Lines Matching refs:upstream

23     upstream: openssh-9.1
31 upstream: Fix typo. From AlexanderStohr via github PR#343.
39 upstream: add RequiredRSASize to the list of keywords accepted by
63 upstream: use users-groups-by-id@openssh.com sftp-server extension
74 upstream: sftp client library support for
84 upstream: extend sftp-common.c:extend ls_file() to support supplied
94 upstream: sftp-server(8): add a "users-groups-by-id@openssh.com"
110 upstream: better debugging for connect_next()
118 upstream: Add RequiredRSASize for sshd(8); RSA keys that fall
130 upstream: add a RequiredRSASize for checking RSA key length in
145 upstream: Add a sshkey_check_rsa_length() call for checking the
155 upstream: actually hook up restrict_websafe; the command-line flag
165 upstream: correct error value
173 upstream: sftp: Be a bit more clever about completions
192 upstream: sftp: Don't attempt to complete arguments for
208 upstream: sk_enroll: never drop SSH_SK_USER_VERIFICATION_REQD flag
225 upstream: a little extra debugging
233 upstream: ssh-agent: attempt FIDO key signing without PIN and use
244 upstream: .Li -> .Vt where appropriate; from josiah frentsos,
256 upstream: fix repeated words ok miod@ jmc@
264 upstream: notifier_complete(NULL, ...) is a noop, so no need to test
327 upstream: sk-usbhid: fix key_lookup() on tokens with built-in UV
344 upstream: whitespace
392 upstream: whitespace
400 upstream: whitespace
420 upstream: attemp FIDO key signing without PIN and use the error
431 upstream: remove incorrect check that can break enrolling a
441 upstream: Strictly enforce the maximum allowed SSH2 banner size in
474 upstream: double free() in error path; from Eusgor via GHPR333
503 upstream: add an extra flag to sk_probe() to indicate whether we're
514 upstream: use .Cm for "sign"; from josiah frentsos
546 upstream: sftp-server: support home-directory request
594 upstream: add some tests for parse_absolute_time(), including cases
604 upstream: allow certificate validity intervals, sshsig verification
669 upstream: don't prompt for FIDO passphrase before attempting to enroll
733 upstream: avoid double-free in error path introduced in r1.70; report
821 upstream: Restore missing "!" in TEST_SSH_ELAPSED_TIMES test.
829 upstream: Test TEST_SSH_ELAPSED_TIMES for empty string not
866 upstream: ssh-keygen: fix touch prompt, pin retries;
876 upstream: sk-usbhid: preserve error code returned by key_lookup()
888 upstream: when enrolling a resident key on a security token, check
904 upstream: pull passphrase reading and confirmation into a separate
1058 upstream: Add TEST_REGRESS_CACHE_DIR.
1094 upstream: Remove leftover line.
1104 upstream: use consistent field names (s/char/byte)
1123 upstream: bump up loglevel from debug to info when unable to open
1133 upstream: Don't leak the strings allocated by order_hostkeyalgs()
1147 upstream: Always return allocated strings from the kex filtering so
1158 upstream: ignore SIGPIPE earlier in main(), specifically before
1169 upstream: reflect the update to -D arg name in usage();
1183 upstream: allow arguments to sftp -D option, e.g. sftp -D
1195 upstream: Roll back previous KEX changes as they aren't safe until
1206 upstream: Don't leak the strings allocated by order_hostkeyalgs()
1246 upstream: make it clear that RekeyLimit applies to both transmitted
1256 upstream: Make sure not to fclose() the same fd twice in case of an
1268 upstream: Don't attempt to fprintf a null identity comment. From
1278 upstream: Log an error if pipe() fails while accepting a
1308 upstream: make sure that UseDNS hostname lookup happens in the monitor
1319 upstream: move auth_openprincipals() and auth_openkeyfile() over to
1329 upstream: test setenv in both client and server, test first-match-wins
1339 upstream: Make SetEnv directives first-match-wins in both
1354 upstream: Add missing *-sk types to ssh-keyscan manpage. From
1364 upstream: Add period at end of "not known by any other names"
1374 upstream: ssh-keygen -A: do not generate DSA keys by default.
1385 upstream: ssh-keygen: implement "verify-required" certificate option.
1398 upstream: keywords ref ssh_config.5;
1435 upstream: split the low-level file handling functions out from
1451 upstream: refactor authorized_keys/principals handling
1465 upstream: f sshpkt functions fail, then password is not cleared
1478 upstream: Avoid kill with -1 argument. The out_ctx label can be
1491 upstream: Note that ProxyJump also accepts the same tokens as
1501 upstream: revert previous; it was broken (spotted by Theo)
1509 upstream: make SSHBUF_DBG/SSHBUF_TELL (off by default and only enabled
1527 upstream: regress test for in-place transfers and clobbering larger
1537 upstream: Only run agent-ptrace.sh if gdb is available as all
1547 upstream: fix in-place copies; r1.163 incorrectly skipped truncation in
1558 upstream: arrange for scp, when in sftp mode, to not ftruncate(3) files
1574 upstream: Remove errant apostrophe. From haruyama at queen-ml org.
