Commit message | Author | Age | Files | Lines

* upstream: extend sftp-common.c:extend ls_file() to support supplied user/group names; ok markus@
  OpenBSD-Commit-ID: c70c70498b1fdcf158531117e405b6245863bfb0
  -- djm@openbsd.org | 2022-09-19 | 4 files | -14/+20

* upstream: sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. Will be used to make directory listings more useful and consistent in sftp(1). ok markus@
  OpenBSD-Commit-ID: 7ebabde0bcb95ef949c4840fe89e697e30df47d3
  -- djm@openbsd.org | 2022-09-19 | 2 files | -2/+103

* upstream: better debugging for connect_next()
  OpenBSD-Commit-ID: d16a307a0711499c971807f324484ed3a6036640
  -- djm@openbsd.org | 2022-09-19 | 1 file | -7/+8

* upstream: Add RequiredRSASize for sshd(8); RSA keys that fall beneath this limit will be ignored for user and host-based authentication. Feedback deraadt@ ok markus@
  OpenBSD-Commit-ID: 187931dfc19d51873df5930a04f2d972adf1f7f1
  -- djm@openbsd.org | 2022-09-17 | 6 files | -7/+46

* upstream: add a RequiredRSASize for checking RSA key length in ssh(1). User authentication keys that fall beneath this limit will be ignored. If a host presents a host key beneath this limit then the connection will be terminated (unfortunately there are no fallbacks in the protocol for host authentication). feedback deraadt, Dmitry Belyavskiy; ok markus@
  OpenBSD-Commit-ID: 430e339b2a79fa9ecc63f2837b06fdd88a7da13a
  -- djm@openbsd.org | 2022-09-17 | 6 files | -17/+67

* upstream: Add a sshkey_check_rsa_length() call for checking the length of an RSA key; ok markus@
  OpenBSD-Commit-ID: de77cd5b11594297eda82edc594b0d32b8535134
  -- djm@openbsd.org | 2022-09-17 | 2 files | -11/+18

* upstream: actually hook up restrict_websafe; the command-line flag was never actually used. Spotted by Matthew Garrett
  OpenBSD-Commit-ID: 0b363518ac4c2819dbaa3dfad4028633ab9cdff1
  -- djm@openbsd.org | 2022-09-17 | 1 file | -2/+3

* upstream: correct error value
  OpenBSD-Commit-ID: 780efcbad76281f11f14b2a5ff04eb6db3dfdad4
  -- djm@openbsd.org | 2022-09-17 | 1 file | -2/+2

* upstream: sftp: Be a bit more clever about completions
  There are commands (e.g. "get" or "put") that accept two arguments, a local path and a remote path. However, the way current completion is written doesn't take this distinction into account and always completes remote or local paths. By expanding CMD struct and "cmds" array this distinction can be reflected and with small adjustment to completer code the correct path can be completed. By Michal Privoznik, ok dtucker@
  OpenBSD-Commit-ID: 1396d921c4eb1befd531f5c4a8ab47e7a74b610b
  -- djm@openbsd.org | 2022-09-16 | 1 file | -46/+69

* upstream: sftp: Don't attempt to complete arguments for non-existent commands
  If user entered a non-existent command (e.g. because they made a typo) there is no point in trying to complete its arguments. Skip calling complete_match() if that's the case. From Michal Privoznik
  OpenBSD-Commit-ID: cf39c811a68cde2aeb98fc85addea4000ef6b07a
  -- djm@openbsd.org | 2022-09-16 | 1 file | -2/+2

* upstream: sk_enroll: never drop SSH_SK_USER_VERIFICATION_REQD flag from response
  Now that all FIDO signing calls attempt first without PIN and then fall back to trying PIN only if that attempt fails, we can remove the hack^wtrick that removed the UV flag from the keys returned during enroll. By Corinna Vinschen
  OpenBSD-Commit-ID: 684517608c8491503bf80cd175425f0178d91d7f
  -- djm@openbsd.org | 2022-09-14 | 1 file | -9/+1

* upstream: a little extra debugging
  OpenBSD-Commit-ID: edf1601c1d0905f6da4c713f4d9cecc7d1c0295a
  -- djm@openbsd.org | 2022-09-14 | 1 file | -1/+2

* upstream: ssh-agent: attempt FIDO key signing without PIN and use the error to determine whether a PIN is required and prompt only if necessary. from Corinna Vinschen
  OpenBSD-Commit-ID: dd6be6a0b7148608e834ee737c3479b3270b00dd
  -- djm@openbsd.org | 2022-09-14 | 1 file | -11/+2

* upstream: .Li -> .Vt where appropriate; from josiah frentsos, tweaked by schwarze ok schwarze
  OpenBSD-Commit-ID: 565046e3ce68b46c2f440a93d67c2a92726de8ed
  -- jmc@openbsd.org | 2022-09-14 | 1 file | -3/+3

