Prevent excessively long username going to PAM.

This is a mitigation for a buffer overflow in Solaris' PAM username
handling (CVE-2020-14871), and is only enabled for Sun-derived PAM

Prevent excessively long username going to PAM.

This is a mitigation for a buffer overflow in Solaris' PAM username
handling (CVE-2020-14871), and is only enabled for Sun-derived PAM
implementations. This is not a problem in sshd itself, it only
prevents sshd from being used as a vector to attack Solaris' PAM.
It does not prevent the bug in PAM from being exploited via some other
PAM application.

Based on github PR#212 from Mike Scott but implemented slightly
differently. ok tim@ djm@

show more ...

upstream: unbreak; missing NULL check

OpenBSD-Commit-ID: 6613dfab488123f454d348ef496824476b8c11c0

upstream: when requesting a security key touch on stderr, inform the

user once the touch has been recorded; requested by claudio@ ok markus@

OpenBSD-Commit-ID: 3b76ee444490e546b9ea7

upstream: when requesting a security key touch on stderr, inform the

user once the touch has been recorded; requested by claudio@ ok markus@

OpenBSD-Commit-ID: 3b76ee444490e546b9ea7f879e4092ee0d256233

show more ...

Remove preprocessor directive from log macro calls.

Preprocessor directives inside macro calls, such as the new log macros,
are undefined behaviour and do not work with, eg old GCCs. Pu

Remove preprocessor directive from log macro calls.

Preprocessor directives inside macro calls, such as the new log macros,
are undefined behaviour and do not work with, eg old GCCs. Put the
entire log call inside the ifdef for OPENSSL_HAS_NISTP521.

show more ...

upstream: Add a comment documenting the source of the moduli group

sizes.

OpenBSD-Commit-ID: aec0725ce607630caaa62682624c6763b350391c

upstream: Replace WITH_OPENSSL ifdefs in log calls with a macro.

The log calls are themselves now macros, and preprocessor directives inside
macro arguments are undefined behaviour which

upstream: Replace WITH_OPENSSL ifdefs in log calls with a macro.

The log calls are themselves now macros, and preprocessor directives inside
macro arguments are undefined behaviour which some compilers (eg old GCCs)
choke on. It also makes the code tidier. ok deraadt@

OpenBSD-Commit-ID: cc12a9029833d222043aecd252d654965c351a69

show more ...

Fix function body for variadic macro test.

AC_LANG_PROGRAM puts its second argument inside main() so we don't need
to do it ourselves.

Remove AC_PROC_CC_C99 obsoleted in autoconf 2.70.

Since we only use it to make sure we can handle variadic macros,
explicitly check only for that. with & ok djm@

Replace AC_TRY_COMPILE obsoleted in autoconf 2.70.

Replace with the equivalent AC_COMPILE_IFELSE.

Move AC_PROG_CC_C99 to immediately afer AC_PROG_CC.

This puts the related C version selection output in the same place.

AC_CHECK_HEADER() is obsoleted in autoconf 2.70.

Replace with the non-obsoleted AC_CHECK_HEADERS().

upstream: fold consecutive '*' wildcards to mitigate combinatorial

explosion of recursive searches; ok dtucker

OpenBSD-Commit-ID: d18bcb39c40fb8a1ab61153db987e7d11dd3792b

upstream: print reason in fatal error message when

kex_assemble_namelist() fails

OpenBSD-Commit-ID: a9975ee8db6c98d6f32233d88051b2077ca63dab

upstream: fix sshd_config SetEnv directive inside Match blocks; part of

github PR#201 from github user manuelm

OpenBSD-Commit-ID: 9772e3748abff3ad65ae8fc43d026ed569b1d2bc

upstream: fix type of nid in type_bits_valid(); github PR#202 from

github user thingsconnected

OpenBSD-Commit-ID: 769d2b040dec7ab32d323daf54b854dd5dcb5485

upstream: whitespace; no code change

OpenBSD-Commit-ID: efefc1c47e880887bdee8cd2127ca93177eaad79

upstream: UpdateHostkeys: fixed/better detection of host keys that

exist under other names and addresses; spotted by and debugged with lots of
help from jca@

OpenBSD-Commit-ID:

upstream: UpdateHostkeys: fixed/better detection of host keys that

exist under other names and addresses; spotted by and debugged with lots of
help from jca@

OpenBSD-Commit-ID: 5113d7f550bbd48243db1705afbf16b63792d4b7

show more ...

session.c: use "denylist" terminology

Follow upstream (6d755706a0059eb9e2d63517f288b75cbc3b4701) language
improvements in this portable-specific code.

Remove checks for strict POSIX mkdtemp()

We needed a mkdtemp() that accepted template paths that did not
end in XXXXXX a long time ago for KRB4, but that code is long
deprecated. We

Remove checks for strict POSIX mkdtemp()

We needed a mkdtemp() that accepted template paths that did not
end in XXXXXX a long time ago for KRB4, but that code is long
deprecated. We no longer need to replace mkdtemp() for strictly
following POSIX. ok dtucker@

show more ...

upstream: Minor man page fixes (capitalization, commas) identified by

the manpage-l10n project via bz#3223. feedback deraadt@, ok jmc@

OpenBSD-Commit-ID: ab83af0daf18369244a72daaec

upstream: Minor man page fixes (capitalization, commas) identified by

the manpage-l10n project via bz#3223. feedback deraadt@, ok jmc@

OpenBSD-Commit-ID: ab83af0daf18369244a72daaec6c4a58a9eb7e2c

show more ...

upstream: Adapt XMSS to new logging infrastructure. With markus@, ok

djm@.

OpenBSD-Commit-ID: 9c35ec3aa0f710e4e3325187ceff4fa3791686de

upstream: fix SEGV on fatal() errors spotted by dtucker@

OpenBSD-Commit-ID: 75f155a1ac61e364ed00dc379e2c42df81067ce2

Use fatal_fr not fatal_r when passing r.

Caught by the PAM -Werror tinderbox build.

upstream: use the new variant log macros instead of prepending

__func__ and appending ssh_err(r) manually; ok markus@

OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8

upstream: variants of the log methods that append a ssherr.h string

from a supplied error code; ok markus@

OpenBSD-Commit-ID: aed98c4435d48d036ae6740300f6a8357b7cc0bf