#
1.44 |
|
06-Apr-2023 |
djm |
match_user() shouldn't be called with user==NULL unless host and ipaddr are also NULL
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE OPENBSD_7_1_BASE OPENBSD_7_2_BASE OPENBSD_7_3_BASE
|
#
1.43 |
|
03-Nov-2020 |
djm |
fold consecutive '*' wildcards to mitigate combinatorial explosion of recursive searches; ok dtucker
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.42 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.41 |
|
13-Nov-2019 |
deraadt |
stdarg.h required more broadly; ok djm
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.40 |
|
04-Oct-2019 |
djm |
space
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.39 |
|
06-Mar-2019 |
dtucker |
Move checks for lists of users or groups into their own function. This is a no-op on OpenBSD but will make things easier in -portable, eg on systems where these checks should be case-insensitive. ok djm@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.38 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.37 |
|
10-Mar-2017 |
djm |
make hostname matching really insensitive to case; bz#2685, reported by Petr Cerny; ok dtucker@
|
#
1.36 |
|
10-Mar-2017 |
djm |
reword a comment to make it fit 80 columns
|
#
1.35 |
|
15-Feb-2017 |
jsg |
Fix memory leaks in match_filter_list() error paths.
ok dtucker@ markus@
|
#
1.34 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.33 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUsers/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.32 |
|
21-Sep-2016 |
djm |
Revert two recent changes to negated address matching. The new behaviour offers unintuitive surprises. We'll find a better way to deal with single negated matches.
match.c 1.31:
> fix matching for pattern lists that contain a single negated match,
> e.g. "Host !example"
>
> report and patch from Robin Becker. bz#1918 ok dtucker@

addrmatch.c 1.11:
> fix negated address matching where the address list consists of a
> single negated match, e.g. "Match addr !192.20.0.1"
>
> Report and patch from Jakub Jelen. bz#2397 ok dtucker@
|
#
1.31 |
|
23-Aug-2016 |
djm |
fix matching for pattern lists that contain a single negated match, e.g. "Host !example"
report and patch from Robin Becker. bz#1918 ok dtucker@
|
Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.30 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.29 |
|
20-Nov-2013 |
deraadt |
unsigned casts for ctype macros where necessary ok guenther millert markus
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.28 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE
|
#
1.27 |
|
10-Jun-2008 |
djm |
support CIDR address matching in .ssh/authorized_keys from="..." stanzas
ok and extensive testing dtucker@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
|
#
1.26 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.25 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.24 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.23 |
|
20-Mar-2006 |
deraadt |
be strict with tolower() casting
|
#
1.22 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.21 |
|
22-Feb-2006 |
stevesk |
branches: 1.21.2; move #include <ctype.h> out of includes.h; ok djm@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.20 |
|
17-Jun-2005 |
djm |
branches: 1.20.2; make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_1_BASE OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.19 |
|
01-Mar-2002 |
markus |
branches: 1.19.12; 1.19.14; undo the 'delay hostname lookup' change match.c must not use compress.c (via canonhost.c/packet.c) thanks to wilfried@
|
#
1.18 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.17 |
|
11-Feb-2002 |
markus |
support up to 40 algorithms per proposal
|
#
1.16 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.15 |
|
05-Dec-2001 |
markus |
make theo and djm happy: bye bye regexp
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.14 |
|
27-Jun-2001 |
markus |
branches: 1.14.2; tridge@samba.org
|
#
1.13 |
|
24-Jun-2001 |
markus |
move ip+hostname check to match.c
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.12 |
|
10-Mar-2001 |
markus |
branches: 1.12.2; add PreferredAuthentications
|
#
1.11 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.10 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
branches: 1.9.2; cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
06-Jun-2000 |
markus |
fix match_hostname() logic for auth-rsa: deny access if we have a negative match or no match at all
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
14-Apr-2000 |
markus |
branches: 1.6.2; whitespace cleanup
|
#
1.5 |
|
23-Mar-2000 |
markus |
initial support for DSA keys. ok deraadt@, niels@
|
#
1.4 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.3 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.2 |
|
23-Nov-1999 |
markus |
KNF part 1
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.43 |
|
03-Nov-2020 |
djm |
fold consecutive '*' wildcards to mitigate combinatorial explosion of recursive searches; ok dtucker
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.42 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.41 |
|
13-Nov-2019 |
deraadt |
stdarg.h required more broadly; ok djm