* upstream: fix repeated words ok miod@ jmc@
  OpenBSD-Commit-ID: 6765daefe26a6b648cc15cadbbe337596af709b7
  -- jsg@openbsd.org | 2022-09-14 | 1 file | -3/+3

* upstream: notifier_complete(NULL, ...) is a noop, so no need to test that ctx!=NULL; from Corinna Vinschen
  OpenBSD-Commit-ID: ade2f2e9cc519d01a586800c25621d910bce384a
  -- djm@openbsd.org | 2022-09-09 | 1 file | -5/+3

* openbsd-compat/bsd-asprintf: add <stdio.h> include for vsnprintf
  Fixes the following build failure with Clang 15 on musl:
  ```
  clang -O2 -pipe -fdiagnostics-color=always -frecord-gcc-switches -pipe -Wunknown-warning-option -Qunused-arguments -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -Wmisleading-indentation -Wbitwise-instead-of-logical -fno-strict-aliasing -mretpoline -ftrapv -fzero-call-used-regs=all -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/misc/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/misc/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/misc/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/misc/ssh-pkcs11-helper\" -D_PATH_SSH_SK_HELPER=\"/usr/lib/misc/ssh-sk-helper\" -D_PATH_SSH_PIDDIR=\"/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c cipher-aes.c -o cipher-aes.o
  bsd-asprintf.c:51:8: error: call to undeclared library function 'vsnprintf' with type 'int (char *, unsigned long, const char *, struct __va_list_tag *)'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
          ret = vsnprintf(string, INIT_SZ, fmt, ap2);
                ^
  bsd-asprintf.c:51:8: note: include the header <stdio.h> or explicitly provide a declaration for 'vsnprintf'
  1 error generated.
  ```
  -- Sam James | 2022-09-08 | 1 file | -0/+1

* Remove DEF_WEAK, it's already in defines.h.
  -- Darren Tucker | 2022-09-02 | 1 file | -2/+0

* Resync arc4random with OpenBSD.
  This brings us up to current, including djm's random-reseeding change, as prompted by logan at cyberstorm.mu in bz#3467. It brings the platform-specific hooks from LibreSSL Portable, simplified to match our use case. ok djm@.
  -- Darren Tucker | 2022-09-02 | 3 files | -108/+175

* Move OPENBSD ORIGINAL marker.
  Putting this after the copyright statement (which doesn't change) instead of before the version identifier (which does) prevents merge conflicts when resyncing changes.
  -- Darren Tucker | 2022-09-02 | 1 file | -2/+2

* Remove arc4random_uniform from arc4random.c
  This was previously moved into its own file (matching OpenBSD) which was prematurely committed in commit 73541f2.
  -- Darren Tucker | 2022-09-02 | 1 file | -38/+0

* upstream: sk-usbhid: fix key_lookup() on tokens with built-in UV
  explicitly test whether the token performs built-in UV (e.g. biometric tokens) and enable UV in that case. From Pedro Martelletto via GHPR#388
  OpenBSD-Commit-ID: 007eb7e387d27cf3029ab06b88224e03eca62ccd
  -- djm@openbsd.org | 2022-09-02 | 1 file | -2/+11

* Move sftp from valgrind-2 to 3 to rebalance.
  -- Darren Tucker | 2022-08-31 | 1 file | -2/+2

* upstream: whitespace
  OpenBSD-Commit-ID: c2bcbf93610d3d62ed206cdf9bf9ff98c6aaf232
  -- djm@openbsd.org | 2022-08-31 | 1 file | -2/+2

* additional keys
  -- Damien Miller | 2022-08-29 | 2 files | -13/+16

* cross-sign allowed_signers with PGP key
  Provides continuity of trust from legacy PGP release key to the SSHSIG signing keys that we will use henceforth for git signing.
  -- Damien Miller | 2022-08-29 | 1 file | -0/+16

* Add libcrypt-devel to cygwin-release deps.
  Based on feedback from vinschen at redhat.com.
  -- Darren Tucker | 2022-08-27 | 1 file | -1/+1

* Add Windows 2022 test targets.
  -- Darren Tucker | 2022-08-27 | 1 file | -3/+4

* Add cygwin-release test target.
  This also moves the cygwin package install from the workflow file to setup_ci.sh so that we can install different sets of Cygwin packages for different test configs.
  -- Darren Tucker | 2022-08-26 | 3 files | -13/+37

* upstream: whitespace
  OpenBSD-Commit-ID: a5d015efbfd228dc598ffdef612d2da3a579e5d8
  -- djm@openbsd.org | 2022-08-26 | 1 file | -2/+2