1582 upstream: Allow existing -U (use agent) flag to work with "-Y sign"
1593 upstream: improve error message when 'ssh-keygen -Y sign' is unable to
1612 upstream: When performing operations that glob(3) a remote path, ensure
1629 Also retest OpenBSD upstream on .yml changes.
1649 upstream: sshkey_unshield_private() contains a exact duplicate of
1660 upstream: channel_new no longer frees remote_name. So update the
1671 upstream: mux.c: mark argument as const; from Martin Vahlensieck
1679 upstream: make sure stdout is non-blocking; ok djm@
1687 upstream: Add FIDO AUTHENTICATOR section and explain a bit how FIDO
1703 upstream: remove an obsolete rsa1 format example from an example;
1714 upstream: fix some integer overflows in sieve_large() that show up when
1725 upstream: be stricter in which characters will be accepted in
1756 upstream: mention that the helpers are used by ssh(1), ssh-agent(1)
1767 upstream: Don't leak SK device. Patch from Pedro Martelletto via
1777 upstream: fix memleak on session-bind path; from Pedro Martelletto, ok
1787 upstream: avoid printing hash algorithm twice; from lucas AT sexy.is
1795 upstream: Add authfd path to debug output. ok markus@
1803 upstream: Check sshauthopt_new() for NULL. bz#3425, from
1813 upstream: Remove unnecessary includes: openssl/hmac.h and
1823 upstream: Add missing includes of stdlib.h and stdint.h. We need
1835 upstream: Avoid an unnecessary xstrdup in rm_env() when matching
1876 upstream: It looks like we can't completely avoid
1887 upstream: Use ssh -f and ControlPersist ..
1898 upstream: Simplify forward-control test.
1910 upstream: regression test for sftp cp command
1918 upstream: Import regenerated moduli
1926 upstream: Try to continue running local I/O for channels in state
1938 upstream: Import regenerated moduli
1946 upstream: list the correct version number
1957 upstream: Correct path for system known hosts file in description
1967 Resync moduli.5 with upstream.
1985 upstream: clear io_want/io_ready flags at start of poll() cycle;
1996 upstream: Note that curve25519-sha256 was later published in
2006 upstream: two defensive changes from Tobias Stoeckmann via GHPR287
2046 upstream: openssh-9.0
2054 upstream: ssh: document sntrup761x25519-sha512@openssh.com as
2064 upstream: man pages: add missing commas between subordinate and
2148 upstream: add a sftp client "cp" command that supports server-side
2159 upstream: add support for the "corp-data" protocol extension to
2170 upstream: select post-quantum KEX
2180 upstream: fix poll() spin when a channel's output fd closes without
2191 upstream: ssh is almost out of getopt() characters; note the
2201 upstream: avoid NULL deref via ssh-keygen -Y find-principals.
2263 upstream: don't leak argument list; bz3404, reported by Balu
2273 upstream: make addargs() and replacearg() a little more robust and
2287 upstream: don't try to resolve ListenAddress directives in the sshd
2299 upstream: remove blank line
2307 upstream: helpful comment
2315 upstream: ssh-keygen -Y check-novalidate requires namespace or SEGV
2325 upstream: improve DEBUG_CHANNEL_POLL debugging message
2333 upstream: ssh: xstrdup(): use memcpy(3)
2383 upstream: pack pollfd array before server_accept_loop() ppoll()
2398 upstream: include rejected signature algorithm in error message and
2408 upstream: Remove the char * casts from arguments to do_lstat,
2419 upstream: save an unneccessary alloc/free, based on patch from
2515 upstream: free(3) wants stdlib.h
2523 upstream: put back the scp manpage changes for SFTP mode too
2531 upstream: and we go back to testing sftp-scp after the 8.9
2547 upstream: avoid integer overflow of auth attempts (harmless, caught
2557 upstream: randomise the password used in fakepw
2565 upstream: use asprintf to construct .rhosts paths
2573 upstream: openssh-8.9
2638 upstream: Aproximate realpath on the expected output by deduping
2670 upstream: check for EINTR/EAGAIN failures in the rfd fast-path; caught
2700 upstream: document the unbound/host-bound options to
2793 upstream: Always initialize delim before passing to hpdelim2 which
2824 upstream: Add test for empty hostname with port.
2832 upstream: Add unit tests for hpdelim.
2840 upstream: revert for imminent OpenSSH release, which wil ship with
2857 upstream: Switch hpdelim interface to accept only ":" as delimiter.
2883 upstream: use libfido2 1.8.0+ fido_assert_set_clientdata() instead
2894 upstream: remove please from manual pages ok jmc@ sthen@ millert@
2902 upstream: Since they are deprecated, move DSA to the end of the
2921 upstream: test 'ssh-keygen -Y find-principals' with wildcard
2931 upstream: Enable all supported ciphers and macs in the server
2942 upstream: allow 'ssh-keygen -Y find-principals' to match wildcard
2952 upstream: mark const string array contents const too, i.e. static
2962 upstream: better match legacy scp behaviour: show un-expanded paths
2972 upstream: Remove explicit kill of privsep preauth child's PID in
2985 upstream: When it's the possessive of 'it', it's spelled "its",
3006 upstream: add a ssh_packet_process_read() function that reads from
3024 upstream: Use sshbuf_read() to read directly into the channel input
3042 upstream: Add a sshbuf_read() that attempts to read(2) directly in
3052 upstream: add a helper for writing an error message to the
3063 upstream: correct comment and use local variable instead of long
3073 upstream: When poll(2) returns -1, for some error conditions
3140 Remove line leftover from upstream sync.
3146 upstream: when decompressing zlib compressed packets, use
3161 upstream: make most of the sftp errors more idiomatic, following
3171 upstream: when transferring multiple files in SFTP mode, create the
3182 upstream: allow pin-required FIDO keys to be added to ssh-agent(1).
