[openssh-commits] [openssh] branch master updated (0585b569 -> c6f06fd3)
git+noreply at mindrot.org
Sat Jan 25 11:36:26 AEDT 2020
This is an automated email from the git hooks/post-receive script.
djm pushed a change to branch master
in repository openssh.
from 0585b569 upstream: Do not warn about permissions on symlinks.
new 72a8bea2 upstream: ssh-keygen -Y find-principals fixes based on feedback
new 8dfb6a20 upstream: allow PEM export of DSA and ECDSA keys; bz3091, patch
new 4a41d245 upstream: when signing a certificate with an RSA key, default to
new c3368a5d upstream: remove ssh-rsa (SHA1) from the list of allowed CA
new d15c8adf upstream: minor tweaks to ssh-keygen -Y find-principals:
new 8075fccb upstream: add xextendf() to extend a string with a format
new a8c05c64 upstream: tweak proctitle to include sshd arguments, as these are
new 89a8d452 upstream: expose PKCS#11 key labels/X.509 subjects as comments
new e5a278a6 upstream: process security key provider via realpath() in agent,
new 7955633a upstream: allow UpdateKnownHosts=yes to function when multiple
new c6f06fd3 upstream: set UpdateKnownHosts=ask by default; bz#2894; ok
The 11 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.
Detailed log of new commits:
commit c6f06fd38a257b9fcc7d6760f8fb6d505dccb628
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sat Jan 25 00:22:31 2020 +0000
upstream: set UpdateKnownHosts=ask by default; bz#2894; ok
markus@
OpenBSD-Commit-ID: f09cb3177f3a14c96428e14f347e976a8a531fee
commit 7955633a554397bc24913cec9fd7285002935f7e
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sat Jan 25 00:21:08 2020 +0000
upstream: allow UpdateKnownHosts=yes to function when multiple
known_hosts files are in use. When updating host keys, ssh will now search
subsequent known_hosts files, but will add new/changed host keys to the first
specified file only. bz#2738
ok markus@
OpenBSD-Commit-ID: 6ded6d878a03e57d5aa20bab9c31f92e929dbc6c
commit e5a278a62ab49dffe96929fa8d8506c6928dba90
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sat Jan 25 00:06:48 2020 +0000
upstream: process security key provider via realpath() in agent,
avoids malicious client from being able to cause agent to load arbitrary
libraries into ssh-sk-helper.
reported by puck AT puckipedia.com; ok markus
OpenBSD-Commit-ID: 1086643df1b7eee4870825c687cf0c26a6145d1c
commit 89a8d4525e8edd9958ed3df60cf683551142eae0
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sat Jan 25 00:03:36 2020 +0000
upstream: expose PKCS#11 key labels/X.509 subjects as comments
Extract the key label or X.509 subject string when PKCS#11 keys
are retrieved from the token and plumb this through to places where
it may be used as a comment.
based on https://github.com/openssh/openssh-portable/pull/138
by Danielle Church
feedback and ok markus@
OpenBSD-Commit-ID: cae1fda10d9e10971dea29520916e27cfec7ca35
commit a8c05c640873621681ab64d2e47a314592d5efa2
Author: djm at openbsd.org <djm at openbsd.org>
Date: Fri Jan 24 23:56:01 2020 +0000
upstream: tweak proctitle to include sshd arguments, as these are
frequently used to distinguish between multiple independent instances of the
server. New proctitle looks like this:
$ pgrep -lf sshd
12844 sshd: /usr/sbin/sshd -f /etc/ssh/sshd_config [listener] 0 of 10-100 startups
requested by sthen@ and aja@; ok aja@
OpenBSD-Commit-ID: cf235a561c655a3524a82003cf7244ecb48ccc1e
commit 8075fccbd4f70a4371acabcfb47562471ff0de6f
Author: djm at openbsd.org <djm at openbsd.org>
Date: Fri Jan 24 23:54:40 2020 +0000
upstream: add xextendf() to extend a string with a format
(reallocating as necessary). ok aja@ as part of a larger diff
OpenBSD-Commit-ID: 30796b50d330b3e0e201747fe40cdf9aa70a77f9
commit d15c8adf2c6f1a6b4845131074383eb9c3d05c3d
Author: djm at openbsd.org <djm at openbsd.org>
Date: Fri Jan 24 05:33:01 2020 +0000
upstream: minor tweaks to ssh-keygen -Y find-principals:
emit matched principals one per line to stdout rather than as
comma-separated and with a free-text preamble (easy confusion opportunity)
emit "not found" error to stderr
fix up argument testing for -Y operations and improve error message for
unsupported operations
OpenBSD-Commit-ID: 3d9c9a671ab07fc04a48f543edfa85eae77da69c
commit c3368a5d5ec368ef6bdf9971d6330ca0e3bdca06
Author: djm at openbsd.org <djm at openbsd.org>
Date: Fri Jan 24 00:28:57 2020 +0000
upstream: remove ssh-rsa (SHA1) from the list of allowed CA
signature algorithms ok markus
OpenBSD-Commit-ID: da3481fca8c81e6951f319a86b7be67502237f57
commit 4a41d245d6b13bd3882c8dc058dbd2e2b39a9f67
Author: djm at openbsd.org <djm at openbsd.org>
Date: Fri Jan 24 00:27:04 2020 +0000
upstream: when signing a certificate with an RSA key, default to
a safe signature algorithm (rsa-sha-512) if none is explicitly specified by
the user; ok markus@
OpenBSD-Commit-ID: e05f638f0be6c0266e1d3d799716b461011e83a9
commit 8dfb6a202c96cdf037c8ce05e53e32e0e0b7b454
Author: djm at openbsd.org <djm at openbsd.org>
Date: Fri Jan 24 00:00:31 2020 +0000
upstream: allow PEM export of DSA and ECDSA keys; bz3091, patch
from Jakub Jelen ok markus@
OpenBSD-Commit-ID: a58edec8b9f07acab4b962a71a5125830d321b51
commit 72a8bea2d748c8bd7f076a8b39a52082c79ae95f
Author: djm at openbsd.org <djm at openbsd.org>
Date: Thu Jan 23 23:31:52 2020 +0000
upstream: ssh-keygen -Y find-principals fixes based on feedback
from Markus:
use "principals" instead of principal, as allowed_signers lines may list
multiple.
When the signing key is a certificate, emit only principals that match
the certificate principal list.
NB. the command -Y name changes: "find-principal" => "find-principals"
ok markus@
OpenBSD-Commit-ID: ab575946ff9a55624cd4e811bfd338bf3b1d0faf
Summary of changes:
clientloop.c | 57 +++++++++++++++------
hostfile.c | 3 +-
misc.c | 29 ++++++++++-
misc.h | 4 +-
myproposal.h | 5 +-
readconf.c | 4 +-
ssh-agent.c | 43 +++++++++++-----
ssh-keygen.1 | 11 ++--
ssh-keygen.c | 85 ++++++++++++++++++++-----------
ssh-pkcs11-client.c | 14 ++++--
ssh-pkcs11-helper.c | 21 +++++---
ssh-pkcs11.c | 142 ++++++++++++++++++++++++++++++++--------------------
ssh-pkcs11.h | 4 +-
ssh.c | 14 +++---
sshd.c | 22 ++++++--
sshsig.c | 74 +++++++++++++++++++++++----
sshsig.h | 5 +-
17 files changed, 378 insertions(+), 159 deletions(-)