match_user() shouldn't be called with user==NULL unless
host and ipaddr are also NULL

fold consecutive '*' wildcards to mitigate combinatorial explosion
of recursive searches; ok dtucker

some language improvements; ok markus

stdarg.h required more broadly; ok djm

space

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@

make hostname matching really insensitive to case; bz#2685,
reported by Petr Cerny; ok dtucker@

reword a comment to make it fit 80 columns

Fix memory leaks in match_filter_list() error paths.

ok dtucker@ markus@

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)

Revert two recent changes to negated address matching. The new
behaviour offers unintuitive surprises. We'll find a better way
to deal with single negated matches.

match.c 1.31:
> fix matching for pattern lists that contain a single negated match,
> e.g. "Host !example"
>
> report and patch from Robin Becker. bz#1918 ok dtucker@

addrmatch.c 1.11:
> fix negated address matching where the address list consists of a
> single negated match, e.g. "Match addr !192.20.0.1"
>
> Report and patch from Jakub Jelen. bz#2397 ok dtucker@

fix matching for pattern lists that contain a single negated match,
e.g. "Host !example"

report and patch from Robin Becker. bz#1918 ok dtucker@

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@

unsigned casts for ctype macros where neccessary
ok guenther millert markus

bye, bye xfree(); ok markus@

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <string.h> out of includes.h

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

be strict with tolower() casting

RCSID() can die

branches: 1.21.2;
move #include <ctype.h> out of includes.h; ok djm@

branches: 1.20.2;
make this -Wsign-compare clean; ok avsm@ markus@

branches: 1.19.12; 1.19.14;
undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@

support up to 40 algorithms per proposal

basic KNF done while i was looking for something else

make theo and djm happy: bye bye regexp

branches: 1.14.2;
tridge@samba.org

move ip+hostname check to match.c

branches: 1.12.2;
add PreferredAuthentications

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.

branches: 1.9.2;
cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.

OpenBSD tag

fix match_hostname() logic for auth-rsa: deny access if we have a negative match or no match at all

branches: 1.6.2;
whitespace cleanup

initial support for DSA keys. ok deraadt@, niels@

KNF, final part 3

much more KNF

KNF part 1

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.

fold consecutive '*' wildcards to mitigate combinatorial explosion
of recursive searches; ok dtucker

some language improvements; ok markus

stdarg.h required more broadly; ok djm

space

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@

make hostname matching really insensitive to case; bz#2685,
reported by Petr Cerny; ok dtucker@

reword a comment to make it fit 80 columns

Fix memory leaks in match_filter_list() error paths.

ok dtucker@ markus@

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)

Revert two recent changes to negated address matching. The new
behaviour offers unintuitive surprises. We'll find a better way
to deal with single negated matches.

match.c 1.31:
> fix matching for pattern lists that contain a single negated match,
> e.g. "Host !example"
>
> report and patch from Robin Becker. bz#1918 ok dtucker@

addrmatch.c 1.11:
> fix negated address matching where the address list consists of a
> single negated match, e.g. "Match addr !192.20.0.1"
>
> Report and patch from Jakub Jelen. bz#2397 ok dtucker@

fix matching for pattern lists that contain a single negated match,
e.g. "Host !example"

report and patch from Robin Becker. bz#1918 ok dtucker@

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@

unsigned casts for ctype macros where neccessary
ok guenther millert markus

bye, bye xfree(); ok markus@

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <string.h> out of includes.h

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

be strict with tolower() casting

RCSID() can die

branches: 1.21.2;
move #include <ctype.h> out of includes.h; ok djm@

branches: 1.20.2;
make this -Wsign-compare clean; ok avsm@ markus@

branches: 1.19.12; 1.19.14;
undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@

support up to 40 algorithms per proposal

basic KNF done while i was looking for something else

make theo and djm happy: bye bye regexp

branches: 1.14.2;
tridge@samba.org

move ip+hostname check to match.c

branches: 1.12.2;
add PreferredAuthentications

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.

branches: 1.9.2;
cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.

