8f6c337563
- jmc@cvs.openbsd.org 2010/03/04 22:52:40
...
[ssh-keygen.1]
fix Bk/Ek;
2010-03-05 10:41:26 +11:00
179eee081a
- (tim) [ssh-pkcs11.c] Fix "non-constant initializer" errors in older
...
compilers. OK djm@
2010-03-04 12:48:05 -08:00
f2b70cad75
- djm@cvs.openbsd.org 2010/03/04 20:35:08
...
[ssh-keygen.1 ssh-keygen.c]
Add a -L flag to print the contents of a certificate; ok markus@
2010-03-05 07:39:35 +11:00
72b33820af
- jmc@cvs.openbsd.org 2010/03/04 12:51:25
...
[ssh.1 sshd_config.5]
tweak previous;
2010-03-05 07:39:01 +11:00
700dcfa3e0
- djm@cvs.openbsd.org 2010/03/04 10:38:23
...
[regress/cert-hostkey.sh regress/cert-userkey.sh]
additional regression tests for revoked keys and TrustedUserCAKeys
2010-03-04 21:58:01 +11:00
017d1e777e
- djm@cvs.openbsd.org 2010/03/03 00:47:23
...
[regress/cert-hostkey.sh regress/cert-userkey.sh]
add an extra test to ensure that authentication with the wrong
certificate fails as it should (and it does)
2010-03-04 21:57:21 +11:00
1aed65eb27
- djm@cvs.openbsd.org 2010/03/04 10:36:03
...
[auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c]
[authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h]
[ssh-keygen.c ssh.1 sshconnect.c sshd_config.5]
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition than doing it per-user
in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to me revoked and banned for user or host
authentication.
feedback and ok markus@
2010-03-04 21:53:35 +11:00
2befbad9b3
- djm@cvs.openbsd.org 2010/03/04 01:44:57
...
[key.c]
use buffer_get_string_ptr_ret() where we are checking the return
value explicitly instead of the fatal()-causing buffer_get_string_ptr()
2010-03-04 21:52:18 +11:00
fe588e3c84
- djm@cvs.openbsd.org 2010/03/03 22:50:40
...
[PROTOCOL.certkeys]
s/similar same/similar/; from imorgan AT nas.nasa.gov
2010-03-04 21:52:00 +11:00
cd38c9c555
- djm@cvs.openbsd.org 2010/03/03 22:49:50
...
[sshd.8]
the authorized_keys option for CA keys is "cert-authority", not
"from=cert-authority". spotted by imorgan AT nas.nasa.gov
2010-03-04 21:51:37 +11:00
41396573af
- OpenBSD CVS Sync
...
- djm@cvs.openbsd.org 2010/03/03 01:44:36
[auth-options.c key.c]
reject strings with embedded ASCII nul chars in certificate key IDs,
principal names and constraints
2010-03-04 21:51:11 +11:00
e1abf4d6bc
- (djm) [regress/Makefile] Cleanup sshd_proxy_orig
2010-03-04 21:41:29 +11:00
d45f3b6cc7
- (djm) [.cvsignore] Ignore ssh-pkcs11-helper
2010-03-04 21:09:46 +11:00
661ffc1fd6
- (djm) [contrib/redhat/openssh.spec] Replace obsolete BuildPreReq
...
on XFree86-devel with neutral /usr/include/X11/Xlib.h;
imorgan AT nas.nasa.gov in bz#1731
2010-03-04 21:09:24 +11:00
910f209c1d
- (djm) [ssh-keygen.c] Use correct local variable, instead of
...
maybe-undefined global "optarg"
2010-03-04 14:17:22 +11:00
386dbc05e9
- (djm) [regress/cert-userkey.sh] s/echo -n/echon/ here too
2010-03-03 13:22:41 +11:00
2ca342b84b
- djm@cvs.openbsd.org 2010/03/02 23:20:57
...
[ssh-keygen.c]
POSIX strptime is stricter than OpenBSD's so do a little dance to
appease it.
2010-03-03 12:14:15 +11:00
fb84e5950e
- djm@cvs.openbsd.org 2010/03/02 23:20:57
...
[ssh-keygen.c]
POSIX strptime is stricter than OpenBSD's so do a little dance to
appease it.
2010-03-03 10:26:04 +11:00
0bd41861bb
- otto@cvs.openbsd.org 2010/03/01 11:07:06
...
[ssh-add.c]
zap what seems to be a left-over debug message; ok markus@
2010-03-03 10:25:41 +11:00
15f5b560b1
- jmc@cvs.openbsd.org 2010/02/26 22:09:28
...
[ssh-keygen.1 ssh.1 sshd.8]
tweak previous;
2010-03-03 10:25:21 +11:00
25b97dd454
- (djm) [PROTOCOL.certkeys] Add RCS Ident
2010-03-03 10:24:00 +11:00
c5b0cb3b7d
- (tim) [config.guess config.sub] Bug 1722: Update to latest versions from
...
http://git.savannah.gnu.org/gitweb/ (2009-12-30 and 2010-01-22
respectively).
2010-03-01 15:57:42 -08:00
9af0cb9acc
- (dtucker) [openbsd-compat/port-linux.c] Make failure to write to the OOM
...
adjust log at verbose only, since according to cjwatson in bug #1470
some virtualization platforms don't allow writes.
2010-03-01 15:52:49 +11:00
c614c78c53
- (dtucker) [regress/{cert-hostkey,cfgmatch,cipher-speed}.sh} Replace
...
"echo -n" with "echon" for portability.
2010-03-01 12:49:05 +11:00
bff24b8ad2
- (tim) [ssh-pkcs11-helper.c] Move declarations before calling functions
...
to make older compilers (gcc 2.95) happy.
