upstream: make IPTOS_DSCP_LE available via IPQoS directive; bz2986,

based on patch by veegish AT cyberstorm.mu

OpenBSD-Commit-ID: 9902bf4fbb4ea51de2193ac2b1d965bc5d99c425

upstream: add xextendf() to extend a string with a format

(reallocating as necessary). ok aja@ as part of a larger diff

OpenBSD-Commit-ID: 30796b50d330b3e0e201747fe40cdf9aa70a77f9

upstream: Replace all calls to signal(2) with a wrapper around

sigaction(2). This wrapper blocks all other signals during the handler
preventing races between handlers, and sets SA_RESTA

upstream: Replace all calls to signal(2) with a wrapper around

sigaction(2). This wrapper blocks all other signals during the handler
preventing races between handlers, and sets SA_RESTART which should reduce
the potential for short read/write operations.

OpenBSD-Commit-ID: 5e047663fd77a40d7b07bdabe68529df51fd2519

show more ...

upstream: Wait for FD to be readable or writeable during a nonblocking

connect, not just readable. Prevents a timeout when the server doesn't
immediately send a banner (eg multiplexers

upstream: Wait for FD to be readable or writeable during a nonblocking

connect, not just readable. Prevents a timeout when the server doesn't
immediately send a banner (eg multiplexers like sslh) but is also slightly
quicker for other connections since, unlike ssh1, ssh2 doesn't specify
that the client should parse the server banner before sending its own.
Patch from mnissler@chromium.org, ok djm@

OpenBSD-Commit-ID: aba9cd8480d1d9dd31d0ca0422ea155c26c5df1d

show more ...

Wrap poll.h includes in HAVE_POLL_H.

upstream: move authorized_keys option parsing helpsers to misc.c

and make them public; ok markus@

OpenBSD-Commit-ID: c18bcb2a687227b3478377c981c2d56af2638ea2

upstream: move skip_space() to misc.c and make it public; ok

markus@

OpenBSD-Commit-ID: caa77e8a3b210948e29ad3e28c5db00852961eae

upstream: switch percent_expand() to use sshbuf instead of a limited

fixed buffer; ok markus@

OpenBSD-Commit-ID: 3f9ef20bca5ef5058b48c1cac67c53b9a1d15711

upstream: When system calls indicate an error they return -1, not

some arbitrary value < 0. errno is only updated in this case. Change all
(most?) callers of syscalls to follow this be

upstream: When system calls indicate an error they return -1, not

some arbitrary value < 0. errno is only updated in this case. Change all
(most?) callers of syscalls to follow this better, and let's see if this
strictness helps us in the future.

OpenBSD-Commit-ID: 48081f00db7518e3b712a49dca06efc2a5428075

show more ...

upstream: Some asprintf() calls were checked < 0, rather than the

precise == -1. ok millert nicm tb, etc

OpenBSD-Commit-ID: caecf8f57938685c04f125515b9f2806ad408d53

upstream: Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are establised

upstream: Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are establised standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@

OpenBSD-Commit-ID: fae5f4e23c51a368d6b2d98376069ac2b10ad4b7

show more ...

upstream: move client/server SSH-* banners to buffers under

ssh->kex and factor out the banner exchange. This eliminates some common code
from the client and server.

Also be mor

upstream: move client/server SSH-* banners to buffers under

ssh->kex and factor out the banner exchange. This eliminates some common code
from the client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@

OpenBSD-Commit-ID: 1cc7885487a6754f63641d7d3279b0941890275b

show more ...

upstream: Fix calculation of initial bandwidth limits. Account for

written bytes before the initial timer check so that the first buffer written
is accounted. Set the threshold after wh

upstream: Fix calculation of initial bandwidth limits. Account for

written bytes before the initial timer check so that the first buffer written
is accounted. Set the threshold after which the timer is checked such that
the limit starts being computed as soon as possible, ie after the second
buffer is written. This prevents an initial burst of traffic and provides a
more accurate bandwidth limit. bz#2927, ok djm.

OpenBSD-Commit-ID: ff3ef76e4e43040ec198c2718d5682c36b255cb6

show more ...

upstream: use path_absolute() for pathname checks; from Manoj Ampalam

OpenBSD-Commit-ID: 482ce71a5ea5c5f3bc4d00fd719481a6a584d925

upstream: Support using service names for port numbers.

