[openssh-commits] [openssh] branch master updated (79e4829 -> 85aa2ef)

git+noreply at mindrot.org git+noreply at mindrot.org
Wed Nov 30 19:45:37 AEDT 2016


This is an automated email from the git hooks/post-receive script.

djm pushed a change to branch master
in repository openssh.

      from  79e4829   upstream commit
       new  c9f880c   factor out common PRNG reseed before privdrop
       new  7fc4766   upstream commit
       new  fd6dcef   upstream commit
       new  7844f35   upstream commit
       new  786d599   upstream commit
       new  5d33313   upstream commit
       new  85aa2ef   upstream commit

The 7 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.


Detailed log of new commits:

commit 85aa2efeba51a96bf6834f9accf2935d96150296
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Nov 30 03:01:33 2016 +0000

    upstream commit
    
    test new behaviour of cert force-command restriction vs.
    authorized_key/ principals
    
    Upstream-Regress-ID: 399efa7469d40c404c0b0a295064ce75d495387c

commit 5d333131cd8519d022389cfd3236280818dae1bc
Author: jmc at openbsd.org <jmc at openbsd.org>
Date:   Wed Nov 30 06:54:26 2016 +0000

    upstream commit
    
    tweak previous; while here fix up FILES and AUTHORS;
    
    Upstream-ID: 93f6e54086145a75df8d8ec7d8689bdadbbac8fa

commit 786d5994da79151180cb14a6cf157ebbba61c0cc
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Nov 30 03:07:37 2016 +0000

    upstream commit
    
    add a whitelist of paths from which ssh-agent will load
    (via ssh-pkcs11-helper) a PKCS#11 module; ok markus@
    
    Upstream-ID: fe79769469d9cd6d26fe0dc15751b83ef2a06e8f

commit 7844f357cdd90530eec81340847783f1f1da010b
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Nov 30 03:00:05 2016 +0000

    upstream commit
    
    Add a sshd_config DisableForwarding option that disables
    X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as
    anything else we might implement in the future.
    
    This, like the 'restrict' authorized_keys flag, is intended to be a
    simple and future-proof way of restricting an account. Suggested as
    a complement to 'restrict' by Jann Horn; ok markus@
    
    Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7

commit fd6dcef2030d23c43f986d26979f84619c10589d
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Nov 30 02:57:40 2016 +0000

    upstream commit
    
    When a forced-command appears in both a certificate and
    an authorized keys/principals command= restriction, refuse to accept the
    certificate unless they are identical.
    
    The previous (documented) behaviour of having the certificate forced-
    command override the other could be a bit confused and more error-prone.
    
    Pointed out by Jann Horn of Project Zero; ok dtucker@
    
    Upstream-ID: 79d811b6eb6bbe1221bf146dde6928f92d2cd05f

commit 7fc4766ac78abae81ee75b22b7550720bfa28a33
Author: dtucker at openbsd.org <dtucker at openbsd.org>
Date:   Wed Nov 30 00:28:31 2016 +0000

    upstream commit
    
    On startup, check to see if sshd is already daemonized
    and if so, skip the call to daemon() and do not rewrite the PidFile.  This
    means that when sshd re-execs itself on SIGHUP the process ID will no longer
    change.  Should address bz#2641.  ok djm@ markus@.
    
    Upstream-ID: 5ea0355580056fb3b25c1fd6364307d9638a37b9

commit c9f880c195c65f1dddcbc4ce9d6bfea7747debcc
Author: Damien Miller <djm at mindrot.org>
Date:   Wed Nov 30 13:51:49 2016 +1100

    factor out common PRNG reseed before privdrop
    
    Add a call to RAND_poll() to ensure that more than pid+time gets
    stirred into child processes' states. Prompted by analysis from Jann
    Horn at Project Zero. ok dtucker@

Summary of changes:
 auth-options.c          | 27 +++++++++++++++++------
 auth-options.h          |  4 ++--
 auth2-pubkey.c          | 18 +++++++---------
 misc.c                  | 20 ++++++++++++++++-
 misc.h                  |  3 ++-
 regress/cert-userkey.sh | 16 +++++++++++++-
 servconf.c              | 14 ++++++++++--
 servconf.h              |  3 ++-
 serverloop.c            | 10 ++++-----
 session.c               |  4 ++--
 ssh-agent.1             | 36 +++++++++++++++++++++----------
 ssh-agent.c             | 43 ++++++++++++++++++++++++++++++-------
 sshd.8                  | 18 +++++++++++-----
 sshd.c                  | 57 +++++++++++++++++++++++++++----------------------
 sshd_config.5           | 10 +++++++--
 15 files changed, 200 insertions(+), 83 deletions(-)

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
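
The PKCS#11 module path whitelist described in commit 786d599 above, as an added example that is not part of the original email and is not OpenSSH's own code: a sketch of one way to check a requested module path, assuming the whitelist is a comma-separated list of glob patterns and that the path is canonicalised with realpath() before matching. The function name module_path_allowed and the sample paths are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <fnmatch.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Return 1 if `path`, after canonicalisation, matches one of the
 * comma-separated glob patterns in `whitelist`; 0 otherwise.
 * Hypothetical helper for illustration, not an OpenSSH function.
 */
int
module_path_allowed(const char *path, const char *whitelist)
{
	char canonical[PATH_MAX], *patterns, *pat, *save = NULL;
	int allowed = 0;

	/* Resolve symlinks and "..", so the check sees the file that would be loaded. */
	if (realpath(path, canonical) == NULL)
		return 0;	/* nonexistent or unresolvable: refuse */
	if ((patterns = strdup(whitelist)) == NULL)
		return 0;	/* fail closed on allocation failure */
	for (pat = strtok_r(patterns, ",", &save); pat != NULL;
	    pat = strtok_r(NULL, ",", &save)) {
		if (fnmatch(pat, canonical, 0) == 0) {
			allowed = 1;
			break;
		}
	}
	free(patterns);
	return allowed;
}

int
main(void)
{
	/* Constructed sample: /dev stands in for a trusted library directory. */
	const char *wl = "/dev/*";
	const char *tests[] = { "/dev/null", "/dev/../dev/null", "/dev/../etc/passwd" };

	for (size_t i = 0; i < 3; i++)
		printf("%-22s %s\n", tests[i],
		    module_path_allowed(tests[i], wl) ? "allowed" : "refused");
	return 0;
}
```

Matching the raw string instead of the canonical path would accept the third sample, because the pattern's `*` also matches `/` and `..` components.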