* upstream: whitespace
  OpenBSD-Commit-ID: d297e4387935d4aef091c5e9432578c2e513f538
  -- djm@openbsd.org | 2022-08-26 | 1 file | -4/+4

* initial list of allowed signers
  -- Damien Miller | 2022-08-26 | 1 file | -0/+2

* Install Cygwin packages based on OS not config.
  -- Darren Tucker | 2022-08-19 | 1 file | -2/+2

* upstream: attempt FIDO key signing without PIN and use the error code returned to fall back only if necessary. Avoids PIN prompts for FIDO tokens that don't require them; part of GHPR#302
  OpenBSD-Commit-ID: 4f752aaf9f2e7c28bcaaf3d4f8fc290131bd038e
  -- djm@openbsd.org | 2022-08-19 | 1 file | -22/+20

* upstream: remove incorrect check that can break enrolling a resident key (introduced in r1.40)
  OpenBSD-Commit-ID: 4cab364d518470e29e624af3d3f9ffa9c92b6f01
  -- djm@openbsd.org | 2022-08-19 | 1 file | -5/+1

* upstream: Strictly enforce the maximum allowed SSH2 banner size in ssh-keyscan and prevent a one-byte buffer overflow. Patch from Qualys, ok djm@
  OpenBSD-Commit-ID: 6ae664f9f4db6e8a0589425f74cd0bbf3aeef4e4
  -- dtucker@openbsd.org | 2022-08-19 | 1 file | -1/+15

* Fix cygwin conditional steps.
  -- Darren Tucker | 2022-08-19 | 1 file | -2/+2

* Add a bit more debug output.
  -- Darren Tucker | 2022-08-19 | 1 file | -0/+2

* Add Cygwin (on windows-2019) test target.
  In addition to installing the requisite Cygwin packages, we also need to explicitly invoke "sh" for steps that run other scripts since the runner environment doesn't understand #! paths.
  -- Darren Tucker | 2022-08-19 | 3 files | -7/+25

* upstream: double free() in error path; from Eusgor via GHPR333
  OpenBSD-Commit-ID: 39f35e16ba878c8d02b4d01d8826d9b321be26d4
  -- djm@openbsd.org | 2022-08-19 | 1 file | -3/+4

* Check for perms to run agent-getpeereid test.
  Ubuntu 22.04 defaults to private home dirs which prevents "nobody" running ssh-add during the agent-getpeereid test. Check for this and add the necessary permissions.
  -- Darren Tucker | 2022-08-18 | 1 file | -1/+11

* on Cygwin, prefer WinHello FIDO device
  If no FIDO device was explicitly specified, then prefer the windows://hello FIDO device. An exception to this is when probing resident FIDO keys, in which case hardware FIDO devices are preferred.
  -- Damien Miller | 2022-08-17 | 1 file | -0/+4

* upstream: add an extra flag to sk_probe() to indicate whether we're probing for a FIDO resident key or not. Unused here, but will make life easier for portable
  OpenBSD-Commit-ID: 432c8ff70e270378df9dbceb9bdeaa5b43b5a832
  -- djm@openbsd.org | 2022-08-17 | 1 file | -6/+6

* upstream: use .Cm for "sign"; from josiah frentsos
  OpenBSD-Commit-ID: 7f80a53d54857ac6ae49ea6ad93c5bd12231d1e4
  -- jmc@openbsd.org | 2022-08-17 | 1 file | -3/+3

* Revert "check_sk_options: add temporary WinHello workaround"
  Cygwin now comes with libfido2 1.11.0, so this workaround isn't required anymore. This reverts commit 242c044ab111a37aad3b0775727c36a4c5f0102c.
  Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
  -- Corinna Vinschen | 2022-08-12 | 1 file | -9/+0

* fido_dev_is_winhello: return 0, not "false"
  "false" is not used anywhere in OpenSSH, so return 0 like everywhere else.
  Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
  -- Corinna Vinschen | 2022-08-12 | 1 file | -1/+1

* upstream: sftp-server: support home-directory request
  Add support to the sftp-server for the home-directory extension defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing expand-path@openssh.com, but uses a more official protocol name, and so is a bit more likely to be implemented by non-OpenSSH clients. From Mike Frysinger, ok dtucker@
  OpenBSD-Commit-ID: bfc580d05cc0c817831ae7ecbac4a481c23566ab
  -- djm@openbsd.org | 2022-08-12 | 2 files | -2/+51

* Replace deprecated ubuntu-18.04 runners with 22.04
  -- Darren Tucker | 2022-08-12 | 1 file | -9/+9

* Add a timegm implementation from Heimdal via Samba.
  Fixes build on (at least) Solaris 10.
  -- Darren Tucker | 2022-08-11 | 5 files | -0/+89

* Rerun tests if any .github config file changes.
  -- Darren Tucker | 2022-08-11 | 3 files | -4/+4