* Try to resolve a port specification with getservbyname(3) if a
numeric conversion fails.
* Make the "Port" option in ssh_co

upstream: Support using service names for port numbers.

* Try to resolve a port specification with getservbyname(3) if a
numeric conversion fails.
* Make the "Port" option in ssh_config handle its argument as a
port rather than a plain integer.

ok dtucker@ deraadt@

OpenBSD-Commit-ID: e7f03633133205ab3dfbc67f9df7475fabae660d

show more ...

upstream: Allow ssh_config IdentityAgent directive to accept

environment variable names as well as explicit paths. ok dtucker@

OpenBSD-Commit-ID: 2f0996e103876c53d8c9dd51dcce9889d70

upstream: Allow ssh_config IdentityAgent directive to accept

environment variable names as well as explicit paths. ok dtucker@

OpenBSD-Commit-ID: 2f0996e103876c53d8c9dd51dcce9889d700767b

show more ...

upstream: Remove uid checks from low port binds. Now that ssh

cannot be setuid and sshd always has privsep on, we can remove the uid checks
for low port binds and just let the system do

upstream: Remove uid checks from low port binds. Now that ssh

cannot be setuid and sshd always has privsep on, we can remove the uid checks
for low port binds and just let the system do the check. We leave a sanity
check for the !privsep case so long as the code is stil there. with & ok
djm@

OpenBSD-Commit-ID: 9535cfdbd1cd54486fdbedfaee44ce4367ec7ca0

show more ...

upstream: Remove support for running ssh(1) setuid and fatal if

attempted. Do not link uidwap.c into ssh any more. Neuters
UsePrivilegedPort, which will be marked as deprecated shortly.

upstream: Remove support for running ssh(1) setuid and fatal if

attempted. Do not link uidwap.c into ssh any more. Neuters
UsePrivilegedPort, which will be marked as deprecated shortly. ok markus@
djm@

OpenBSD-Commit-ID: c4ba5bf9c096f57a6ed15b713a1d7e9e2e373c42

show more ...

upstream: add a SetEnv directive to ssh_config that allows setting

environment variables for the remote session (subject to the server accepting
them)

refactor SendEnv to remove

upstream: add a SetEnv directive to ssh_config that allows setting

environment variables for the remote session (subject to the server accepting
them)

refactor SendEnv to remove the arbitrary limit of variable names.

ok markus@

OpenBSD-Commit-ID: cfbb00d9b0e10c1ffff1d83424351fd961d1f2be

show more ...

upstream: switch config file parsing to getline(3) as this avoids

static limits noted by gerhard@; ok dtucker@, djm@

OpenBSD-Commit-ID: 6d702eabef0fa12e5a1d75c334a8c8b325298b5c

upstream: add valid-before="[time]" authorized_keys option. A

simple way of giving a key an expiry date. ok markus@

OpenBSD-Commit-ID: 1793b4dd5184fa87f42ed33c7b0f4f02bc877947

upstream: revert recent strdelim() change, it causes problems with

some configs.

revision 1.124
date: 2018/03/02 03:02:11; author: djm; state: Exp; lines: +19 -8; commitid:

upstream: revert recent strdelim() change, it causes problems with

some configs.

revision 1.124
date: 2018/03/02 03:02:11; author: djm; state: Exp; lines: +19 -8; commitid: nNRsCijZiGG6SUTT;
Allow escaped quotes \" and \' in ssh_config and sshd_config quotes
option strings. bz#1596 ok markus@

OpenBSD-Commit-ID: 59c40b1b81206d713c06b49d8477402c86babda5

show more ...

upstream: switch over to the new authorized_keys options API and

remove the legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file li

upstream: switch over to the new authorized_keys options API and

remove the legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@

OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df

show more ...

upstream: Allow escaped quotes \" and \' in ssh_config and

sshd_config quotes option strings. bz#1596 ok markus@

OpenBSD-Commit-ID: dd3a29fc2dc905e8780198e5a6a30b096de1a1cb

upstream commit

move subprocess() so scp/sftp do not need uidswap.o; ok
djm@

OpenBSD-Commit-ID: 6601b8360388542c2e5fef0f4085f8e54750bea8