3194 upstream: ssh-sk: free a resident key's user id
3204 upstream: sshsk_load_resident: don't preallocate resp
3217 upstream: sshsk_sign: trim call to sshkey_fingerprint()
3230 upstream: use status error message to communicate ~user expansion
3271 upstream: Set LC_ALL in both local and remote shells so that sorted
3281 upstream: Avoid %'s in commands (not used in OpenBSD, but used in
3297 upstream: Use egrep when searching for an anchored string.
3311 upstream: Don't log NULL hostname in restricted agent code,
3321 upstream: remove hardcoded domain and use window.location.host, so this
3331 upstream: "void" functions should not return anything. From Tim Rice
3341 upstream: suppress "Connection to xxx closed" messages at LogLevel >=
3386 upstream: Remove errant "set -x" left over from debugging.
3394 upstream: Enable all supported hostkey algorithms (but no others).
3404 upstream: use status error message to communicate ~user expansion
3416 upstream: fix some corner-case bugs in scp sftp-mode handling of
3426 upstream: more idiomatic error messages; spotted by jsg & deraadt
3436 upstream: add a variant of send_status() that allows overriding the
3446 upstream: refactor tilde_expand_filename() and make it handle ~user
3456 upstream: Don't explicitly set HostbasedAuthentication in
3467 upstream: Add test for hostbased auth. It requires some external
3484 upstream: allow hostbased auth to select RSA keys when only
3494 upstream: add a helper function to match a key type to a list of
3505 upstream: log some details on hostkeys that ssh loads for
3515 upstream: log signature algorithm during verification by monitor;
3525 upstream: piece of UpdateHostkeys client strictification: when
3536 upstream: include rejected signature algorithm in error message
3546 upstream: make ssh-keysign use the requested signature algorithm
3557 upstream: stricter UpdateHostkey signature verification logic on
3570 upstream: Fix signature algorithm selection logic for
3587 upstream: convert ssh, sshd mainloops from select() to poll();
3597 upstream: prepare for conversion of ssh, sshd mainloop from
3608 upstream: add a comment so I don't make this mistake again
3616 upstream: fix cut-and-pasto in error message
3624 upstream: select all RSA hostkey algorithms for UpdateHostkeys tests,
3634 upstream: regress test both sshsig message hash algorithms, possible
3644 upstream: allow selection of hash at sshsig signing time; code
3655 upstream: add missing -O option to usage() for ssh-keygen -Y sign;
3665 upstream: move sig_process_opts() to before sig_sign(); no
3675 upstream: regression test for find-principals NULL deref; from Fabian
3685 upstream: NULL deref when using find-principals when matching an
3696 upstream: Log command invocation while debugging.
3721 upstream: spelling
3729 upstream: unbreak test: was picking up system ssh-add instead of the
3740 upstream: fix memleak in process_extension(); oss-fuzz issue #42719
3748 upstream: spelling ok dtucker@
3756 upstream: split method list search functionality from
3772 upstream: sort -H and -h in SYNOPSIS/usage(); tweak the -H text;
3792 remove sys/param.h in -portable, after upstream
3804 upstream: regression test for destination restrictions in ssh-agent
3812 upstream: Make use of ntests variable, pointed out by clang 13.
3820 upstream: sys/param.h cleanup, mostly using MINIMUM() and
3830 upstream: document host-bound publickey authentication
3838 upstream: document agent protocol extensions
3846 upstream: PubkeyAuthentication=yes|no|unbound|host-bound
3862 upstream: document destination-constrained keys
3872 upstream: Use hostkey parsed from hostbound userauth request
3888 upstream: agent support for parsing hostkey-bound signatures
3903 upstream: EXT_INFO negotiation of hostbound pubkey auth
3919 upstream: client side of host-bound pubkey authentication
3937 upstream: sshd side of hostbound public key auth
3950 upstream: prepare for multiple names for authmethods
3971 upstream: ssh-agent side of destination constraints
3990 upstream: ssh-add side of destination constraints
4031 upstream: ssh-add side of destination constraints
4072 upstream: ssh-agent side of binding
4087 upstream: ssh client side of binding
4101 upstream: Record session ID, host key and sig at intital KEX
4113 upstream: better error message for FIDO keys when we can't match
4155 upstream: fix unintended sizeof pointer in debug path ok markus@
4163 upstream: RSA/SHA-1 is not used by default anymore on the server
4171 upstream: hash full host:port when asked to hash output, fixes hashes
4181 upstream: improve the testing of credentials against inserted FIDO
4199 upstream: move check_sk_options() up so we can use it earlier
4207 upstream: ssh-rsa is no longer in the default for
4217 upstream: don't put the tty into raw mode when SessionType=none, avoids
4260 upstream: sshsig: return "key not found" when searching empty files
4270 upstream: ssh-keygen -Y match-principals doesn't accept any -O
4280 upstream: fix indenting in last commit
4288 upstream: missing initialisation for oerrno
4302 upstream: whitespac e
4310 upstream: regression test for match-principals. Mostly by Fabian
4320 upstream: Add ssh-keygen -Y match-principals operation to perform
4335 upstream: debug("func: ...") -> debug_f("...")