OpenBSD tag

fix match_hostname() logic for auth-rsa: deny access if we have a negative match or no match at all

branches: 1.6.2;
whitespace cleanup

initial support for DSA keys. ok deraadt@, niels@

KNF, final part 3

much more KNF

KNF part 1

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.

some language improvements; ok markus

stdarg.h required more broadly; ok djm

space

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@

make hostname matching really insensitive to case; bz#2685,
reported by Petr Cerny; ok dtucker@

reword a comment to make it fit 80 columns

Fix memory leaks in match_filter_list() error paths.

ok dtucker@ markus@

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)

Revert two recent changes to negated address matching. The new
behaviour offers unintuitive surprises. We'll find a better way
to deal with single negated matches.

match.c 1.31:
> fix matching for pattern lists that contain a single negated match,
> e.g. "Host !example"
>
> report and patch from Robin Becker. bz#1918 ok dtucker@

addrmatch.c 1.11:
> fix negated address matching where the address list consists of a
> single negated match, e.g. "Match addr !192.20.0.1"
>
> Report and patch from Jakub Jelen. bz#2397 ok dtucker@

fix matching for pattern lists that contain a single negated match,
e.g. "Host !example"

report and patch from Robin Becker. bz#1918 ok dtucker@

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@

unsigned casts for ctype macros where neccessary
ok guenther millert markus

bye, bye xfree(); ok markus@

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <string.h> out of includes.h

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

be strict with tolower() casting

RCSID() can die

branches: 1.21.2;
move #include <ctype.h> out of includes.h; ok djm@

branches: 1.20.2;
make this -Wsign-compare clean; ok avsm@ markus@

branches: 1.19.12; 1.19.14;
undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@

support up to 40 algorithms per proposal

basic KNF done while i was looking for something else

make theo and djm happy: bye bye regexp

branches: 1.14.2;
tridge@samba.org

move ip+hostname check to match.c

branches: 1.12.2;
add PreferredAuthentications

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.

branches: 1.9.2;
cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.

OpenBSD tag

fix match_hostname() logic for auth-rsa: deny access if we have a negative match or no match at all

branches: 1.6.2;
whitespace cleanup

initial support for DSA keys. ok deraadt@, niels@

KNF, final part 3

much more KNF

KNF part 1

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.

stdarg.h required more broadly; ok djm

space

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@

make hostname matching really insensitive to case; bz#2685,
reported by Petr Cerny; ok dtucker@

reword a comment to make it fit 80 columns

Fix memory leaks in match_filter_list() error paths.

ok dtucker@ markus@

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)

Revert two recent changes to negated address matching. The new
behaviour offers unintuitive surprises. We'll find a better way
to deal with single negated matches.

match.c 1.31:
> fix matching for pattern lists that contain a single negated match,
> e.g. "Host !example"
>
> report and patch from Robin Becker. bz#1918 ok dtucker@

addrmatch.c 1.11:
> fix negated address matching where the address list consists of a
> single negated match, e.g. "Match addr !192.20.0.1"
>
> Report and patch from Jakub Jelen. bz#2397 ok dtucker@

fix matching for pattern lists that contain a single negated match,
e.g. "Host !example"

report and patch from Robin Becker. bz#1918 ok dtucker@

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@

unsigned casts for ctype macros where neccessary
ok guenther millert markus

bye, bye xfree(); ok markus@

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <string.h> out of includes.h

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

be strict with tolower() casting

RCSID() can die

branches: 1.21.2;
move #include <ctype.h> out of includes.h; ok djm@

branches: 1.20.2;
make this -Wsign-compare clean; ok avsm@ markus@

branches: 1.19.12; 1.19.14;
undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@

support up to 40 algorithms per proposal

basic KNF done while i was looking for something else

make theo and djm happy: bye bye regexp

branches: 1.14.2;
tridge@samba.org

move ip+hostname check to match.c

branches: 1.12.2;
add PreferredAuthentications

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.

branches: 1.9.2;
cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.