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.40 |
|
04-Oct-2019 |
djm |
space
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.39 |
|
06-Mar-2019 |
dtucker |
Move checks for lists of users or groups into their own function. This is a no-op on OpenBSD but will make things easier in -portable, eg on systems where these checks should be case-insensitive. ok djm@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.38 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.37 |
|
10-Mar-2017 |
djm |
make hostname matching really insensitive to case; bz#2685, reported by Petr Cerny; ok dtucker@
|
#
1.36 |
|
10-Mar-2017 |
djm |
reword a comment to make it fit 80 columns
|
#
1.35 |
|
15-Feb-2017 |
jsg |
Fix memory leaks in match_filter_list() error paths.
ok dtucker@ markus@
|
#
1.34 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.33 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.32 |
|
21-Sep-2016 |
djm |
Revert two recent changes to negated address matching. The new behaviour offers unintuitive surprises. We'll find a better way to deal with single negated matches.
match.c 1.31: > fix matching for pattern lists that contain a single negated match, > e.g. "Host !example" > > report and patch from Robin Becker. bz#1918 ok dtucker@
addrmatch.c 1.11: > fix negated address matching where the address list consists of a > single negated match, e.g. "Match addr !192.20.0.1" > > Report and patch from Jakub Jelen. bz#2397 ok dtucker@
|
#
1.31 |
|
23-Aug-2016 |
djm |
fix matching for pattern lists that contain a single negated match, e.g. "Host !example"
report and patch from Robin Becker. bz#1918 ok dtucker@
|
Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.30 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.29 |
|
20-Nov-2013 |
deraadt |
unsigned casts for ctype macros where neccessary ok guenther millert markus
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.28 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE
|
#
1.27 |
|
10-Jun-2008 |
djm |
support CIDR address matching in .ssh/authorized_keys from="..." stanzas
ok and extensive testing dtucker@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
|
#
1.26 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.25 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.24 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.23 |
|
20-Mar-2006 |
deraadt |
be strict with tolower() casting
|
#
1.22 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.21 |
|
22-Feb-2006 |
stevesk |
branches: 1.21.2; move #include <ctype.h> out of includes.h; ok djm@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.20 |
|
17-Jun-2005 |
djm |
branches: 1.20.2; make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_1_BASE OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.19 |
|
01-Mar-2002 |
markus |
branches: 1.19.12; 1.19.14; undo the 'delay hostname lookup' change match.c must not use compress.c (via canonhost.c/packet.c) thanks to wilfried@
|
#
1.18 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.17 |
|
11-Feb-2002 |
markus |
support up to 40 algorithms per proposal
|
#
1.16 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.15 |
|
05-Dec-2001 |
markus |
make theo and djm happy: bye bye regexp
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.14 |
|
27-Jun-2001 |
markus |
branches: 1.14.2; tridge@samba.org
|
#
1.13 |
|
24-Jun-2001 |
markus |
move ip+hostname check to match.c
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.12 |
|
10-Mar-2001 |
markus |
branches: 1.12.2; add PreferredAuthentications
|
#
1.11 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.10 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
branches: 1.9.2; cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
06-Jun-2000 |
markus |
fix match_hostname() logic for auth-rsa: deny access if we have a negative match or no match at all
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
14-Apr-2000 |
markus |
branches: 1.6.2; whitespace cleanup
|
#
1.5 |
|
23-Mar-2000 |
markus |
initial support for DSA keys. ok deraadt@, niels@
|
#
1.4 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.3 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.2 |
|
23-Nov-1999 |
markus |
KNF part 1
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.42 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.41 |
|
13-Nov-2019 |
deraadt |
stdarg.h required more broadly; ok djm
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.40 |
|
04-Oct-2019 |
djm |
space
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.39 |
|
06-Mar-2019 |
dtucker |
Move checks for lists of users or groups into their own function. This is a no-op on OpenBSD but will make things easier in -portable, eg on systems where these checks should be case-insensitive. ok djm@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.38 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.37 |
|
10-Mar-2017 |
djm |
make hostname matching really insensitive to case; bz#2685, reported by Petr Cerny; ok dtucker@
|
#
1.36 |
|
10-Mar-2017 |
djm |
reword a comment to make it fit 80 columns
|
#
1.35 |
|
15-Feb-2017 |
jsg |
Fix memory leaks in match_filter_list() error paths.