4364 upstream: regression test for ssh-keygen -Y find-principals fix; from
4374 upstream: less confusing debug message; bz#3365
4382 upstream: avoid xmalloc(0) for PKCS#11 keyid for ECDSA keys (we
4393 upstream: ssh-keygen -Y find-principals was verifying key validity
4428 upstream: check for POLLHUP wherever we check for POLLIN
4436 upstream: fd leak in sshd listen loop error path; from Gleb
4446 upstream: check for POLLHUP as well as POLLIN in sshd listen loop;
4456 upstream: check for POLLHUP as well as POLLIN, handle transient IO
4488 upstream: set num_listen_socks to 0 on close-all instead of -1,
4499 upstream: use ppoll() instead of pselect() with djm
4507 upstream: match .events with .fd better
4515 upstream: convert select() to poll() ok djm
4523 upstream: replace select() with ppoll(), including converting
4533 upstream: It really looks like pledge "stdio dns" is possible
4543 upstream: aggressively pre-fill the pollfd array with fd=-1
4551 upstream: Convert from select() to ppoll(). Along the way, I
4571 upstream: add the sntrup761x25519-sha512@openssh.com hybrid
4585 upstream: fix ssh-keysign for KEX algorithms that use SHA384/512
4595 upstream: improve error message when trying to expand a ~user path
4619 upstream: Plug a couple of minor mem leaks. From beldmit at
4629 upstream: move cert_filter_principals() to earlier in the file for
4639 upstream: Many downstreams expect ssh to compile as non-C99...
4663 upstream: crank SSH_SK_VERSION_MAJOR to match recent change in
4673 upstream: Better handle FIDO keys on tokens that provide user
4698 upstream: sshsig: add tests for signing key validity and
4715 upstream: avoid signedness warning; spotted in -portable
4723 upstream: ssh-keygen: make verify-time argument parsing optional
4771 upstream: increment SSH_SK_VERSION_MAJOR to match last change
4779 upstream: When downloading resident keys from a FIDO token, pass
4798 upstream: For open/openat, if the flags parameter does not contain
4829 upstream: Plug mem addrinfo mem leaks.
4841 upstream: Remove unnecessary semicolons
4851 upstream: Fix typos in comments.
4861 upstream: switch scp(1) back to sftp protocol.
4920 upstream: Document that CASignatureAlgorithms, ExposeAuthInfo and
4991 upstream: Dynamically allocate encoded HashKnownHosts and free as
5004 upstream: use libc SHA256 functions; make this work when compiled
5014 upstream: Add test for ssh hashed known_hosts handling.
5064 upstream: Fix up whitespace left by previous
5074 upstream: Remove references to privsep.
5086 upstream: Use "skip" instead of "fatal"
5098 upstream: unbreak FIDO sk-ed25519 key enrollment for OPENSSL=no builds;
5190 upstream: Test certificate hostkeys held in ssh-agent too. Would have
5202 upstream: add some debug output showing how many key file/command lines
5213 upstream: Make prototype for rijndaelEncrypt match function
5224 upstream: Import regenerated moduli.
5249 upstream: openssh-8.8
5257 upstream: need initgroups() before setresgid(); reported by anton@,
5273 upstream: RSA/SHA-1 is not used by default anymore
5308 upstream: fix missing -s in SYNOPSYS and usage() as well as a
5318 upstream: Fix "Allocated port" debug message
5329 upstream: Switch scp back to use the old protocol by default, ahead of
5341 upstream: better error message for ~user failures when the
5351 upstream: make some more scp-in-SFTP mode better match Unix idioms
5361 upstream: allow log_stderr==2 to prefix log messages with argv[0]
5379 upstream: missing space character in ssh -G output broke the
5389 upstream: allow CanonicalizePermittedCNAMEs=none in ssh_config; ok
5399 upstream: put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
5409 upstream: Do not ignore SIGINT while waiting for input if editline(3)
5423 upstream: when using SFTP protocol, continue transferring files after a
5433 upstream: Document that non-interactive commands are run via the user's
5443 upstream: Document behaviour of arguments following non-interactive
5453 upstream: Clarify which file's attributes -p preserves, and that
5464 upstream: openssh-7.4 was incorrectly listed twice; spotted by
5474 upstream: - move CAVEATS to its correct order - use the term
5497 upstream: Use the SFTP protocol by default. The original scp/rcp
5541 upstream: correct my mistake in previous fix; spotted by halex
5549 upstream: avoid NULL deref in -Y find-principals. Report and fix
5562 upstream: revision 1.381 neglected to remove
5594 upstream: Use .Cm instead of .Dq in StrictHostKeyChecking list for
5604 upstream: Mention using ssh -i for specifying the public key file
5615 upstream: Refer to KEX "algorithms" instead of "methods" to match
5626 upstream: Remove redundant attrib_clear in upload_dir_internal.
5637 upstream: Add test for client termination status on signal.
5648 upstream: sys/param.h is not needed for any visible reason
5665 upstream: Fix ssh-rsa fallback for old PuTTY interop tests.
5673 upstream: Add a function to skip remaining tests.
5684 upstream: Specify path to PuTTY keys.
5695 upstream: Better compat tests with old PuTTY.
5715 upstream: Specify hostkeyalgorithms in SSHFP test.