OpenBSD tag

fix match_hostname() logic for auth-rsa: deny access if we have a negative match or no match at all

branches: 1.6.2;
whitespace cleanup

initial support for DSA keys. ok deraadt@, niels@

KNF, final part 3

much more KNF

KNF part 1

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.

space

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@

make hostname matching really insensitive to case; bz#2685,
reported by Petr Cerny; ok dtucker@

reword a comment to make it fit 80 columns

Fix memory leaks in match_filter_list() error paths.

ok dtucker@ markus@

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)

Revert two recent changes to negated address matching. The new
behaviour offers unintuitive surprises. We'll find a better way
to deal with single negated matches.

match.c 1.31:
> fix matching for pattern lists that contain a single negated match,
> e.g. "Host !example"
>
> report and patch from Robin Becker. bz#1918 ok dtucker@

addrmatch.c 1.11:
> fix negated address matching where the address list consists of a
> single negated match, e.g. "Match addr !192.20.0.1"
>
> Report and patch from Jakub Jelen. bz#2397 ok dtucker@

fix matching for pattern lists that contain a single negated match,
e.g. "Host !example"

report and patch from Robin Becker. bz#1918 ok dtucker@

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@

unsigned casts for ctype macros where neccessary
ok guenther millert markus

bye, bye xfree(); ok markus@

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <string.h> out of includes.h

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

be strict with tolower() casting

RCSID() can die

branches: 1.21.2;
move #include <ctype.h> out of includes.h; ok djm@

branches: 1.20.2;
make this -Wsign-compare clean; ok avsm@ markus@

branches: 1.19.12; 1.19.14;
undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@

support up to 40 algorithms per proposal

basic KNF done while i was looking for something else

make theo and djm happy: bye bye regexp

branches: 1.14.2;
tridge@samba.org

move ip+hostname check to match.c

branches: 1.12.2;
add PreferredAuthentications

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.

branches: 1.9.2;
cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.

OpenBSD tag

fix match_hostname() logic for auth-rsa: deny access if we have a negative match or no match at all

branches: 1.6.2;
whitespace cleanup

initial support for DSA keys. ok deraadt@, niels@

KNF, final part 3

much more KNF

KNF part 1

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@

make hostname matching really insensitive to case; bz#2685,
reported by Petr Cerny; ok dtucker@

reword a comment to make it fit 80 columns

Fix memory leaks in match_filter_list() error paths.

ok dtucker@ markus@

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)

Revert two recent changes to negated address matching. The new
behaviour offers unintuitive surprises. We'll find a better way
to deal with single negated matches.

match.c 1.31:
> fix matching for pattern lists that contain a single negated match,
> e.g. "Host !example"
>
> report and patch from Robin Becker. bz#1918 ok dtucker@

addrmatch.c 1.11:
> fix negated address matching where the address list consists of a
> single negated match, e.g. "Match addr !192.20.0.1"
>
> Report and patch from Jakub Jelen. bz#2397 ok dtucker@

fix matching for pattern lists that contain a single negated match,
e.g. "Host !example"

report and patch from Robin Becker. bz#1918 ok dtucker@

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@

unsigned casts for ctype macros where neccessary
ok guenther millert markus

bye, bye xfree(); ok markus@

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <string.h> out of includes.h

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

be strict with tolower() casting

RCSID() can die

branches: 1.21.2;
move #include <ctype.h> out of includes.h; ok djm@

branches: 1.20.2;
make this -Wsign-compare clean; ok avsm@ markus@

branches: 1.19.12; 1.19.14;
undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@

support up to 40 algorithms per proposal

basic KNF done while i was looking for something else

make theo and djm happy: bye bye regexp

branches: 1.14.2;
tridge@samba.org

move ip+hostname check to match.c

branches: 1.12.2;
add PreferredAuthentications

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.

branches: 1.9.2;
cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.

