Commit Graph

496 Commits

Author SHA1 Message Date
markus@openbsd.org 49f47e656b upstream: replace cast with call to sshbuf_mutable_ptr(); ok djm@
OpenBSD-Commit-ID: 4dfe9d29fa93d9231645c89084f7217304f7ba29
2018-07-10 16:44:17 +10:00
markus@openbsd.org 7f90635216 upstream: switch config file parsing to getline(3) as this avoids
static limits noted by gerhard@; ok dtucker@, djm@

OpenBSD-Commit-ID: 6d702eabef0fa12e5a1d75c334a8c8b325298b5c
2018-06-07 04:34:05 +10:00
djm@openbsd.org 01b048c8eb upstream: whitespace
OpenBSD-Commit-ID: e5edb5e843ddc9b73a8e46518899be41d5709add
2018-06-01 14:22:29 +10:00
djm@openbsd.org 3e088aaf23 upstream: return correct exit code when searching for and hashing
known_hosts entries in a single operation (ssh-keygen -HF hostname); bz2772
Report and fix from Anton Kremenetsky

OpenBSD-Commit-ID: ac10ca13eb9bb0bc50fcd42ad11c56c317437b58
2018-06-01 14:20:12 +10:00
djm@openbsd.org bf0fbf2b11 upstream: add valid-before="[time]" authorized_keys option. A
simple way of giving a key an expiry date. ok markus@

OpenBSD-Commit-ID: 1793b4dd5184fa87f42ed33c7b0f4f02bc877947
2018-03-14 18:55:32 +11:00
markus@openbsd.org 1b11ea7c58 upstream: Add experimental support for PQC XMSS keys (Extended
Hash-Based Signatures) The code is not compiled in by default (see WITH_XMSS
in Makefile.inc) Joint work with stefan-lukas_gazdag at genua.eu See
https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 ok
djm@

OpenBSD-Commit-ID: ef3eccb96762a5d6f135d7daeef608df7776a7ac
2018-02-26 11:40:41 +11:00
djm@openbsd.org ca613249a0 upstream commit
Refuse to create a certificate with an unusable number of
principals; Prompted by gdestuynder via github

OpenBSD-Commit-ID: 8cfae2451e8f07810e3e2546dfdcce66984cbd29
2018-02-10 16:49:44 +11:00
djm@openbsd.org b56ac069d4 upstream commit
fatal if we're unable to write all the public key; previously
we would silently ignore errors writing the comment and terminating newline.
Prompted by github PR from WillerZ; ok dtucker

OpenBSD-Commit-ID: 18fbfcfd4e8c6adbc84820039b64d70906e49831
2018-02-10 16:45:34 +11:00
jsing@openbsd.org 94ec2b69d4 upstream commit
Remove some #ifdef notyet code from OpenSSL 0.9.8 days.

These functions have never appeared in OpenSSL and are likely never to do
so.

"kill it with fire" djm@

OpenBSD-Commit-ID: fee9560e283fd836efc2631ef381658cc673d23e
2018-02-08 09:26:27 +11:00
djm@openbsd.org 04c7e28f83 upstream commit
pass negotiated signing algorithm though to
sshkey_verify() and check that the negotiated algorithm matches the type in
the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@

OpenBSD-Commit-ID: 735fb15bf4adc060d3bee9d047a4bcaaa81b1af9
2017-12-19 15:21:37 +11:00
djm@openbsd.org@openbsd.org d52131a983 upstream commit
allow certificate validity intervals that specify only a
start or stop time (we already support specifying both or neither)

OpenBSD-Commit-ID: 9be486545603c003030bdb5c467d1318b46b4e42
2017-11-03 16:20:41 +11:00
djm@openbsd.org 853edbe057 upstream commit
When generating all hostkeys (ssh-keygen -A), clobber
existing keys if they exist but are zero length. zero-length keys could
previously be made if ssh-keygen failed part way through generating them, so
avoid that case too. bz#2561 reported by Krzysztof Cieplucha; ok dtucker@

Upstream-ID: f662201c28ab8e1f086b5d43c59cddab5ade4044
2017-07-21 14:17:32 +10:00
djm@openbsd.org 83fa3a0448 upstream commit
remove post-SSHv1 removal dead code from rsa.c and merge
the remaining bit that it still used into ssh-rsa.c; ok markus

