| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
| |
MFH (r296633): upgrade to 7.2p2 (fixes xauth command injection bug)
MFH (r296634): re-add aes-cbc to server-side default cipher list
MFH (r296651, r296657): fix gcc build of pam_ssh
PR: 207679
Security: CVE-2016-3115
Approved by: re (marius)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
MFH (r285975, r287143): register mergeinfo for security fixes
MFH (r294497, r294498, r295139): internal documentation
MFH (r294328): upgrade to openssh 6.7p1, re-add libwrap
MFH (r294332): upgrade to openssh 6.8p1
MFH (r294367): update pam_ssh for api changes
MFH (r294909): switch usedns back on
MFH (r294336): upgrade to openssh 6.9p1
MFH (r294495): re-enable dsa keys
MFH (r294464): upgrade to openssh 7.0p1
MFH (r294496): upgrade to openssh 7.1p2
Approved by: re (gjb)
Relnotes: yes
|
| |
|
|
| |
Remove the HPN and None cipher patches.
|
| |
|
|
|
|
| |
r294320, r294322, r294324, r294330, r294469, r294494, r294466)
Reduce diffs to head in preparation for removing HPN and None.
|
| | |
|
| |
|
|
| |
MFH (r264308): restore p level in debugging output
|
| |
|
|
| |
MFH (r261340): enable sandboxing by default
|
| |
|
|
|
|
|
|
|
| |
repeat performance by introducing a script that runs configure with and
without Kerberos, diffs the result and generates krb5_config.h, which
contains the preprocessor macros that need to be defined in the Kerberos
case and undefined otherwise.
Approved by: re (marius)
|
| |\
| |
| |
| | |
Approved by: re (gjb)
|
| |\ \
| |/
| |
| | |
for a key revocation list and more fine-grained authentication control.
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Prior to this, setting VersionAddendum will be a no-op: one will
always have BASE_VERSION + " " + VERSION_HPN for VersionAddendum
set in the config and a bare BASE_VERSION + VERSION_HPN when there
is no VersionAddendum is set.
HPN patch requires both parties to have the "hpn" inside their
advertized versions, so we add VERSION_HPN to the VERSION_BASE
if HPN is enabled and omitting it if HPN is disabled.
VersionAddendum now uses the following logics:
* unset (default value): append " " and VERSION_ADDENDUM;
* VersionAddendum is set and isn't empty: append " "
and VersionAddendum;
* VersionAddendum is set and empty: don't append anything.
Approved by: des
Reviewed by: bz
MFC after: 3 days
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
- Revert unneeded whitespace changes.
- Revert modifications to loginrec.c, as the upstream version already
does the right thing.
- Fix indentation and whitespace of local changes.
Approved by: des
MFC after: 1 month
|
| |\ \
| |/
| |
| | |
MFC after: 3 months
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or
trans-continental links). Bandwidth-delay products up to 64MB are
supported.
Also add support (not compiled by default) for the None cypher. The
None cypher can only be enabled on non-interactive sessions (those
without a pty where -T was not used) and must be enabled in both
the client and server configuration files and on the client command
line. Additionally, the None cypher will only be activated after
authentication is complete. To enable the None cypher you must add
-DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in
/etc/make.conf.
This code is a style(9) compliant version of these features extracted
from the patches published at:
http://www.psc.edu/networking/projects/hpn-ssh/
Merging this patch has been a collaboration between me and Bjoern.
Reviewed by: bz
Approved by: re (kib), des (maintainer)
|
| |\ \
| |/ |
|
| |\ \
| |/ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
of short-living parent. Only mark the master process that accepts
connections, do not protect connection handlers spawned from inetd.
Submitted by: Mykola Dzham <i levsha me>
Reviewed by: attilio
MFC after: 1 week
|
| |\ \
| |/
| |
| | |
MFC after: 1 month
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
- Partially revert r184122 (sshd.c). Our ut_host is now big enough to
fit proper hostnames.
- Change config.h to match reality.
- defines.h requires UTMPX_FILE to be set by <utmpx.h> before it allows
the utmpx code to work. This makes no sense to me. I've already
mentioned this upstream.
- Add our own platform-specific handling of lastlog. The version I will
send to the OpenSSH folks will use proper autoconf generated
definitions instead of `#if 1'.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
environments.
Please note that this can't be done while such processes run in jails.
Note: in future it would be interesting to find a way to do that
selectively for any desired proccess (choosen by user himself), probabilly
via a ptrace interface or whatever.
Obtained from: Sandvine Incorporated
Reviewed by: emaste, arch@
Sponsored by: Sandvine Incorporated
MFC: 1 month
|
| |\ \
| |/ |
|
| |\ \
| |/
| |
| | |
MFC after: 3 months
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
in the struct utmp due to concerns about the length of the hostname buffer.
However, this breaks the UseDNS option. There is a simpler and better
solution: initialize utmp_len to the correct value (UT_HOSTSIZE instead of
MAXHOSTNAMELEN) and let get_remote_name_or_ip() worry about the size of the
buffer.
PR: bin/97499
Submitted by: Bruce Cran <bruce@cran.org.uk>
MFC after: 1 week
|
| |\ \
| |/
| |
| |
| |
| |
| |
| |
| |
| | |
I have worked hard to reduce diffs against the vendor branch. One
notable change in that respect is that we no longer prefer DSA over
RSA - the reasons for doing so went away years ago. This may cause
some surprises, as ssh will warn about unknown host keys even for
hosts whose keys haven't changed.
MFC after: 6 weeks
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | |
| |
| |
| | |
Happy birthday to: rwatson
|
| | | |
|
| | | |
|
| | |
| |
| |
| | |
Obtained from: OpenBSD
|
| | | |
|
| | | |
|