5726 upstream: adapt to RSA/SHA1 deprectation
5734 upstream: After years of forewarning, disable the RSA/SHA-1
5754 upstream: wrap at 80 columns
5790 upstream: openssh-8.7
5908 upstream: mention that CASignatureAlgorithms accepts +/- similarly to
5918 upstream: In the editline(3) branch of the sftp(1) event loop,
5936 upstream: scp: tweak man page and error message for -3 by default
5949 upstream: scp: do not spawn ssh with two -s flags for
5965 upstream: test -Oprint-pubkey
5973 upstream: when verifying sshsig signatures, support an option
5984 upstream: oops, missed one more %p
5992 upstream: remove a bunch of %p in format strings; leftovers of
6013 upstream: adapt to scp -M flag change; make scp3.sh test SFTP mode too
6021 upstream: Prepare for a future where scp(1) uses the SFTP protocol by
6035 upstream: make scp -3 the default for remote-to-remote copies. It
6052 upstream: make scp in SFTP mode try to use relative paths as much
6066 upstream: SFTP protocol extension to allow the server to expand
6080 upstream: when scp is in SFTP mode, try to deal better with ~
6094 upstream: on fatal errors, make scp wait for ssh connection before
6109 upstream: rever r1.223 - I accidentally committed unrelated changes
6117 upstream: show only the final path component in the progress meter;
6128 upstream: on fatal errors, make scp wait for ssh connection before
6140 upstream: xstrdup environment variable used by ForwardAgent. bz#3328
6150 upstream: Although it's POSIX, not all shells used in Portable support
6170 upstream: Move setting of USER further down the startup In portable
6181 upstream: Drop -q in ssh-log-wrapper.sh to preserve logs.
6195 upstream: Fix prototype mismatch for do_cmd. ok djm@
6203 upstream: sftp-client.c needs poll.h
6219 upstream: do_upload() used a near-identical structure for
6233 upstream: make scp(1) in SFTP mode follow symlinks like
6243 upstream: fix incorrect directory permissions on scp -3
6253 upstream: a bit more debugging of file attributes being
6263 upstream: make scp(1) in SFTP mode output better match original
6274 upstream: factor out a structure duplicated between downloading
6284 upstream: use sftp_client crossloading to implement scp -3
6294 upstream: support for "cross"-loading files/directories, i.e.
6306 upstream: factor our SSH2_FXP_OPEN calls into their own function;
6316 upstream: prepare for scp -3 implemented via sftp
6324 upstream: Make diff invocation more portable.
6335 upstream: regression test for scp -3
6343 upstream: Document "ProxyJump none". bz#3334.
6351 upstream: Allow for different (but POSIX compliant) behaviour of
6390 upstream: regression tests for scp SFTP protocol support; mostly by
6400 upstream: Treat doas with arguments as a valid SUDO variable.
6412 upstream: support for using the SFTP protocol for file transfers in
6429 upstream: fix a formatting error and add some Xr; from debian at
6444 upstream: fix a formatting error and mark up known_hosts
6456 upstream: no need to talk about version 2 with the -Q option, so
6469 upstream: word fix; reported by debian at helgefjell de
6477 upstream: standardise the grammar in the options list; issue
6525 upstream: Skip unit and makefile-based key conversion tests when
6535 upstream: Replace OPENSSL as the variable that points to the
6548 upstream: Skip RFC4716 format import and export tests when built
6558 upstream: Don't omit ssh-keygen -y from usage when built without
6568 upstream: Exclude key conversion options from usage when built
6580 Test OpenBSD upstream with and without OpenSSL.
6586 upstream: test for first-match-wins in authorized_keys environment=
6596 upstream: Simplify keygen-convert by using $SSH_KEYTYPES directly.
6604 upstream: don't leak environment= variable when it is not the first
6614 upstream: punctuation;
6622 upstream: mention in comment that read_passphrase(..., RP_ALLOW_STDIN)
6634 upstream: Test conversion of ed25519 and ecdsa keys too.
6642 upstream: Add test for exporting pubkey from a passphrase-protected
6652 upstream: regression test for time-limited signature keys
6660 upstream: note successful authentication method in final "Authenticated
6671 upstream: Add a ForkAfterAuthentication ssh_config(5) counterpart
6682 upstream: Add a StdinNull directive to ssh_config(5) that allows
6693 upstream: make authorized_keys environment="..." directives
6706 upstream: Let allowed signers files used by ssh-keygen(1)
6718 upstream: Use SUDO when setting up hostkey.
6726 upstream: Increase time margin for rekey tests. Should help
6742 upstream: Ensure that all returned SSHFP records for the specified host
6754 upstream: Id sync only, -portable already has this.
6765 upstream: Add test for host key verification via SSHFP records. This
6776 upstream: Add ed25519 key and test SSHFP export of it. Only test
6786 upstream: Group keygen tests together.
6794 upstream: Add test for ssh-keygen printing of SSHFP records.
6802 upstream: wrap some long lines
6810 upstream: fix sftp on ControlPersist connections, broken by recent
6820 upstream: Explicitly check for and start time-based rekeying in the
6836 upstream: reorder SessionType; ok djm
6856 upstream: add a SessionType directive to ssh_config, allowing the
6870 upstream: fix some broken tests; clean up output
6890 upstream: Make limit for time_t test unconditional in the
6902 upstream: Use existing format_absolute_time() function when
6912 upstream: silence redundant error message; reported by Fabian Stelzer
6940 upstream: Fix a couple of whitespace things. Portable already has
6950 upstream: Order includes as per style(9). Portable already has
6960 upstream: Remove comment referencing now-removed
6970 upstream: allow spaces to appear in usernames for local to remote,
6980 upstream: Remove obsolete comments about SSHv1 auth methods. ok
6999 Move signal.h up include order to match upstream.
7016 its removal was missed during an upstream sync.
7022 Remove some whitespace not in upstream.
7062 upstream: Remove references to ChallengeResponseAuthentication in
7102 upstream: fix decoding of X.509 subject name; from Leif Thuresson
7112 upstream: Use better language to refer to the user. From l1ving
7122 upstream: Replace SIGCHLD/notify_pipe kludge with pselect.
