fix: memory leak
fix: add defaults after parsing
fix: set defaults in ssh_bind_listen
tests: add test for checking default hostkey paths
remove: null check for hostkey paths, can't happen since we set defaults now
examples: ssh_server remove "no default keys", default hostkeys set in ssh_bind_listen
Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
When opening a PTY on the server, try to use the current TTY's settings
(i.e. based on STDIN). If that fails or STDIN isn't a TTY, use default
modes that avoid any character translation.
Don't rely on stdin to be a TTY (breaks CI). Instead, open a PTY and
temporarily use that as "fake" stdin.
Signed-off-by: Daniel Evers (daniel.evers@utimaco.com)
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Added the new function `ssh_channel_request_pty_size_modes` which allows
to pass additional encoded SSH terminal modes (see opcodes in RFC 4245).
Signed-off-by: Daniel Evers (daniel.evers@utimaco.com)
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Imported targets are highly preferred over the individual variables
for includes and libs because they will be used in a coherent way
and any spelling mistakes or unavailability won't go unnoticed.
Also it will prevent bugs like conan-io/conan-center-index#16900
or using mismatching header/libs combinations.
Signed-off-by: Gregor Jasny <gjasny@googlemail.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Malicious code can be injected using the username with metacharacters,
therefore the username must be validated before using it with any %u.
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
In the sftp_init() call, the limits are stored in the sftp_sesssion.
If the limits@openssh.com extension is supported the limits are retrieved
from the server, else libssh uses the default limits.
The sftp library functions that require the limits can access them using
the sftp session.
The library user can call sftp_limits() to get a copy of the limits
stored in the sftp session. Since the limits were already retrieved
from the server during sftp_init(), this sftp_limits() call requires
no communication with the server.
Signed-off-by: Eshan Kelkar <eshankelkar@galorithm.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
This incorrectly stated that it would return an integer value instead of a
string.
Signed-off-by: James Wrigley <james@puiterwijk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
The current documentation incorrectly states that it will return 0 on EOF, but
the function calls ssh_channel_poll() internally, which will return SSH_EOF,
which will then be returned by ssh_channel_read_nonblocking().
Signed-off-by: James Wrigley <james@puiterwijk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Norbert Pocs <norbertpocs0@gmail.com>
... and make coerity happy avoiding dead code
CID 1531320
CID 1531321
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Norbert Pocs <norbertpocs0@gmail.com>
This prevents code injection.
The domain name syntax checker is based on RFC1035.
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
The hostname can be a domain name or an ip address. The colon has to be
allowed because of IPv6 even it is prohibited in domain names.
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Using ssh_config_parse_uri can simplify the parsing of the host
parsing inside the function of ssh_options_set
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
This also adds an fallback to OpenSSH file format in non-OpenSSL backends and
OpenSSH-compatible private key export for writing OpenSSH private keys.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
The OpenSSL claims that these parameters are not mandatory and just speed up
calculations. But in reality, if they are missing, we can not export this key
into PEM files or if we export them, they are not readable/valid.
This was discussed in the following OpenSSL issue even with some proposed fix,
but it will take time before this will be implemented so in the meantime, we
back down to calculating the parameters manually as done in OpenSSH.
https://github.com/openssl/openssl/issues/21826
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This involves reading the certificates from configuration files through options
and handling them similarly as the OpenSSH does when doing the auto pubkey
authentication, also in combination with agent or identities only.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