Upstream-ID: ac8a048d24dcd89594b0052ea5e3404b473bfa2f
2017-07-21 14:17:32 +10:00
djm@openbsd.org a98339edbc upstream commit
Allow ssh-keygen to use a key held in ssh-agent as a CA when
signing certificates. bz#2377 ok markus

Upstream-ID: fb42e920b592edcbb5b50465739a867c09329c8f
2017-06-28 11:13:19 +10:00
markus@openbsd.org 7da5df11ac upstream commit
remove unused wrapper functions from key.[ch]; ok djm@

Upstream-ID: ea0f4016666a6817fc11f439dd4be06bab69707e
2017-05-31 10:49:50 +10:00
djm@openbsd.org bd636f4091 upstream commit
Refuse RSA keys <1024 bits in length. Improve reporting
for keys that do not meet this requirement. ok markus@

Upstream-ID: b385e2a7b13b1484792ee681daaf79e1e203df6c
2017-05-08 09:21:22 +10:00
djm@openbsd.org 873d3e7d9a upstream commit
remove KEY_RSA1

ok markus@

Upstream-ID: 7408517b077c892a86b581e19f82a163069bf133
2017-05-01 10:05:01 +10:00
djm@openbsd.org 56912dea6e upstream commit
unifdef WITH_SSH1 ok markus@

Upstream-ID: 9716e62a883ef8826c57f4d33b4a81a9cc7755c7
2017-05-01 09:37:40 +10:00
djm@openbsd.org 249516e428 upstream commit
allow ssh-keygen to include arbitrary string or flag
certificate extensions and critical options. ok markus@ dtucker@

Upstream-ID: 2cf28dd6c5489eb9fc136e0b667ac3ea10241646
2017-05-01 09:35:38 +10:00
djm@openbsd.org db2597207e upstream commit
ensure hostname is lower-case before hashing it;
bz#2591 reported by Griff Miller II; ok dtucker@

Upstream-ID: c3b8b93804f376bd00d859b8bcd9fc0d86b4db17
2017-03-10 15:35:39 +11:00
dtucker@openbsd.org 18501151cf upstream commit
Check l->hosts before dereferencing; fixes potential null
pointer deref. ok djm@

Upstream-ID: 81c0327c6ec361da794b5c680601195cc23d1301
2017-03-06 13:44:46 +11:00
dtucker@openbsd.org d072370793 upstream commit
linenum is unsigned long so use %lu in log formats.  ok
deraadt@

Upstream-ID: 9dc582d9bb887ebe0164e030d619fc20b1a4ea08
2017-03-06 13:17:31 +11:00
djm@openbsd.org 12d3767ba4 upstream commit
fix ssh-keygen -H accidentally corrupting known_hosts that
contained already-hashed entries. HKF_MATCH_HOST_HASHED is only set by
hostkeys_foreach() when hostname matching is in use, so we need to look for
the hash marker explicitly.

Upstream-ID: da82ad653b93e8a753580d3cf5cd448bc2520528
2017-03-03 17:14:35 +11:00
dtucker@openbsd.org 3baa4cdd19 upstream commit
Do not show rsa1 key type in usage when compiled without
SSH1 support.

Upstream-ID: 068b5c41357a02f319957746fa4e84ea73960f57
2017-02-17 14:52:24 +11:00
djm@openbsd.org a287c5ad1e upstream commit
Sanitise escape sequences in key comments sent to printf
but preserve valid UTF-8 when the locale supports it; bz#2520 ok dtucker@

Upstream-ID: e8eed28712ba7b22d49be534237eed019875bd1e
2017-02-10 14:38:06 +11:00
millert@openbsd.org e40269be38 upstream commit
Avoid printf %s NULL.  From semarie@, OK djm@

Upstream-ID: 06beef7344da0208efa9275d504d60d2a5b9266c
2017-02-10 14:37:26 +11:00
Darren Tucker 7050896e73 Resync ssh-keygen -W error message with upstream. 2016-09-12 13:57:28 +10:00
Darren Tucker 43cceff82c Move ssh-keygen -W handling code to match upstream 2016-09-12 13:57:07 +10:00
Darren Tucker af48d54136 Move ssh-keygen -T handling code to match upstream. 2016-09-12 13:52:17 +10:00
Darren Tucker d8c3cfbb01 Move -M handling code to match upstream. 2016-09-12 13:51:04 +10:00
dtucker@openbsd.org 7b63cf6dbb upstream commit
Spaces->tabs.