OpenBSD tag

fix match_hostname() logic for auth-rsa: deny access if we have a negative match or no match at all

branches: 1.6.2;
whitespace cleanup

initial support for DSA keys. ok deraadt@, niels@

KNF, final part 3

much more KNF

KNF part 1

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@

make hostname matching really insensitive to case; bz#2685,
reported by Petr Cerny; ok dtucker@

reword a comment to make it fit 80 columns

Fix memory leaks in match_filter_list() error paths.

ok dtucker@ markus@

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)

Revert two recent changes to negated address matching. The new
behaviour offers unintuitive surprises. We'll find a better way
to deal with single negated matches.

match.c 1.31:
> fix matching for pattern lists that contain a single negated match,
> e.g. "Host !example"
>
> report and patch from Robin Becker. bz#1918 ok dtucker@

addrmatch.c 1.11:
> fix negated address matching where the address list consists of a
> single negated match, e.g. "Match addr !192.20.0.1"
>
> Report and patch from Jakub Jelen. bz#2397 ok dtucker@

fix matching for pattern lists that contain a single negated match,
e.g. "Host !example"

report and patch from Robin Becker. bz#1918 ok dtucker@

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@

unsigned casts for ctype macros where neccessary
ok guenther millert markus

bye, bye xfree(); ok markus@

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <string.h> out of includes.h

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

be strict with tolower() casting

RCSID() can die

branches: 1.21.2;
move #include <ctype.h> out of includes.h; ok djm@

branches: 1.20.2;
make this -Wsign-compare clean; ok avsm@ markus@

branches: 1.19.12; 1.19.14;
undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@

support up to 40 algorithms per proposal

basic KNF done while i was looking for something else

make theo and djm happy: bye bye regexp

branches: 1.14.2;
tridge@samba.org

move ip+hostname check to match.c

branches: 1.12.2;
add PreferredAuthentications

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.

branches: 1.9.2;
cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.

OpenBSD tag

fix match_hostname() logic for auth-rsa: deny access if we have a negative match or no match at all

branches: 1.6.2;
whitespace cleanup

initial support for DSA keys. ok deraadt@, niels@

KNF, final part 3

much more KNF

KNF part 1

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.

make hostname matching really insensitive to case; bz#2685,
reported by Petr Cerny; ok dtucker@

reword a comment to make it fit 80 columns

Fix memory leaks in match_filter_list() error paths.

ok dtucker@ markus@

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)

Revert two recent changes to negated address matching. The new
behaviour offers unintuitive surprises. We'll find a better way
to deal with single negated matches.

match.c 1.31:
> fix matching for pattern lists that contain a single negated match,
> e.g. "Host !example"
>
> report and patch from Robin Becker. bz#1918 ok dtucker@

addrmatch.c 1.11:
> fix negated address matching where the address list consists of a
> single negated match, e.g. "Match addr !192.20.0.1"
>
> Report and patch from Jakub Jelen. bz#2397 ok dtucker@

fix matching for pattern lists that contain a single negated match,
e.g. "Host !example"

report and patch from Robin Becker. bz#1918 ok dtucker@

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@

unsigned casts for ctype macros where neccessary
ok guenther millert markus

bye, bye xfree(); ok markus@

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <string.h> out of includes.h

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

be strict with tolower() casting

RCSID() can die

branches: 1.21.2;
move #include <ctype.h> out of includes.h; ok djm@

branches: 1.20.2;
make this -Wsign-compare clean; ok avsm@ markus@

branches: 1.19.12; 1.19.14;
undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@

support up to 40 algorithms per proposal

basic KNF done while i was looking for something else

make theo and djm happy: bye bye regexp

branches: 1.14.2;
tridge@samba.org

move ip+hostname check to match.c

branches: 1.12.2;
add PreferredAuthentications

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.

branches: 1.9.2;
cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.

OpenBSD tag

fix match_hostname() logic for auth-rsa: deny access if we have a negative match or no match at all

branches: 1.6.2;
whitespace cleanup

initial support for DSA keys. ok deraadt@, niels@

KNF, final part 3

much more KNF

KNF part 1

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.