7191 upstream: Use $SUDO when reading sshd's pidfile here too.
7199 upstream: Use $SUDO when reading sshd's pidfile in case it was
7209 upstream: Set umask when creating hostkeys to prevent excessive
7219 upstream: Add regress test for SIGHUP restart
7230 upstream: Continue accept loop when pselect
7243 upstream: test that UserKnownHostsFile correctly accepts multiple
7253 upstream: fix regression in r1.356: for ssh_config options that
7264 upstream: test argv_split() optional termination on comments
7272 upstream: Add testcases from bz#3319 for IPQoS and TunnelDevice
7282 upstream: sprinkle some "# comment" at end of configuration lines
7292 upstream: more descriptive failure message
7300 upstream: test AuthenticationMethods inside a Match block as well
7310 upstream: prepare for stricter sshd_config parsing that will refuse
7321 upstream: switch sshd_config parsing to argv_split()
7338 upstream: Switch ssh_config parsing to use argv_split()
7374 upstream: Check if IPQoS or TunnelDevice are already set before
7385 upstream: Allow argv_split() to optionally terminate tokenisation
7401 Save logs on failure for upstream test
7407 Add obsdsnap-i386 upstream test target.
7413 upstream: fix debug message when finding a private key to match a
7425 upstream: Match host certificates against host public keys, not private
7436 upstream: Client-side workaround for a bug in OpenSSH 7.4: this release
7452 upstream: degrade gracefully if a sftp-server offers the
7463 upstream: the limits@openssh.com extension was incorrectly marked
7474 upstream: PROTOCOL.certkeys: update reference from IETF draft to
7528 upstream: The RB_GENERATE_STATIC(3) macro expands to a series of
7539 upstream: rework authorized_keys example section, removing irrelevant
7550 upstream: adjust SetEnv description to clarify $TERM handling
7558 upstream: Switch the listening select loop from select() to
7575 upstream: allow ssh_config SetEnv to override $TERM, which is otherwise
7587 upstream: correct extension name "no-presence-required" =>
7620 upstream: Merge back shell portability changes
7630 upstream: Use a default value for $OPENSSL,
7641 upstream: Find openssl binary via environment variable. This
7652 upstream: fix memleak in test
7660 upstream: also check contents of remaining string
7668 upstream: unit test for misc.c:strdelim() that mostly servces to
7684 upstream: Hash challenge supplied by client during FIDO key enrollment
7718 upstream: fix SEGV in UpdateHostkeys debug() message, triggered
7729 upstream: ssh: The client configuration keyword is
7754 upstream: restore blocking status on stdio fds before close
7784 upstream: fix breakage of -W forwaring introduced in 1.554; reported by
7794 upstream: Regenerate moduli.
7810 upstream: fix previous: test saved no_shell_flag, not the one that just
7820 upstream: Fix ssh started with ControlPersist incorrectly executing a
7831 upstream: Clarify language about moduli. While both ends of the
7843 upstream: include pid in LogVerbose spam
7851 upstream: don't sigdie() in signal handler in privsep child process;
7861 upstream: Increase ConnectionAttempts from 4 to 10 as the tests
7871 upstream: dump out a usable private key string too; inspired by Tyson
7881 upstream: correct mistake in spec - the private key blobs are encoded
7891 upstream: Don't pass NULL as a string in debugging as it does not work
7901 upstream: more debugging for UpdateHostKeys signature failures
7915 upstream: a little debugging in the main mux process for status
7925 upstream: Remove now-unused skey function prototypes leftover from
7955 Add test building upstream OpenBSD source.
8163 upstream: openssh-8.6
8171 upstream: do not pass file/func to monitor; noted by Ilja van Sprundel;
8259 exist upstream. Upgrade the only instance it's used to fail()
8276 upstream: Add TEST_SSH_ELAPSED_TIMES environment variable to print the
8305 upstream: include "ssherr.h" not <ssherr.h>; from Balu Gajjala via
8327 upstream: Don't check return value of unsetenv(). It's part of the
8339 upstream: remove stray inserts; from matthias schmidt
8347 upstream: missing comma; from kawashima james
8370 upstream: typos in comments; GHPR#180 from Vill
8383 upstream: sync CASignatureAlgorithms lists with reality. GHPR#174 from
8399 upstream: highly polished whitespace, mostly fixing spaces-for-tab
8409 upstream: whitespace (tab after space)
8423 upstream: fix incorrect plural; from Ville Skyt
8436 upstream: ensure that pkcs11_del_provider() is called before exit -
8449 upstream: unused variable
8457 upstream: Fix two problems in string->argv conversion: 1) multiple
8481 upstream: cannot effectively test posix-rename extension after
8491 upstream: add a test for misc.c:argv_split(), currently fails
8499 upstream: split
8507 upstream: Use new limits@openssh.com protocol extension to let the
8524 upstream: do not advertise protocol extensions that have been
8540 upstream: return non-zero exit status when killed by signal; bz#3281 ok
8550 upstream: increase maximum SSH2_FXP_READ to match the maximum
8562 upstream: don't let logging clobber errno before use
8598 upstream: spelling
8606 upstream: Add ModuliFile keyword to sshd_config to specify the
8618 upstream: pwcopy() struct passwd that we're going to reuse across a
8628 upstream: Import regenerated moduli file.
