@rapier1 rapier1 (Owner) commented Oct 6, 2025

This is a huge diff. I would ignore anything in openbsd-compat to start with. There are also changes in .github for the CI system. I haven't modified those as of yet but I don't think it's a huge issue. git log --remerge-diff is probably going to be helpful to identify changes I made versus changes that upstream made. I'd really just focus on the .c and .h files at this time.

daztucker and others added 30 commits June 16, 2025 20:06
OpenBSD-Commit-ID: 747219d54565030ff7c45298b9f5e971801f6cb2
OpenBSD-Commit-ID: 963dba2c804e2fd8efea2256092899874d0dbc7b
OpenBSD-Commit-ID: 6e96814bcf70d0edbb0749ec61cc4fd8707f286d
key fingerprint and algorithm (not just algorithm number) as well as making
it explicit which keys didn't load.

OpenBSD-Commit-ID: ee3e77a0271ab502e653922c6d161b1e091f8fee
parsing pass (unless hostname canonicalisation or a separate "Match final"
does). bz3843

ok dtucker@

OpenBSD-Commit-ID: ce82b6034828888f0f3f1c812e08f5e87400d802
OpenBSD-Regress-ID: 6e30094e3bf0a1c65efb75c67a87093304a3e619
so does not run by default.

OpenBSD-Regress-ID: d5ded47a266b031fc91f99882f07161ab6d1bb70
OpenBSD-Regress-ID: 7abe1f6607d0cd49839918aade8f135d2462d389
Now that we want to actually use the random password for tests, we need
to correctly encrypt it, instead of just setting it to a random string
that's not the "locked" value.
Dropbear added the '-D' flag in version 2025.87.  We need that for the
dropbear-server test, so skip on older versions.

OpenBSD-Regress-ID: 9db0b84edd54d3c00ab17db1dc6d62af4644c550
some platforms (musl, probably others).

OpenBSD-Regress-ID: 35cdeed12ae701afcb812f800c04d817325cd22a
This allows skipping/overriding the OSSH_CHECK_CFLAG_COMPILE and
OSSH_CHECK_CFLAG_LINK macros used to discover supported compiler
or linker flags. E.g.

  $ ./configure ossh_cv_cflag__fzero_call_used_regs_used=no
  [...]
  checking if cc supports compile flag -ftrapv and linking succeeds... yes
  checking if cc supports compile flag -fzero-call-used-regs=used and linking succeeds... (cached) no
  checking if cc supports compile flag -ftrivial-auto-var-init=zero... yes

Patch from Colin Watson, ok dtucker@
cancellation

channel_cancel_lport_listener() returns 1 on success and 0 on failure.
The previous code incorrectly checked for `== -1`, a value the function
never returns, so failure was not detected and the "port not found"
error message was never shown when cancelling dynamic or local port
forwards.

From: Boris Tonofa <[email protected]>

OpenBSD-Commit-ID: 3e9d2252a4d0bd318d4f25e2b518afb44acea170
maximum message size of 256KB. Some people apparently have configurations
larger than this and would hit this limit.

Worse, there was no good logging that could help diagnose what was
going wrong.

So this bumps the maximum message size to 4MB and implements an early
check (usable via the sshd -t test mode) that will report it to the
user where it is hopefully more visible.

bz3808, reported by Dmitry Belyavskiy, ok dtucker@

OpenBSD-Commit-ID: 69c303fb68cbd1a4735936835d67a71e7b57f63b
mostly by Dmitry Belyavskiy

OpenBSD-Regress-ID: fcedb249e4cf2447e078a839877f99730ee79024
Patch from dbelyavs at redhat.com via bz#3846.
situations. At worst, this can cause all MaxStartups slots to fill and sshd
to refuse new connections.

Diagnosis by xnor; ok dtucker@

OpenBSD-Commit-ID: 10273033055552557196730f898ed6308b36a78d
OpenBSD-Regress-ID: 7ff58e6f0eb21eb9064dd0cfa78c3b6f34b5f713
Apparently getgrouplist() can fail on OSX when passed a non-existent
group name. Other platforms seem to return a group list consisting of
the numeric gid passed to the function.

This makes ga_init() handle this failure case gracefully, where it will
return success but with an empty group list array.

bz3848; ok dtucker@
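The failure mode described in the commit above, as an added example that is not OpenSSH's own code and does not reproduce its ga_init(): the names group_list_init, group_list_free, group_list_contains and group_list_selfcheck are hypothetical. The point it shows is that getgrouplist() overloads its -1 return value, meaning either "buffer too small" (with the required size written back) or a genuine lookup failure (as on OSX for an unknown group/user), so a wrapper has to tell the two apart before deciding that an empty group list is the right answer.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Hypothetical names (not OpenSSH's ga_init()): a group-list lookup that
 * treats a getgrouplist() failure as "no supplementary groups" rather
 * than as a fatal error. */
struct group_list {
    gid_t *gids;
    int ngids;
};

#define GL_MAX_RETRIES 4

/* Returns 0 on success (including the empty-list case) and -1 only when
 * memory allocation fails. On glibc/musl an unknown user typically yields
 * a one-element list holding base_gid; on macOS the call may fail
 * outright, which this wrapper maps to ngids == 0. */
int group_list_init(const char *user, gid_t base_gid, struct group_list *gl)
{
    int capacity = 64;

    gl->gids = NULL;
    gl->ngids = 0;

    for (int attempt = 0; attempt < GL_MAX_RETRIES; attempt++) {
        gid_t *buf = calloc((size_t)capacity, sizeof(*buf));
        if (buf == NULL)
            return -1;

        int count = capacity;
        int r = getgrouplist(user, base_gid, buf, &count);

        if (r >= 0) {
            gl->gids = buf;
            gl->ngids = count;   /* entries actually filled in */
            return 0;
        }

        free(buf);
        if (count > capacity) {
            /* -1 plus a larger count: the buffer was too small, retry. */
            capacity = count;
            continue;
        }
        /* -1 without a size hint: genuine lookup failure, empty list. */
        return 0;
    }
    /* Still too small after several retries: give up with an empty list. */
    return 0;
}

void group_list_free(struct group_list *gl)
{
    free(gl->gids);
    gl->gids = NULL;
    gl->ngids = 0;
}

int group_list_contains(const struct group_list *gl, gid_t gid)
{
    for (int i = 0; i < gl->ngids; i++)
        if (gl->gids[i] == gid)
            return 1;
    return 0;
}

/* Self-check: a constructed, almost certainly non-existent user name must
 * never make the lookup fail hard, and any non-empty result must include
 * the base gid passed in. Returns 1 when both properties hold. */
int group_list_selfcheck(void)
{
    struct group_list gl;
    const gid_t base = 54321;   /* constructed value, not a real gid */

    if (group_list_init("no-such-user-example-zz", base, &gl) != 0)
        return 0;
    int ok = (gl.ngids == 0) || group_list_contains(&gl, base);
    group_list_free(&gl);
    return ok;
}

int main(void)
{
    struct group_list gl;
    if (group_list_init("root", 0, &gl) != 0) {
        perror("calloc");
        return 1;
    }
    printf("root: %d group(s)\n", gl.ngids);
    for (int i = 0; i < gl.ngids; i++)
        printf("  gid %lu\n", (unsigned long)gl.gids[i]);
    group_list_free(&gl);
    return group_list_selfcheck() ? 0 : 1;
}
```

Callers that iterate over gl.gids with ngids == 0 simply match no groups, which is the "return success but with an empty group list" behaviour the commit describes; the retry cap keeps a misbehaving resolver from looping forever.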
GTK 3 has been in maintenance mode for a while now, and it is on the road
to being abandoned. As a result, the dialogue looks out of place on modern
systems.

We could port it to GTK 4 but without the program being registered as an
application (i.e. having a .desktop file), GNOME Shell would ask for
permission to grab input every time.

Let’s instead use the GNOME Shell’s native prompt through the unstable
Gcr API.
DPADD. ok tb@ deraadt@

OpenBSD-Commit-ID: a05e13a7e2c0b65bb4b47184fef731243431c6ff
encountered while processing an active section in a configuration file,
terminates ssh(1) with an error message that contains the argument to the
option.

This may be useful for expressing reminders or warnings in config
files, for example:

Match host foo
       RefuseConnection "foo is deprecated, use splork instead"

ok djg

OpenBSD-Commit-ID: 5b0072fcd08ad3932ab21e27bbaa66b008d44237
It can be set in github if needed.
djmdjm and others added 20 commits October 7, 2025 19:20
has a tty attached as this causes side effects, e.g. in channel_handle_rfd().
bz3872

ok markus@

OpenBSD-Commit-ID: 4cd8a9f641498ca6089442e59bad0fd3dcbe85f8
This fixes the build on macOS prior to 10.12 Sierra, since it does not
have it.  Found and tested by Sevan Janiyan.
Some github runners (notably macos-14) seem to have host keys where
public and private do not match, so generate our own keys for testing
purposes.
When using sshd's -i option with stdio that is not an AF_INET/AF_INET6
socket, auth_get_canonical_hostname() returns "UNKNOWN" which is then
set as the value of PAM_RHOST, causing pam to try to do a reverse DNS
query of "UNKNOWN", which times out multiple times, causing a
substantial slowdown when logging in.

To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN".
From FreeBSD via bz#3874: "This was previously included due to nested
includes in Heimdal's headers.  Without this, the build fails with an
error due to redefining AT_FDCWD."
Based on Github PR#597 from Mike Frysinger, any bugs added by me.
Fixes from Mike Frysinger via Github PR#597.
Should unbreak --disable-pkcs11 builds
1. Use the ssh-keygen under test and not the one in $PATH
2. Include a test PKCS#11 operation to ensure that the P11 stack is
   working correctly.

Previously, it was possible for p11_setup to return success on
configurations with PKCS#11 support disabled.
Matches what OpenBSD does and fixes ssh-keygen regression in
certifying keys using a CA key hosted via ssh-agent (bz3877)
multiple keys loaded. ok markus deraadt dtucker

OpenBSD-Commit-ID: baa9763ec69d162108dafd962792ec5610ff45c9
The only change since 10.1 is the channels.c fix

OpenBSD-Commit-ID: 5eebeb0db14c694efd4ee96b5f16112e3e5d5ba9
No conflicts in the code. Only conflict is in the Changelog.
I'll force this commit and then rebuild the Changelog with
our log data.