong architecture.
|
|
Move the flags used by the OpenWRT distro to mipsel target and
enable OpenSSL on all targets to improve coverage.
Explicitly disable security key and openssl on mips target so that host
end of the bigendian interop tests don't attempt them and fail (since
they're not enabled on the target side).
|
|
Where our test target is a bigendian system, do an additional build on
the runner host (which is little endian) and test interop between the two.
Should hopefully catch obvious endianness bugs.
|
|
This will allow tests to specify an alternative sshd, eg on a remote
machine with different endianness.
|
|
FIDO application IDs for security key-backed keys, to prevent web key handles
from being used remotely as this would likely lead to unpleasant surprises.
By default, only application IDs that start with "ssh:*" are allowed.
This adds a -Owebsafe-allow=... argument that can override the default
list with a more or less restrictive one. The default remains unchanged.
ok markus@
OpenBSD-Commit-ID: 957c1ed92a8d7c87453b9341f70cb3f4e6b23e8d
|
|
to getgrouplist(3)
Our kernel supports 16 groups (NGROUPS_MAX), but nothing prevents
an admin from adding a user to more groups. With that tweak we'll keep
on ignoring them instead of potentially reading past the buffer passed to
getgrouplist(3). That behavior is explicitly described in initgroups(3).
ok millert@ gilles@
OpenBSD-Commit-ID: a959fc45ea3431b36f52eda04faefc58bcde00db
|
|
OpenBSD-Commit-ID: 13511fdef7535bdbc35b644c90090013da43a318
|
|
jsg@ feedback/ok deraadt@
OpenBSD-Commit-ID: 26d81a430811672bc762687166986cad40d28cc0
|
|
exchange
OpenBSD-Commit-ID: 5a3259a193fd42108a869ebf650b95b5f2d08dcf
|
|
It got broken by the sshd-auth change, it's not obvious why, and the
platform lacks the debugging tools (eg gdb, strace) to figure it out.
The upstream project seems effectively dead (6 years since the last
commit, 10 since the last release). It was useful while it lasted
(we found a real bug because of it) but its time seems to have passed.
|
|
Instead of maintaining state (pipe descriptors, signal handlers) across
pselect-on-select invocations, set up and restore them each call.
This prevents outside factors (eg a closefrom or signal handler
installation) from potentially causing problems. This does result in a
drop in throughput of a couple of percent on geriatric platforms without
a native pselect due to the extra overhead. Tweaks & ok djm@
|
|
ok markus@
OpenBSD-Commit-ID: fc673065e6505bb06b2e2b9362f78ccb4200a828
|
|
OpenBSD-Regress-ID: 8654b9aa8eb695b1499fffc408c25319592bf0e0
|
|
lets users zap keys without access to $SSH_AUTH_SOCK
ok deraadt@
OpenBSD-Commit-ID: dae9db0516b1011e5ba8c655ac702fce42e6c023
|
|
first character. ok deraadt@
OpenBSD-Commit-ID: 3f8be6d32496e5596dd8b14e19cb067ddd7969ef
|
|
... and ssh and sshd log wrappers before recreating them. Prevents "can't
create" errors during tests when running tests without SUDO after having
run them with SUDO.
OpenBSD-Regress-ID: 2f0a83532e3dccd673a9bf0291090277268c69a6
|