8636 upstream: no need to reset buffer after send_msg() as that is done
8646 upstream: Add TEST_SSH_MODULI_FILE variable to allow overriding of the
8681 upstream: Fix PRINT macro, the suffix param to sshlog() was missing.
8692 upstream: don't sshbuf_get_u32() into an enum; reported by goetze
8702 upstream: typo in other_hostkeys_message() display output, ok djm
8710 upstream: needs FILE*; from Mike Frysinger
8736 upstream: openssh-8.5
8750 upstream: Add %k to list of keywords. From
8763 upstream: Do not try to reset signal handler for signal 0 in
8773 upstream: fix alphabetic ordering of options; spotted by Iain Morgan
8824 upstream: remove this KEX fuzzer; it's awkward to use and doesn't play
8844 upstream: a bit more debugging behind #ifdef DEBUG_SK
8899 upstream: s/PubkeyAcceptedKeyTypes/PubkeyAcceptedAlgorithms/
8907 upstream: Rename pubkeyacceptedkeytypes to pubkeyacceptedalgorithms in
8917 upstream: Put obsolete aliases for hostbasedalgorithms and
8928 upstream: lots more s/key types/signature algorithms/ mostly in
8938 upstream: Correct reference to signature algorithms as keys; from
8965 upstream: warn when the user specifies a ForwardAgent path that does
9048 upstream: Fix the hostkeys rotation extension documentation
9061 upstream: make names in function prototypes match those in
9072 upstream: unbreak SK_DEBUG builds
9083 upstream: sftp-server: implement limits@openssh.com extension
9243 upstream: Make sure puttygen is new enough to successfully run the
9253 upstream: ssh: add PermitRemoteOpen for remote dynamic forwarding
9263 upstream: factor out opt_array_append; ok djm@
9271 upstream: ProxyJump takes "none" to disable processing like
9283 upstream: sftp: add missing lsetstat@openssh.com documentation
9293 upstream: factor SSH_AGENT_CONSTRAIN_EXTENSION parsing into its own
9322 upstream: Roll back the hostname->uname change in rev 1.10. It turns
9334 upstream: hostname is not specified by POSIX but uname -n is, so use
9358 upstream: Remove debug message from sigchld handler. While this
9369 upstream: whitespace
9377 upstream: fix memleaks in private key deserialisation; enforce more
9388 upstream: memleak on error path; ok markus@
9396 upstream: more strictly enforce KEX state-machine by banning packet
9410 upstream: Set linesize returned by getline to zero when freeing and
9459 upstream: add a SK_DUMMY_INTEGRATE define that allows the dummy
9470 upstream: fix the values of enum sock_type
9478 upstream: give typedef'd struct a struct name; makes the fuzzer I'm
9518 upstream: fix leak: was double allocating kex->session_id buffer
9532 upstream: this needs kex.h now
9540 upstream: make ssh->kex->session_id a sshbuf instead of u_char*/size_t
9551 upstream: remove global variable used to stash compat flags and use the
9575 upstream: Logical not bitwise or. ok djm@
9583 upstream: move HostbasedAcceptedAlgorithms to the right place in
9593 upstream: Remove unused variables leftover from refactoring. ok
9603 upstream: Rename HostbasedKeyTypes (ssh) and
9631 upstream: refactor key constraint parsing in ssh-agent
9647 upstream: more ssh-agent refactoring
9663 upstream: make struct hostkeys public; I have no idea why I made it
9675 upstream: move check_host_cert() from sshconnect,c to sshkey.c and
9687 upstream: use recallocarray to allocate the agent sockets table;
9702 upstream: factor out common code in the agent client
9716 upstream: make ssh hostbased authentication send the signature
9739 upstream: Fix long->int for convtime tests here too. Spotted by
9749 upstream: PubkeyAcceptedKeyTypes->PubkeyAcceptedAlgorithms
9759 upstream: Rename PubkeyAcceptedKeyTypes keyword to
9773 upstream: Change types in convtime() unit test to int to match change
9784 upstream: Make output buffer larger to prevent potential truncation
9795 upstream: Change types in convtime() unit test to int to match
9806 upstream: In waitfd(), when poll returns early we are subtracting
9818 upstream: Minor grammatical correction.
9846 upstream: Correct spelling of persourcenetblocksize in config-dump
9856 upstream: Adjust kexfuzz to addr.c/addrmatch.c split.
9864 upstream: Update unittests for addr.c/addrmatch.c split.
9872 upstream: Change convtime() from returning long to returning int.
9884 upstream: add a comma to previous;
9892 upstream: Add PerSourceMaxStartups and PerSourceNetBlockSize
9903 upstream: Move address handling functions out into their own file
9921 upstream: make CheckHostIP default to 'no'. It doesn't provide any
9946 upstream: If a signature operation on a FIDO key fails with a
9965 upstream: don't try to use timespeccmp(3) directly as a qsort(3)
9979 upstream: Update the sntrup761 creation script and generated code:
9995 upstream: mention that DisableForwarding is valid in a sshd_config
10005 upstream: estructure sntrup761.sh to process all files in a single
10016 upstream: Prevent redefinition of `crypto_int32' error with gcc3.