ok dtucker@ markus@
|
#
1.34 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.33 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.32 |
|
21-Sep-2016 |
djm |
Revert two recent changes to negated address matching. The new behaviour offers unintuitive surprises. We'll find a better way to deal with single negated matches.
match.c 1.31: > fix matching for pattern lists that contain a single negated match, > e.g. "Host !example" > > report and patch from Robin Becker. bz#1918 ok dtucker@
addrmatch.c 1.11: > fix negated address matching where the address list consists of a > single negated match, e.g. "Match addr !192.20.0.1" > > Report and patch from Jakub Jelen. bz#2397 ok dtucker@
|
#
1.31 |
|
23-Aug-2016 |
djm |
fix matching for pattern lists that contain a single negated match, e.g. "Host !example"
report and patch from Robin Becker. bz#1918 ok dtucker@
|
Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.30 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.29 |
|
20-Nov-2013 |
deraadt |
unsigned casts for ctype macros where neccessary ok guenther millert markus
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.28 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE
|
#
1.27 |
|
10-Jun-2008 |
djm |
support CIDR address matching in .ssh/authorized_keys from="..." stanzas
ok and extensive testing dtucker@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
|
#
1.26 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.25 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.24 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.23 |
|
20-Mar-2006 |
deraadt |
be strict with tolower() casting
|
#
1.22 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.21 |
|
22-Feb-2006 |
stevesk |
branches: 1.21.2; move #include <ctype.h> out of includes.h; ok djm@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.20 |
|
17-Jun-2005 |
djm |
branches: 1.20.2; make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_1_BASE OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.19 |
|
01-Mar-2002 |
markus |
branches: 1.19.12; 1.19.14; undo the 'delay hostname lookup' change match.c must not use compress.c (via canonhost.c/packet.c) thanks to wilfried@
|
#
1.18 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.17 |
|
11-Feb-2002 |
markus |
support up to 40 algorithms per proposal
|
#
1.16 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.15 |
|
05-Dec-2001 |
markus |
make theo and djm happy: bye bye regexp
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.14 |
|
27-Jun-2001 |
markus |
branches: 1.14.2; tridge@samba.org
|
#
1.13 |
|
24-Jun-2001 |
markus |
move ip+hostname check to match.c
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.12 |
|
10-Mar-2001 |
markus |
branches: 1.12.2; add PreferredAuthentications
|
#
1.11 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.10 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
branches: 1.9.2; cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
06-Jun-2000 |
markus |
fix match_hostname() logic for auth-rsa: deny access if we have a negative match or no match at all
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
14-Apr-2000 |
markus |
branches: 1.6.2; whitespace cleanup
|
#
1.5 |
|
23-Mar-2000 |
markus |
initial support for DSA keys. ok deraadt@, niels@
|
#
1.4 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.3 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.2 |
|
23-Nov-1999 |
markus |
KNF part 1
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.41 |
|
13-Nov-2019 |
deraadt |
stdarg.h required more broadly; ok djm
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.40 |
|
04-Oct-2019 |
djm |
space
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.39 |
|
06-Mar-2019 |
dtucker |
Move checks for lists of users or groups into their own function. This is a no-op on OpenBSD but will make things easier in -portable, eg on systems where these checks should be case-insensitive. ok djm@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.38 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.37 |
|
10-Mar-2017 |
djm |
make hostname matching really insensitive to case; bz#2685, reported by Petr Cerny; ok dtucker@
|
#
1.36 |
|
10-Mar-2017 |
djm |
reword a comment to make it fit 80 columns
|
#
1.35 |
|
15-Feb-2017 |
jsg |
Fix memory leaks in match_filter_list() error paths.