Upstream-ID: f4829dfc3f36318273f6082b379ac562eead70b7
2016-09-12 13:49:24 +10:00
dtucker@openbsd.org 11e5e64453 upstream commit
Style whitespace fix.  Also happens to remove a no-op
diff with portable.

Upstream-ID: 45d90f9a62ad56340913a433a9453eb30ceb8bf3
2016-09-12 13:47:51 +10:00
Darren Tucker 0bb2980260 Restore ssh-keygen's -J and -j option handling.
These were incorrectly removed in the 1d9a2e28 sync commit.
2016-09-12 11:07:00 +10:00
djm@openbsd.org 57464e3934 upstream commit
support SHA256 and SHA512 RSA signatures in certificates;
 ok markus@

Upstream-ID: b45be2f2ce8cacd794dc5730edaabc90e5eb434a
2016-05-02 20:35:05 +10:00
djm@openbsd.org 1a31d02b24 upstream commit
fix signed/unsigned errors reported by clang-3.7; add
 sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with
 better safety checking; feedback and ok markus@

Upstream-ID: 71f926d9bb3f1efed51319a6daf37e93d57c8820
2016-05-02 20:35:04 +10:00
dtucker@openbsd.org ffb1e7e896 upstream commit
Add a function to enable security-related malloc_options.
  With and ok deraadt@, something similar has been in the snaps for a while.

Upstream-ID: 43a95523b832b7f3b943d2908662191110c380ed
2016-02-16 10:44:00 +11:00
djm@openbsd.org cce6a36bb9 upstream commit
use SSH_MAX_PUBKEY_BYTES consistently as buffer size when
 reading key files. Increase it to match the size of the buffers already being
 used.

Upstream-ID: 1b60586b484b55a947d99a0b32bd25e0ced56fae
2015-12-18 14:49:32 +11:00
mmcc@openbsd.org 89540b6de0 upstream commit
Remove NULL-checks before sshkey_free().

ok djm@

Upstream-ID: 3e35afe8a25e021216696b5d6cde7f5d2e5e3f52
2015-12-18 14:49:32 +11:00
markus@openbsd.org 76c9fbbe35 upstream commit
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures
 (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and
 draft-ssh-ext-info-04.txt; with & ok djm@

Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309
2015-12-07 12:38:58 +11:00
deraadt@openbsd.org 6da413c085 upstream commit
do not leak temp file if there is no known_hosts file
 from craig leres, ok djm

Upstream-ID: c820497fd5574844c782e79405c55860f170e426
2015-11-30 09:45:53 +11:00
halex@openbsd.org 4d90625b22 upstream commit
allow comment change for all supported formats

ok djm@

Upstream-ID: 5fc477cf2f119b2d44aa9c683af16cb00bb3744b
2015-11-28 17:44:32 +11:00
djm@openbsd.org 964ab3ee7a upstream commit
trailing whitespace

Upstream-ID: 31fe0ad7c4d08e87f1d69c79372f5e3c5cd79051
2015-11-19 12:13:38 +11:00
djm@openbsd.org 499cf36fec upstream commit
move the certificate validity formatting code to
 sshkey.[ch]

Upstream-ID: f05f7c78fab20d02ff1d5ceeda533ef52e8fe523
2015-11-19 12:11:37 +11:00
djm@openbsd.org bcb7bc77bb upstream commit
fix "ssh-keygen -l" of private key, broken in support for
 multiple plain keys on stdin

Upstream-ID: 6b3132d2c62d03d0bad6f2bcd7e2d8b7dab5cd9d
2015-11-18 19:40:25 +11:00
djm@openbsd.org c56a255162 upstream commit
Allow fingerprinting from standard input "ssh-keygen -lf
 -"

Support fingerprinting multiple plain keys in a file and authorized_keys
files too (bz#1319)

ok markus@

Upstream-ID: 903f8b4502929d6ccf53509e4e07eae084574b77
2015-11-17 11:22:15 +11:00
djm@openbsd.org 94bc0b72c2 upstream commit
support multiple certificates (one per line) and
 reading from standard input (using "-f -") for "ssh-keygen -L"; ok dtucker@

Upstream-ID: ecbadeeef3926e5be6281689b7250a32a80e88db
2015-11-16 11:31:36 +11:00
djm@openbsd.org c837643b93 upstream commit
fixed unlink([uninitialised memory]) reported by Mateusz
 Kocielski; ok markus@