10044 upstream: Use int64_t for intermediate values in int32_MINMAX to
10063 upstream: Adapt to replacement of
10076 upstream: Update/replace the experimental post-quantim hybrid key
10100 upstream: tweak the description of KnownHostsCommand in ssh_conf.5,
10144 upstream: more detail for failing tests
10152 upstream: regress test for KnownHostsCommand
10160 upstream: Remove lines accidentally left behind in the ProxyJump
10172 upstream: add a ssh_config KnownHostsCommand that allows the client
10189 upstream: move subprocess() from auth.c to misc.c
10205 upstream: Remove explicit rijndael-cbc@lysator.liu.se test since the
10215 upstream: Remove the pre-standardization cipher
10230 upstream: properly fix ProxyJump parsing; Thanks to tb@ for
10243 upstream: adapt to API change in hostkeys_foreach()/load_hostkeys()
10251 upstream: few more things needs match.c and addrmatch.c now that
10267 upstream: plumb ssh_conn_info through to sshconnect.c; feedback/ok
10277 upstream: allow UserKnownHostsFile=none; feedback and ok markus@
10285 upstream: load_hostkeys()/hostkeys_foreach() variants for FILE*
10306 upstream: Print client kem key with correct length.
10316 upstream: fix possible error("%s", NULL) on error paths
10324 upstream: refactor client percent_expand() argument passing;
10335 upstream: prepare readconf.c for fuzzing; remove fatal calls and
10345 upstream: use _PATH_SSH_USER_DIR instead of hardcoded .ssh in path
10365 upstream: shuffle a few utility functions into sftp-client.c; from
10375 upstream: make ssh_free(NULL) a no-op
10383 upstream: memleak of DH public bignum; found with libfuzzer
10391 upstream: fix minor memleak of kex->hostkey_alg on rekex
10399 upstream: typos: s/hex/kex/ in error messages
10407 upstream: make program name be const
10415 upstream: Ignore comments at the end of config lines in ssh_config,
10425 upstream: Include cipher.h for declaration of cipher_by_name.
10433 upstream: check result of strchr() against NULL rather than
10443 upstream: Document ssh-keygen -Z, sanity check its argument earlier and
10454 upstream: Set the specified TOS/DSCP for interactive use prior to
10469 upstream: clean up passing of struct passwd from monitor to preauth
10482 upstream: when loading PKCS#11 keys, include the key fingerprints
10492 upstream: when mentioning that the host key has changed, don't
10521 upstream: When doing an sftp recursive upload or download of a
10543 upstream: Explicitly initialize all members of the
10556 upstream: draft-ietf-secsh-architecture is now RFC4251.
10564 upstream: Specify that the KDF function is bcrypt. Based on github
10574 upstream: revert r1.341; it breaks ProxyJump; reported by sthen@
10582 upstream: scrub keyboard-interactive authentication prompts coming
10593 upstream: prefix keyboard interactive prompts with (user@host) to
10641 upstream: when prompting the user to accept a new hostkey, display
10663 upstream: Prevent integer overflow when ridiculously large
10674 upstream: fix logic error that broke URI parsing in ProxyJump
10684 upstream: Free the previously allocated msg buffer after writing it
10710 upstream: unbreak; missing NULL check
10718 upstream: when requesting a security key touch on stderr, inform the
10738 upstream: Add a comment documenting the source of the moduli group
10748 upstream: Replace WITH_OPENSSL ifdefs in log calls with a macro.
10802 upstream: fold consecutive '*' wildcards to mitigate combinatorial
10812 upstream: print reason in fatal error message when
10822 upstream: fix sshd_config SetEnv directive inside Match blocks; part of
10832 upstream: fix type of nid in type_bits_valid(); github PR#202 from
10842 upstream: whitespace; no code change
10850 upstream: UpdateHostkeys: fixed/better detection of host keys that
10863 Follow upstream (6d755706a0059eb9e2d63517f288b75cbc3b4701) language
10881 upstream: Minor man page fixes (capitalization, commas) identified by
10891 upstream: Adapt XMSS to new logging infrastructure. With markus@, ok
10901 upstream: fix SEGV on fatal() errors spotted by dtucker@
10917 upstream: use the new variant log macros instead of prepending
10927 upstream: variants of the log methods that append a ssherr.h string
10937 upstream: remove a level of macro indirection; ok markus@
10945 upstream: add some variant log.h calls that prepend the calling
10967 upstream: make the log functions that exit (sshlogdie(),
10978 upstream: add space between macro arg and punctuation;
11012 upstream: LogVerbose keyword for ssh and sshd
11025 upstream: revised log infrastructure for OpenSSH
11038 upstream: use do_log2 instead of function pointers to different log
11048 upstream: make UpdateHostkeys still more conservative: refuse to
11063 upstream: Zap unused family parameter from ssh_connect_direct()
11130 upstream: UpdateHostkeys: check for keys under other names
11149 upstream: UpdateHostkeys: better CheckHostIP handling
11167 upstream: UpdateHostkeys: better detect manual host entries
11181 upstream: don't misdetect comma-separated hostkey names as wildcards;
11197 upstream: clarify conditions for UpdateHostkeys
11205 upstream: remove GlobalKnownHostsFile for this test after
11215 upstream: Disable UpdateHostkeys when hostkey checking fails
11229 upstream: Fix UpdateHostkeys/HashKnownHosts/CheckHostIP bug
11243 upstream: don't UpdateHostkeys when the hostkey is verified by the
11255 upstream: revert kex->flags cert hostkey downgrade back to a plain
11268 upstream: simply disable UpdateHostkeys when a certificate
11281 upstream: disable UpdateHostkeys by default if VerifyHostKeyDNS is
11291 upstream: Agent protocol draft is now at rev 4. ok djm@
11299 upstream: when ordering host key algorithms in the client, consider
11309 upstream: Allow full range of UIDs and GIDs for sftp chown and