| Commit message | Author | Age | Files | Lines |
| |
Fix VNET kernel panic with asynchronous I/O. [EN-17:07]
Fix pf(4) housekeeping thread causes kernel panic. [EN-17:08]
Approved by: so
| |
Adjust notification points slightly to catch all auth failures, rather
than just the ones caused by bad usernames. Modify notification point
for bad usernames to send new type of BLACKLIST_BAD_USER. (Support in
libblacklist will be forthcoming soon.) Add guards to allow library
headers to expose the enum of action values.
Reviewed by: des
Relnotes: yes
Sponsored by: The FreeBSD Foundation
| |
Only notify blacklistd for successful logins in auth.c
Before this change, every pass through auth.c resulted in a
call to blacklist_notify().
In a normal remote login, there would be a failed login flagged for
the printing of the "xxx login:" prompt, before the remote user
could enter a password.
If the user successfully entered a good password, then a good login
would be flagged, and everything would be OK.
If the user entered an incorrect password, there would be another
failed login flagged in auth1.c (or auth2.c) for the actual bad
password attempt. Finally, when sshd got around to issuing the
second "xxx login:" prompt, there would be yet another failed login
notice sent to blacklistd.
So, if there was a 3 bad logins limit set (the default), the system
would actually block the address after the first bad password attempt.
Reported by: Rick Adams
Reviewed by: des
Sponsored by: The FreeBSD Foundation
| |
Conditionalize building libwrap support into sshd
Only build libwrap support into sshd if MK_TCP_WRAPPERS != no
This will unbreak the build if libwrap has been removed from the system
PR: 210141
| |
Fix multiple OpenSSH vulnerabilities.
Submitted by: des
Approved by: so
| |
Fix OpenSSH remote Denial of Service vulnerability.
Security: CVE-2016-8858
| |
Change the calls to blacklist_init() and blacklist_notify to be
macros defined in the blacklist_client.h file. This avoids
the need for #ifdef USE_BLACKLIST / #endif except in the
blacklist.c file.
Remove redundant initialization attempts from within
blacklist_notify - everything always goes through
blacklistd_init().
Added UseBlacklist option to sshd, which defaults to off.
To enable the functionality, use '-o UseBlacklist=yes' on
the command line, or uncomment in the sshd_config file.
Approved by: des
Sponsored by: The FreeBSD Foundation
| |
PR: 208254
Approved by: re (kib)
| |
PR: 208254
Approved by: re (gjb)
Relnotes: yes
| |
This change has functional impact, and other concerns raised
by the OpenSSH maintainer.
Requested by: des
PR: 210479 (related)
Approved by: re (marius)
Sponsored by: The FreeBSD Foundation
| |
Reviewed by: rpaulo
Approved by: rpaulo (earlier version of changes)
Relnotes: YES
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D5915
| |
PR: 207679
| | |
(should have done this in r291198, but didn't think of it until now)
| | |
Noticed by: glebius
| | |
environment that has OpenSSL from ports in addition to the base version.
| | |
modifications, and add them to two files in which we do.
| | |
they are never regenerated to reflect our changes) or in the way of
freebsd-configure.sh.
| | |
existing configurations that use them. Note that there is no functional
difference between OpenSSH with HPN and OpenSSH without HPN.
| | |
autoheader and autoconf to avoid having to patch configure manually.
| | |
upstream) and a number of security fixes which we had already backported.
MFC after: 1 week
| | |
and {ssh,sshd}_config.
| | |
cleanup. A round-trip (./freebsd-pre-merge.sh ; ./freebsd-post-merge.sh)
now results in an unchanged working copy.
| | |
Security: SA-16:07.openssh
Security: CVE-2016-0777
| | |
PR: 204769
Submitted by: David Binderman <dcb314@hotmail.com>
MFC after: 1 week
| | |
of ssh-askpass and xauth, breaking X11 forwarding.
| | |
there is (currently) no way to make Subversion generate correct $Mdocdate$
tags, but perhaps we can teach mandoc to read Subversion's %d format.
| | |
from OpenSSH-portable master.
Git revisions: 45b0eb752c94954a6de046bfaaf129e518ad4b5b
5e75f5198769056089fb06c4d738ab0e5abc66f7
d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
Reviewed by: des
Security: FreeBSD-SA-15:22.openssh
| | |
Security: CVE-2014-2653
Security: CVE-2015-5600
Security: FreeBSD-SA-15:16.openssh
| | |
Re-apply r99054 by des in 2002. This was accidentally dropped
by the update to OpenSSH 6.5p1 (r261320).
This change is actually taken from r387082 of
ports/security/openssh-portable/files/patch-ssh.c
PR: 198043
Differential Revision: https://reviews.freebsd.org/D3103
Reviewed by: des
Approved by: kib (mentor)
MFC after: 3 days
Relnotes: yes
Sponsored by: Dell Inc.
| | |
the current set, it is good hygiene to change them once in a while.
MFC after: 1 week
| | |
The use of CHAN_TCP_WINDOW_DEFAULT here was fixed in upstream OpenSSH
in CVS 1.4810, git 5baa170d771de9e95cf30b4c469ece684244cf3e:
- dtucker@cvs.openbsd.org 2007/12/28 22:34:47
[clientloop.c]
Use the correct packet maximum sizes for remote port and agent forwarding.
Prevents the server from killing the connection if too much data is queued
and an excessively large packet gets sent. bz #1360, ok djm@.
The change was lost due to the way the original upstream HPN patch
modified this code. It was re-adding the original OpenSSH code and never
was properly fixed to use the new value.
MFC after: 2 weeks
| | |
PR: 193127
MFC after: 2 weeks