djm [Wed, 25 Sep 2024 01:24:04 +0000 (01:24 +0000)]
fix regression introduced when I switched the "Match" criteria tokeniser
to a more shell-like one. Apparently the old tokeniser (accidentally?)
allowed "Match criteria=argument" as well as the "Match criteria argument"
syntax that we tested for.
People were using this syntax so this adds back support for
"Match criteria=argument"
bz3739 ok dtucker
jmc [Tue, 24 Sep 2024 20:02:39 +0000 (20:02 +0000)]
- VM(s) -> VMs
- simpler tense
- fix the -width parameter
- add -nosplit to AUTHORS
mlarkin [Tue, 24 Sep 2024 19:34:01 +0000 (19:34 +0000)]
vmd(8) manpage change for shutdown behaviour
Document the shutdown behaviour for vmd(8). Suggested via bugs@
via eric at mulh.net.
ok jmc@, bluhm@
sthen [Tue, 24 Sep 2024 14:20:31 +0000 (14:20 +0000)]
backout scanner.l strtonum commits; they restrict numbers to INT_MAX,
breaking filter expressions like "ether[14:4]=0xaaaa0300". ok op@ deraadt@
-/--------------------------
revision 1.32
date: 2024/08/29 07:33:50; author: anton; state: Exp; lines: +2 -2; commitid: ZYtBn8qrrNNh87on;
Fix regression introduced in previous migration to strtol() by
correcting the error condition, making it on par with the example in the
manual.
ok op@
-/--------------------------
revision 1.31
date: 2024/08/28 11:40:33; author: op; state: Exp; lines: +13 -31; commitid: RirJPBPfGo9NeSE6;
libpcap: replace hand-rolled number parser with strtol
can't use strtonum here since it needs to handle octal and hex
notations as well. Part of a larger diff that's ok beck@
-/--------------------------
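Added example, not part of the commit log and not libpcap's scanner.l code: a C sketch of why an INT_MAX ceiling rejects the filter literal quoted in the backout message, while a parser covering the full unsigned 32-bit range accepts it. The helper names `parse_u32` and `parse_int_max` are hypothetical, and a 32-bit `int` is assumed.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical helper: parse a filter literal written in decimal,
 * octal (leading 0) or hex (leading 0x) into the full unsigned
 * 32-bit range. Returns 0 on success, -1 on any error.
 */
int
parse_u32(const char *s, uint32_t *out)
{
	char *end;
	unsigned long long v;

	/* strtoull() skips whitespace and accepts a sign; refuse both. */
	if (s == NULL || s[0] < '0' || s[0] > '9')
		return -1;

	errno = 0;
	v = strtoull(s, &end, 0);	/* base 0: honour 0 and 0x prefixes */
	if (end == s || *end != '\0')
		return -1;		/* no digits, or trailing junk */
	if (errno == ERANGE || v > UINT32_MAX)
		return -1;		/* does not fit in 32 bits */

	*out = (uint32_t)v;
	return 0;
}

/*
 * The same parse with the ceiling described in the backout message:
 * anything above INT_MAX is treated as an error.
 */
int
parse_int_max(const char *s, uint32_t *out)
{
	uint32_t v;

	if (parse_u32(s, &v) == -1 || v > (uint32_t)INT_MAX)
		return -1;
	*out = v;
	return 0;
}

int
main(void)
{
	/* Literal taken from the filter expression in the commit message. */
	const char *lit = "0xaaaa0300";
	uint32_t v = 0;

	printf("full range: %s\n",
	    parse_u32(lit, &v) == 0 ? "accepted" : "rejected");
	printf("INT_MAX cap: %s\n",
	    parse_int_max(lit, &v) == 0 ? "accepted" : "rejected");
	return 0;
}
```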
bluhm [Tue, 24 Sep 2024 12:37:11 +0000 (12:37 +0000)]
Fix sleeping race during malloc in sysctl hw.disknames.
When mallocarray(9) sleeps, disk_count can change, and diskstatslen
gets inconsistent. This caused free(9) to panic.
Reported-by: syzbot+36e1f3b306f721f90c72@syzkaller.appspotmail.com
OK deraadt@ mpi@
florian [Tue, 24 Sep 2024 07:33:35 +0000 (07:33 +0000)]
Remove -r toggle and generally be less smart.
The default is to install the next release. Snapshots are only
installed when invoked with -s.
The logic on what to do per default got out of hand and it was very
difficult to reason about what sysupgrade(8) actually did. deraadt@
then suggested that we should dumb it all down, sysupgrade(8) is there
to upgrade from one release to the next. More advanced usage needs to
be requested by the user.
With all this simplification we can now be a bit more smart to work
out what the next release is. With that, snapshots right before a
release can be sysupgrade(8)'ed to the official release.
OK sthen on a previous version that was much more complicated but
allowed shortly-before-release -> release upgrade
testing sthen on this version
Guidance, prodding & OK deraadt
djm [Tue, 24 Sep 2024 02:28:17 +0000 (02:28 +0000)]
some extra paranoia, reminded by jsg@
jsg [Tue, 24 Sep 2024 02:25:20 +0000 (02:25 +0000)]
___linux__ -> __linux__
deraadt [Tue, 24 Sep 2024 02:22:42 +0000 (02:22 +0000)]
for sysctl on arm64, handle CPU_ID_AA64ISAR1 same as CPU_ID_AA64ISAR0
ok sthen
deraadt [Mon, 23 Sep 2024 21:18:33 +0000 (21:18 +0000)]
If during parsing lines in the script, ksh finds a NUL byte on the
line, it should abort ("syntax error: NUL byte unexpected"). There
appears to be one piece of software which is misinterpreting guidance
of this, and trying to depend upon embedded NUL. During research,
every shell we tested has one or more cases where a NUL byte in the
input or inside variable contents will create divergent behaviour from
other shells. (ie. gets converted to a space, is silently skipped, or
aborts script parsing or later execution). All the shells are written
in C, and majority of them use C strings for everything, which means
they cannot embed a NUL, so this is not surprising. It is quite
unbelievable there are people trying to rewrite history on a lark, and
expecting the world to follow alone.
If there is ONE THING the Unix world needs, it is for bash/ksh/sh to
stop diverging further by permitting STUPID INPUT that cannot
plausibly work in all other shells. We are in a post-Postel world.
It remains possible to put arbitrary bytes *AFTER* the parts of the
shell script that get parsed & executed (like some Solaris patch files
do). But you can't put arbitrary bytes in the middle, ahead of shell
script parsed lines, because shells can't jump to arbitrary offsets
inside the input file, they go THROUGH all the 'valid shell script
text lines' to get there.
This was in snapshots for more than 2 months, and only spotted one
other program depending on the behaviour (and that test program did
not observe that it was therefore depending on incorrect behaviour!!)
ok ingo. Softer ok's from various others.
deraadt [Mon, 23 Sep 2024 21:05:28 +0000 (21:05 +0000)]
now hacking on 7.6-current
(corrected)
kn [Mon, 23 Sep 2024 20:54:01 +0000 (20:54 +0000)]
Replace `&&' with `if' for proper $? handling; OK lucas
iked and isakmpd guard against themselves with "return 0" as rc.subr(8)
checks rc_pre()'s return code and aborts daemon start iff non-zero, but
that isn't needed if we use ksh properly.
deraadt [Mon, 23 Sep 2024 20:50:47 +0000 (20:50 +0000)]
now hacking on 7.6-current
kn [Mon, 23 Sep 2024 20:44:24 +0000 (20:44 +0000)]
zap redundant "|| return 1"; OK lucas
unbound-checkconf(8) itself exits 1 on error already.
kn [Mon, 23 Sep 2024 20:38:49 +0000 (20:38 +0000)]
document SIOCSIFMTU; OK jmc
kn [Mon, 23 Sep 2024 20:37:42 +0000 (20:37 +0000)]
sync struct definitions from headers; OK jmc
jsg [Mon, 23 Sep 2024 13:50:33 +0000 (13:50 +0000)]
recognise Neoverse V3AE (Poseidon AE)
jsg [Mon, 23 Sep 2024 03:59:43 +0000 (03:59 +0000)]
regen
jsg [Mon, 23 Sep 2024 03:59:03 +0000 (03:59 +0000)]
add more Navi 32 and Navi 33 device ids
7460 rev 00 is Radeon Pro V710
7461 rev 00 is Radeon Pro V710
7499 rev 00 is Radeon Pro W7400
7499 rev c0 is Radeon RX 7400
7499 rev c1 is Radeon RX 7300
found in ROCm 6.2.1 libdrm-amdgpu-common
jsg [Mon, 23 Sep 2024 00:10:04 +0000 (00:10 +0000)]
add device tree mapping for HP OmniBook X 14
ok patrick@ kettenis@
tb [Sun, 22 Sep 2024 14:59:48 +0000 (14:59 +0000)]
Reinstate bounds check accidentally disabled when defining OPENSSL_NO_DTLS1
From Kenjiro Nakayama
Closes https://github.com/libressl/portable/issues/1097
jsg [Sun, 22 Sep 2024 12:56:21 +0000 (12:56 +0000)]
remove some unused defines; ok djm@
schwarze [Sun, 22 Sep 2024 10:32:28 +0000 (10:32 +0000)]
For compatibility with groff, the .In macro has been callable and parsed
since mandoc-1.7.24 = mdoc_macro.c rev. 1.11 (July 12, 2009).
Match the documentation to the implementation.
Patch from Evan Silberman <evan at jklol dot net>.
schwarze [Sun, 22 Sep 2024 10:13:03 +0000 (10:13 +0000)]
Talk less about "Single UNIX" because it has a confusing numbering
scheme. Instead, stick to the XPG/POSIX numbering scheme that has
clearly won: earlier this year, POSIX Issue 8 has been released,
and nobody calls it "Single UNIX version 5".
The XPG/POSIX numbering scheme is also preferable because it can
be used for the entire history leading up to the current POSIX
standard (1988-2024), whereas the Single UNIX numbering scheme
only works for the period from XPG4.2 to POSIX Issue 7 (1994-2008).
This patch mostly changes (informational) paragraph headers
and corrects two instances of the incorrect term "XPG version"
to the correct term "XPG Issue". The (normative) .St argument
definitions remain unchanged, and all supported .St arguments
remain documented, including the deprecated arguments -susv1 to -susv4.
No objections when shown on tech@ a few months ago.
claudio [Sun, 22 Sep 2024 08:40:37 +0000 (08:40 +0000)]
Increase the default buffer size for AF_UNIX from 8192 to 32768.
Using 8k for socketpairs was always on the low end side. Also this
avoids a fatal error in sshd that can be triggered when the network
stack is pushed hard enough to consume most of the allowed memory.
By increasing the default buffer size a bit the error in sshd is
avoided which is good enough for now.
Long term a better solution for sonewconn() and especially sbchecklowmem()
needs to be found. m_pool_used() returns not the right information for
them.
OK deraadt@ otto@
jsg [Sun, 22 Sep 2024 04:19:22 +0000 (04:19 +0000)]
remove BACK_CHANNEL define, unused since YP bits removed in rev 1.20
deraadt [Sat, 21 Sep 2024 19:06:06 +0000 (19:06 +0000)]
We aren't ready to choose S0-over-S3 based upon the S0ix bit in FADT.
Some machines which work great in S3, don't work great in S0.
Some people want to be able to force S0, mostly for testing purposes
(or to notice improvements as changes are made in the tree). Provide
a TEMPORARY method via machdep.lidaction=-1 which will be S0-suspend
while =1 remains S3 suspend. This button will not remain long-term,
but for now, and during 7.6, it will be better than nothing.
ok ratchov kettenis
schwarze [Sat, 21 Sep 2024 11:56:36 +0000 (11:56 +0000)]
Check that .In is callable and parsed.
Triggered by a documentation patch from Evan Silberman <evan at jklol dot net>.
I'm not testing yet whether the same applies in the SYNOPSIS section
because there are multiple parsing and formatting differences with groff
in that section.
aisha [Sat, 21 Sep 2024 05:37:26 +0000 (05:37 +0000)]
add route-to example
ok benno@
mlarkin [Sat, 21 Sep 2024 04:36:28 +0000 (04:36 +0000)]
vmm(4): remove EPT mprotect ioctl
This old ioctl isn't used by vmd(8) and is getting in the way of some
improvements we want to do. It was used by solo5 but the person who was
helping maintain this is no longer involved with that project.
ok dv
mlarkin [Sat, 21 Sep 2024 04:12:18 +0000 (04:12 +0000)]
vmm.h is a needed include now
kettenis [Fri, 20 Sep 2024 19:12:50 +0000 (19:12 +0000)]
Add device tree mapping for Lenovo ThinkPad T14s.
ok tobhe@, mlarkin@
tb [Fri, 20 Sep 2024 12:52:37 +0000 (12:52 +0000)]
Avoid use after free when retrying the -o file
This is horrible code and at least file leaks in various paths, but that's
for someone else to fix.
found by & ok jsg
tb [Fri, 20 Sep 2024 11:41:15 +0000 (11:41 +0000)]
gdb: fix path to ex
from Nir Lichtman
ok pascal sthen
(they okayed the ports version which I take to be an agreement with this).
jsg [Fri, 20 Sep 2024 02:20:44 +0000 (02:20 +0000)]
correct format string in debug printf
jsg [Fri, 20 Sep 2024 02:15:53 +0000 (02:15 +0000)]
remove unneeded semicolon
jsg [Fri, 20 Sep 2024 02:00:46 +0000 (02:00 +0000)]
remove unneeded semicolons; checked by millert@
dlg [Fri, 20 Sep 2024 01:15:53 +0000 (01:15 +0000)]
fix up the ip address config in the example config.
you're supposed to configure the IP addresses inside the tunnel,
sec doesn't support configuration of the tunnel endpoint addresses
because that's handled by SAs via ike config.
hit by Luca Di Gregorio on misc@
djm [Thu, 19 Sep 2024 22:17:44 +0000 (22:17 +0000)]
openssh-9.9
tb [Thu, 19 Sep 2024 20:48:36 +0000 (20:48 +0000)]
Shift 1U rather than 1 to avoid -Wsign-compare whining
claudio agrees
job [Thu, 19 Sep 2024 13:45:07 +0000 (13:45 +0000)]
Move rpki-client to 9.3
requested by tb@
jsg [Thu, 19 Sep 2024 09:44:36 +0000 (09:44 +0000)]
fixup! drm/apple: Add support for the macOS 13.2 DCP firmware
From Janne Grunau in asahi bits/200-dcp
puts logging of power state changes under DRMDEBUG
ok kettenis@
claudio [Thu, 19 Sep 2024 08:55:22 +0000 (08:55 +0000)]
Remove spaces before EOL.
sf [Thu, 19 Sep 2024 06:23:38 +0000 (06:23 +0000)]
vio: allow longer tx chains
When TCP segmentation offload is supported, we may get larger packets
with more dma segments. Allocate more segments in the busdma_map in this
case, so that we need to defragment less often.
ok jan@
sf [Thu, 19 Sep 2024 06:19:05 +0000 (06:19 +0000)]
virtio_pci: Fix off-by-one in interrupt setup
This was introduced by "virtio: Move interrupt setup into separate
function".
ok jan@
denis [Thu, 19 Sep 2024 06:12:46 +0000 (06:12 +0000)]
document how to add a restricted socket
OK claudio@
jsg [Thu, 19 Sep 2024 05:08:10 +0000 (05:08 +0000)]
don't warn when returning early in hdcp functions
jsg [Thu, 19 Sep 2024 04:26:25 +0000 (04:26 +0000)]
drm/i915/guc: prevent a possible int overflow in wq offsets
From Nikita Zhandarovich
86238603c8f4df09b2a926617511310fd550737c in linux-6.6.y/6.6.52
d3d37f74683e2f16f2635ee265884f7ca69350ae in mainline linux
jsg [Thu, 19 Sep 2024 04:24:20 +0000 (04:24 +0000)]
drm/amd/amdgpu: apply command submission parser for JPEG v1
From David (Ming Qiang) Wu
ff65ae25d3cbcd8737e5971230031f0826a33250 in linux-6.6.y/6.6.52
8409fb50ce48d66cf9dc5391f03f05c56c430605 in mainline linux
jsg [Thu, 19 Sep 2024 04:21:53 +0000 (04:21 +0000)]
drm/amdgpu/atomfirmware: Silence UBSAN warning
From Alex Deucher
54268468399e5d1b23e76e43d06ff49ccad5fd4d in linux-6.6.y/6.6.52
17ea4383649fdeaff3181ddcf1ff03350d42e591 in mainline linux
jsg [Thu, 19 Sep 2024 04:19:44 +0000 (04:19 +0000)]
drm/syncobj: Fix syncobj leak in drm_syncobj_eventfd_ioctl
From T.J. Mercier
8e1ffb257982974352e9153eddcbaf01f949f700 in linux-6.6.y/6.6.52
8c7c44be57672e1474bf15a451011c291e85fda4 in mainline linux
jsg [Thu, 19 Sep 2024 04:17:11 +0000 (04:17 +0000)]
drm/amd/display: Fix FEC_READY write on DP LT
From Ilya Bakoulin
7853c146f8b45107bea25dcc1870c4dc3a042540 in linux-6.6.y/6.6.52
a8baec4623aedf36d50767627f6eae5ebf07c6fb in mainline linux
jsg [Thu, 19 Sep 2024 04:15:37 +0000 (04:15 +0000)]
drm/amd/display: Disable error correction if it's not supported
From Cruise
27bbf0b1cac9866666878421d57c15a78867f7cd in linux-6.6.y/6.6.52
a8ac994cf0693a1ce59410995594e56124a1c79f in mainline linux
jsg [Thu, 19 Sep 2024 04:13:21 +0000 (04:13 +0000)]
drm: panel-orientation-quirks: Add quirk for Ayn Loki Max
From Bouke Sybren Haarsma
31b9fc3d0c1078a7ca5982de45a3f29ac2e7d711 in linux-6.6.y/6.6.52
2c71c8459c8ca66bd8f597effaac892ee8448a9f in mainline linux
jsg [Thu, 19 Sep 2024 04:11:20 +0000 (04:11 +0000)]
drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero
From Bouke Sybren Haarsma
7d42d19973cbe1fa30b6f2aad7d06189ec0ef2e8 in linux-6.6.y/6.6.52
b86aa4140f6a8f01f35bfb05af60e01a55b48803 in mainline linux
jsg [Thu, 19 Sep 2024 01:05:48 +0000 (01:05 +0000)]
correct indentation
tb [Wed, 18 Sep 2024 19:12:37 +0000 (19:12 +0000)]
Enable large number of extension tests and stop skipping QUIC transport
parameter extension which we now know about
millert [Wed, 18 Sep 2024 17:05:50 +0000 (17:05 +0000)]
zic: cherrypick support for %z in time zone formats
This extends the zic input format to add support for %z, which
expands to a UTC offset in as-short-as-possible ISO 8601 format.
It's intended to better support zones that do not have an established
abbreviation already. tzdata2024b and higher require a version of
zic that supports the %z format. From upstream tzcode. OK beck@
jsg [Wed, 18 Sep 2024 14:29:10 +0000 (14:29 +0000)]
move common lines to mi
deraadt [Wed, 18 Sep 2024 11:29:55 +0000 (11:29 +0000)]
back to previous plan
job [Wed, 18 Sep 2024 10:22:36 +0000 (10:22 +0000)]
Fix a memory leak
Found by Martin Cracauer
"look right" tb@
jsg [Wed, 18 Sep 2024 05:21:19 +0000 (05:21 +0000)]
remove unneeded semicolons after switch statements
deraadt [Wed, 18 Sep 2024 02:43:54 +0000 (02:43 +0000)]
adjust date
jmatthew [Wed, 18 Sep 2024 00:03:19 +0000 (00:03 +0000)]
Remove the MSI blacklist. Now that we use MSI-X interrupts for nvme(4),
the one device we ever found that needed this treatment, the obsolete Intel
Optane Memory series, doesn't need it any more.
ok kettenis@ dlg@
jsg [Tue, 17 Sep 2024 13:45:49 +0000 (13:45 +0000)]
disable POOL_DEBUG for release
ok deraadt@
deraadt [Tue, 17 Sep 2024 13:39:17 +0000 (13:39 +0000)]
head into release
deraadt [Tue, 17 Sep 2024 12:53:15 +0000 (12:53 +0000)]
getdents(2) was pushed into rpath because it exposes pathname
information, similar to getcwd(2). Move it to the right place, and
also say why.
report from henryfordkjv@gmail.com
jsg [Tue, 17 Sep 2024 10:19:54 +0000 (10:19 +0000)]
update install.md path
jsg [Tue, 17 Sep 2024 10:13:50 +0000 (10:13 +0000)]
update list file paths
sf [Tue, 17 Sep 2024 09:00:14 +0000 (09:00 +0000)]
vio: Reduce code duplication in control queue handling
Pull the common parts of all the control queue operations into separate
functions.
While there, avoid setting sc_ctrl_inuse FREE if it was RESET, except in
vio_stop. Doing so could lead to more race conditions.
ok bluhm@
tb [Tue, 17 Sep 2024 08:47:37 +0000 (08:47 +0000)]
tlsfuzzer: add a start-server convenience target for interactive testing
tb [Tue, 17 Sep 2024 06:12:06 +0000 (06:12 +0000)]
Replace OpenSSL 3.1 (which no longer is in ports) with 3.3
jsg [Tue, 17 Sep 2024 04:12:57 +0000 (04:12 +0000)]
spelling
bluhm [Mon, 16 Sep 2024 22:30:01 +0000 (22:30 +0000)]
Mention psp(4) in vm.conf(5) man page.
from hshoexer@; OK mlarkin@
bluhm [Mon, 16 Sep 2024 22:15:43 +0000 (22:15 +0000)]
Document ioctl(2) interface provided by psp(4) device.
from hshoexer@; OK mlarkin@
nicm [Mon, 16 Sep 2024 20:46:58 +0000 (20:46 +0000)]
Add copy mode commands which were missed when descriptions were added,
from Julian Prein, GitHub issue 4121.
nicm [Mon, 16 Sep 2024 20:38:48 +0000 (20:38 +0000)]
Change the behaviour of extended-keys always slightly so that
applications can still enter mode 2 if they want, they just cannot turn
extended keys off entirely. From Stanislav Kljuhhin.
nicm [Mon, 16 Sep 2024 20:28:22 +0000 (20:28 +0000)]
Add a prefix timeout option, from Conor Taylor in GitHub issue 4108.
florian [Mon, 16 Sep 2024 07:34:49 +0000 (07:34 +0000)]
Close correct file descriptor.
Instead of closing the just received UDP socket we closed the imsg fd
thus cleanly shutting down dhcpleased(8).
Problem triggered by sf@ with something like
while :; do ifconfig vio0 -inet; done
while :; do ifconfig vio0 inet autoconf; done
The problem triggers when dhcpleased configured a lease and in just
the right moment the autoconf flag gets removed. The main process
opens a udp socket and sends it to the frontend. At the same time the
frontend learned (from the route socket), that the interface lost its
autoconf flag. When the frontend then receives the udp socket via fd
passing it tries to close it. Due to a typo it would instead close the
imsg file descriptor.
Found by me after lots of head scratching.
OK tb
djm [Mon, 16 Sep 2024 05:37:05 +0000 (05:37 +0000)]
use 64 bit math to avoid signed underflow. upstream code relies on
using -fwrapv to provide defined over/underflow behaviour, but we use
-ftrapv to catch integer errors and abort the program. ok dtucker@
deraadt [Sun, 15 Sep 2024 23:13:19 +0000 (23:13 +0000)]
Invalid pintables in ELF binaries can crash the kernel.
Fix from yufeng.gao@uq.edu.au
kn [Sun, 15 Sep 2024 19:39:26 +0000 (19:39 +0000)]
Document when vmd(8) VMs are stopped; OK mlarkin
Useful to know in setups where pkg daemons and VMs depend on each other.
yasuoka [Sun, 15 Sep 2024 11:08:50 +0000 (11:08 +0000)]
Add handling of "Class" attribute. diff from markus
ok markus
jmc [Sun, 15 Sep 2024 08:27:38 +0000 (08:27 +0000)]
minor grammar/sort fixes for refuseconnection; ok djm
jsg [Sun, 15 Sep 2024 07:14:58 +0000 (07:14 +0000)]
remove unused variables
jsg [Sun, 15 Sep 2024 05:49:05 +0000 (05:49 +0000)]
__STDC_VERSION__ not __STDC_VERSION; ok miod@
yasuoka [Sun, 15 Sep 2024 05:31:23 +0000 (05:31 +0000)]
Improve the log messages and white spaces.
yasuoka [Sun, 15 Sep 2024 05:29:11 +0000 (05:29 +0000)]
Keep the number of requests for a DAE server below 64 to avoid
congestion.
yasuoka [Sun, 15 Sep 2024 05:26:05 +0000 (05:26 +0000)]
Add "delete" command to "radiusctl ipcp". Also, send "stop" that was
missing when disconnecting all when acct-{on,off} received.
yasuoka [Sun, 15 Sep 2024 05:14:32 +0000 (05:14 +0000)]
Handle EAGAIN properly and fix the log when disconnected.
djm [Sun, 15 Sep 2024 03:09:44 +0000 (03:09 +0000)]
bad whitespace in config dump output
djm [Sun, 15 Sep 2024 02:20:51 +0000 (02:20 +0000)]
update the Streamlined NTRU Prime code from the "ref" implementation
in SUPERCOP 20201130 to the "compact" implementation in SUPERCOP
20240808. The new version is substantially faster.
Thanks to Daniel J Bernstein for pointing out the new implementation
(and of course for writing it).
tested in snaps/ok deraadt@
djm [Sun, 15 Sep 2024 01:19:56 +0000 (01:19 +0000)]
document Match invalid-user
djm [Sun, 15 Sep 2024 01:18:26 +0000 (01:18 +0000)]
add a "Match invalid-user" predicate to sshd_config Match options.
This allows writing Match conditions that trigger for invalid username.
E.g.

    PerSourcePenalties refuseconnection:90s
    Match invalid-user
        RefuseConnection yes

Will effectively penalise bots trying to guess passwords for bogus accounts,
at the cost of implicitly revealing which accounts are invalid.
feedback markus@
djm [Sun, 15 Sep 2024 01:11:26 +0000 (01:11 +0000)]
Add a "refuseconnection" penalty class to sshd_config
PerSourcePenalties
This allows penalising connection sources that have had connections
dropped by the RefuseConnection option. ok markus@
djm [Sun, 15 Sep 2024 01:09:40 +0000 (01:09 +0000)]
Add a sshd_config "RefuseConnection" option
If set, this will terminate the connection at the first authentication
request (this is the earliest we can evaluate sshd_config Match blocks)
ok markus@
djm [Sun, 15 Sep 2024 00:58:01 +0000 (00:58 +0000)]
switch sshd_config Match processing to the argv tokeniser too;
ok markus@
djm [Sun, 15 Sep 2024 00:57:36 +0000 (00:57 +0000)]
switch "Match" directive processing over to the argv string
tokeniser, making it possible to use shell-like quoting in Match
directives, particularly "Match exec". ok markus@
djm [Sun, 15 Sep 2024 00:47:01 +0000 (00:47 +0000)]
include pathname in some of the ssh-keygen passphrase prompts. Helps
the user know what's going on when ssh-keygen is invoked via other
tools. Requested in GHPR503
djm [Sun, 15 Sep 2024 00:41:18 +0000 (00:41 +0000)]
Do not apply authorized_keys options when signature verification
fails. Prevents restrictive key options being incorrectly applied
to subsequent keys in authorized_keys. bz3733, ok markus@