ok dtucker@ markus@
|
#
1.34 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.33 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.32 |
|
21-Sep-2016 |
djm |
Revert two recent changes to negated address matching. The new behaviour offers unintuitive surprises. We'll find a better way to deal with single negated matches.
match.c 1.31: > fix matching for pattern lists that contain a single negated match, > e.g. "Host !example" > > report and patch from Robin Becker. bz#1918 ok dtucker@
addrmatch.c 1.11: > fix negated address matching where the address list consists of a > single negated match, e.g. "Match addr !192.20.0.1" > > Report and patch from Jakub Jelen. bz#2397 ok dtucker@
|
#
1.31 |
|
23-Aug-2016 |
djm |
fix matching for pattern lists that contain a single negated match, e.g. "Host !example"
report and patch from Robin Becker. bz#1918 ok dtucker@
|
Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.30 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.29 |
|
20-Nov-2013 |
deraadt |
unsigned casts for ctype macros where neccessary ok guenther millert markus
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.28 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE
|
#
1.27 |
|
10-Jun-2008 |
djm |
support CIDR address matching in .ssh/authorized_keys from="..." stanzas
ok and extensive testing dtucker@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
|
#
1.26 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.25 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.24 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.23 |
|
20-Mar-2006 |
deraadt |
be strict with tolower() casting
|
#
1.22 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.21 |
|
22-Feb-2006 |
stevesk |
branches: 1.21.2; move #include <ctype.h> out of includes.h; ok djm@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.20 |
|
17-Jun-2005 |
djm |
branches: 1.20.2; make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_1_BASE OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.19 |
|
01-Mar-2002 |
markus |
branches: 1.19.12; 1.19.14; undo the 'delay hostname lookup' change match.c must not use compress.c (via canonhost.c/packet.c) thanks to wilfried@
|
#
1.18 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.17 |
|
11-Feb-2002 |
markus |
support up to 40 algorithms per proposal
|
#
1.16 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.15 |
|
05-Dec-2001 |
markus |
make theo and djm happy: bye bye regexp
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.14 |
|
27-Jun-2001 |
markus |
branches: 1.14.2; tridge@samba.org
|
#
1.13 |
|
24-Jun-2001 |
markus |
move ip+hostname check to match.c
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.12 |
|
10-Mar-2001 |
markus |
branches: 1.12.2; add PreferredAuthentications
|
#
1.11 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.10 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
branches: 1.9.2; cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
06-Jun-2000 |
markus |
fix match_hostname() logic for auth-rsa: deny access if we have a negative match or no match at all
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
14-Apr-2000 |
markus |
branches: 1.6.2; whitespace cleanup
|
#
1.5 |
|
23-Mar-2000 |
markus |
initial support for DSA keys. ok deraadt@, niels@
|
#
1.4 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.3 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.2 |
|
23-Nov-1999 |
markus |
KNF part 1
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|
#
1.40 |
|
04-Oct-2019 |
djm |
space
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.39 |
|
06-Mar-2019 |
dtucker |
Move checks for lists of users or groups into their own function. This is a no-op on OpenBSD but will make things easier in -portable, eg on systems where these checks should be case-insensitive. ok djm@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.38 |
|
04-Jul-2018 |
djm |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.37 |
|
10-Mar-2017 |
djm |
make hostname matching really insensitive to case; bz#2685, reported by Petr Cerny; ok dtucker@
|
#
1.36 |
|
10-Mar-2017 |
djm |
reword a comment to make it fit 80 columns
|
#
1.35 |
|
15-Feb-2017 |
jsg |
Fix memory leaks in match_filter_list() error paths.