2010-02-28 14:51:56 -08:00
acc9b29486
- (djm) [auth.c] On Cygwin, refuse usernames that have differences in
...
case from that matched in the system password database. On this
platform, passwords are stored case-insensitively, but sshd requires
exact case matching for Match blocks in sshd_config(5). Based on
a patch from vinschen AT redhat.com.
2010-03-01 04:36:54 +11:00
d05951fcee
- (djm) [openbsd-compat/bsd-cygwin_util.c] Reduce the set of environment
...
variables copied into sshd child processes. From vinschen AT redhat.com
2010-02-28 03:29:33 +11:00
09a24db2d7
- (djm) [ssh-pkcs11-helper.c ] Ensure RNG is initialised and seeded
2010-02-28 03:28:05 +11:00
58ac6de964
- djm@cvs.openbsd.org 2010/02/26 20:33:21
...
[Makefile regress/cert-hostkey.sh regress/cert-userkey.sh]
regression tests for certified keys
2010-02-27 07:57:12 +11:00
0a80ca190a
- OpenBSD CVS Sync
...
- djm@cvs.openbsd.org 2010/02/26 20:29:54
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
[auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
[hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
[myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
[ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
[sshconnect2.c sshd.8 sshd.c sshd_config.5]
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as sh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file
PROTOCOL.certkeys
feedback and ok markus@
2010-02-27 07:55:05 +11:00
d27d85d532
contrib/caldera/openssh.spec
...
contrib/redhat/openssh.spec
contrib/suse/openssh.spec
2010-02-24 18:21:45 +11:00
43001b3b3b
- (djm) [Makefile.in ssh-pkcs11-helper.8] Add manpage for PKCS#11 helper
2010-02-24 18:18:51 +11:00
8eff8e8f59
- dtucker@cvs.openbsd.org 2009/11/09 04:20:04
...
[regress/Makefile keygen-convert.sh]
add regression test for ssh-keygen pubkey conversions
2010-02-24 17:33:30 +11:00
cfa42d2fd2
- markus@cvs.openbsd.org 2010/02/08 10:52:47
...
[regress/agent-pkcs11.sh]
test for PKCS#11 support (currently disabled)
2010-02-24 17:31:20 +11:00
c1739211a6
- djm@cvs.openbsd.org 2010/02/24 06:21:56
...
[regress/test-exec.sh]
wait for sshd to fully stop in cleanup() function; avoids races in tests
that do multiple start_sshd/cleanup cycles; "I hate pidfiles" deraadt@
2010-02-24 17:29:34 +11:00
8f9492c90d
- djm@cvs.openbsd.org 2010/02/09 06:29:02
...
[regress/Makefile]
turn on all the malloc(3) checking options when running regression
tests. this has caught a few bugs for me in the past; ok dtucker@
2010-02-24 17:28:45 +11:00
bb4ae5583b
- djm@cvs.openbsd.org 2010/02/09 04:57:36
...
[regress/addrmatch.sh]
clean up droppings
2010-02-24 17:26:38 +11:00
0dff9c7e6d
- dtucker@cvs.openbsd.org 2010/01/11 02:53:44
...
[regress/forwarding.sh]
regress test for stdio forwarding
2010-02-24 17:25:58 +11:00
b6bd3c2ca8
- dtucker@cvs.openbsd.org 2009/11/09 04:20:04
...
[regress/Makefile]
add regression test for ssh-keygen pubkey conversions
2010-02-24 17:24:56 +11:00
a80f1404bb
- djm@cvs.openbsd.org 2010/02/11 20:37:47
...
[pathnames.h]
correct comment
2010-02-24 17:17:58 +11:00
05abd2c968
- (djm) [pkcs11.h ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
...
[ssh-pkcs11.h] Add $OpenBSD$ RCS idents so we can sync portable
2010-02-24 17:16:08 +11:00
b3c9f78711
- (djm) [configure.ac] Enable PKCS#11 support only when we find a working
...
dlopen()
2010-02-12 10:11:34 +11:00
dfa4156dbd
- (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
...
Use ssh_get_progname to fill __progname
2010-02-12 10:06:28 +11:00
8ad0fbd98e
- (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
...
Make it compile on OSX
2010-02-12 09:49:06 +11:00
d8f6002272
- (djm) [INSTALL Makefile.in README.smartcard configure.ac scard-opensc.c]
...
[scard.c scard.h pkcs11.h scard/Makefile.in scard/Ssh.bin.uu scard/Ssh.java]
Remove obsolete smartcard support
2010-02-12 09:34:22 +11:00
d400da5ba8
- jmc@cvs.openbsd.org 2010/02/11 13:23:29
...
[ssh.1]
libarary -> library;
2010-02-12 09:26:23 +11:00
a761844455
- markus@cvs.openbsd.org 2010/02/10 23:20:38
...
[ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5]
pkcs#11 is no longer optional; improve wording; ok jmc@
2010-02-12 09:26:02 +11:00
47cf16b8df
- djm@cvs.openbsd.org 2010/02/09 06:18:46
...
[auth.c]
unbreak ChrootDirectory+internal-sftp by skipping check for executable
shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
2010-02-12 09:25:29 +11:00
8922106fe9
- djm@cvs.openbsd.org 2010/02/09 03:56:28
...
[buffer.c buffer.h]
constify the arguments to buffer_len, buffer_ptr and buffer_dump
2010-02-12 09:23:40 +11:00
86cbb44d47
- djm@cvs.openbsd.org 2010/02/09 00:50:59
...
[ssh-keygen.c]
fix -Wall
2010-02-12 09:22:57 +11:00
Damien Miller
Tim Rice
Darren Tucker