ok dtucker@ markus@
|
#
1.34 |
|
03-Feb-2017 |
djm |
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@
|
#
1.33 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.32 |
|
21-Sep-2016 |
djm |
Revert two recent changes to negated address matching. The new behaviour offers unintuitive surprises. We'll find a better way to deal with single negated matches.
match.c 1.31: > fix matching for pattern lists that contain a single negated match, > e.g. "Host !example" > > report and patch from Robin Becker. bz#1918 ok dtucker@
addrmatch.c 1.11: > fix negated address matching where the address list consists of a > single negated match, e.g. "Match addr !192.20.0.1" > > Report and patch from Jakub Jelen. bz#2397 ok dtucker@
|
#
1.31 |
|
23-Aug-2016 |
djm |
fix matching for pattern lists that contain a single negated match, e.g. "Host !example"
report and patch from Robin Becker. bz#1918 ok dtucker@
|
Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.30 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.29 |
|
20-Nov-2013 |
deraadt |
unsigned casts for ctype macros where necessary ok guenther millert markus
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.28 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE
|
#
1.27 |
|
10-Jun-2008 |
djm |
support CIDR address matching in .ssh/authorized_keys from="..." stanzas
ok and extensive testing dtucker@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
|
#
1.26 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.25 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.24 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.23 |
|
20-Mar-2006 |
deraadt |
be strict with tolower() casting
|
#
1.22 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.21 |
|
22-Feb-2006 |
stevesk |
branches: 1.21.2; move #include <ctype.h> out of includes.h; ok djm@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.20 |
|
17-Jun-2005 |
djm |
branches: 1.20.2; make this -Wsign-compare clean; ok avsm@ markus@
|
Revision tags: OPENBSD_3_1_BASE OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.19 |
|
01-Mar-2002 |
markus |
branches: 1.19.12; 1.19.14; undo the 'delay hostname lookup' change match.c must not use compress.c (via canonhost.c/packet.c) thanks to wilfried@
|
#
1.18 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.17 |
|
11-Feb-2002 |
markus |
support up to 40 algorithms per proposal
|
#
1.16 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.15 |
|
05-Dec-2001 |
markus |
make theo and djm happy: bye bye regexp
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.14 |
|
27-Jun-2001 |
markus |
branches: 1.14.2; tridge@samba.org
|
#
1.13 |
|
24-Jun-2001 |
markus |
move ip+hostname check to match.c
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.12 |
|
10-Mar-2001 |
markus |
branches: 1.12.2; add PreferredAuthentications
|
#
1.11 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.10 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
branches: 1.9.2; cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
20-Jun-2000 |
markus |
OpenBSD tag
|
#
1.7 |
|
06-Jun-2000 |
markus |
fix match_hostname() logic for auth-rsa: deny access if we have a negative match or no match at all
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
14-Apr-2000 |
markus |
branches: 1.6.2; whitespace cleanup
|
#
1.5 |
|
23-Mar-2000 |
markus |
initial support for DSA keys. ok deraadt@, niels@
|
#
1.4 |
|
24-Nov-1999 |
markus |
KNF, final part 3
|
#
1.3 |
|
24-Nov-1999 |
deraadt |
much more KNF
|
#
1.2 |
|
23-Nov-1999 |
markus |
KNF part 1
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.1 |
|
26-Sep-1999 |
deraadt |
i bet a lot of people didn't know what ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|