Upstream-ID: 14a0c4e7d891f5a8dabc4b89d4f6b7c0d5a20109
2015-08-20 13:07:40 +10:00
djm@openbsd.org 933935ce8d upstream commit
refuse to generate or accept RSA keys smaller than 1024
 bits; feedback and ok dtucker@

Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba
2015-07-15 15:36:02 +10:00
djm@openbsd.org c28fc62d78 upstream commit
delete support for legacy v00 certificates; "sure"
 markus@ dtucker@

Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f
2015-07-15 15:35:09 +10:00
djm@openbsd.org 1d9a2e2849 upstream commit
wrap all moduli-related code in #ifdef WITH_OPENSSL.
 based on patch from Reuben Hawkins; bz#2388 feedback and ok dtucker@

Upstream-ID: d80cfc8be3e6ec65b3fac9e87c4466533b31b7cf
2015-05-28 18:54:58 +10:00
djm@openbsd.org d1958793a0 upstream commit
make ssh-keygen default to ed25519 keys when compiled
 without OpenSSL; bz#2388, ok dtucker@

Upstream-ID: 85a471fa6d3fa57a7b8e882d22cfbfc1d84cdc71
2015-05-28 18:54:54 +10:00
djm@openbsd.org 4739e8d5e1 upstream commit
Support "ssh-keygen -lF hostname" to find search known_hosts
 and print key hashes. Already advertised by ssh-keygen(1), but not delivered
 by code; ok dtucker@

Upstream-ID: 459e0e2bf39825e41b0811c336db2d56a1c23387
2015-05-21 22:04:07 +10:00
djm@openbsd.org 734226b448 upstream commit
fix compilation with OPENSSL=no; ok dtucker@
2015-04-29 18:19:05 +10:00
deraadt@openbsd.org 657a5fbc0d upstream commit
rename xrealloc() to xreallocarray() since it follows
 that form. ok djm
2015-04-29 18:15:23 +10:00
djm@openbsd.org 3038a19187 upstream commit
use error/logit/fatal instead of fprintf(stderr, ...)
 and exit(0), fix a few errors that were being printed to stdout instead of
 stderr and a few non-errors that were going to stderr instead of stdout
 bz#2325; ok dtucker
2015-04-29 18:14:20 +10:00
tobias@openbsd.org 704d8c8898 upstream commit
Comments are only supported for RSA1 keys. If a user
 tried to add one and entered his passphrase, explicitly clear it before exit.
 This is done in all other error paths, too.

ok djm
2015-04-01 10:00:27 +11:00
djm@openbsd.org 5c27e3b6ec upstream commit
for ssh-keygen -A, don't try (and fail) to generate ssh
 v.1 keys when compiled without SSH1 support RSA/DSA/ECDSA keys when compiled
 without OpenSSL based on patch by Mike Frysinger; bz#2369
2015-03-23 17:10:14 +11:00
djm@openbsd.org f43d172691 upstream commit
don't printf NULL key comments; reported by Tom Christensen
2015-02-27 07:46:23 +11:00
naddy@openbsd.org 6288e3a935 upstream commit
add -v (show ASCII art) to -l's synopsis; ok djm@
2015-02-26 04:32:08 +11:00
djm@openbsd.org 2285c30d51 upstream commit
further silence spurious error message even when -v is
 specified (e.g. to get visual host keys); reported by naddy@
2015-02-24 09:21:48 +11:00
djm@openbsd.org e94e4b07ef upstream commit
silence a spurious error message when listing
 fingerprints for known_hosts; bz#2342
2015-02-24 03:59:09 +11:00
Damien Miller 773dda25e8 repair --without-openssl; broken in refactor 2015-02-18 22:29:32 +11:00
djm@openbsd.org 6c5c949782 upstream commit
Refactor hostkeys_foreach() and dependent code Deal with
 IP addresses (i.e. CheckHostIP) Don't clobber known_hosts when nothing
 changed ok markus@ as part of larger commit
2015-02-17 09:32:31 +11:00
djm@openbsd.org 669aee9943 upstream commit
permit KRLs that revoke certificates by serial number or
 key ID without scoping to a particular CA; ok markus@
2015-01-30 12:17:07 +11:00
djm@openbsd.org 7a2c368477 upstream commit
missing parentheses after if in do_convert_from() broke
 private key conversion from other formats some time in 2010; bz#2345 reported
 by jjelen AT redhat.com
2015-01-30 12:16:33 +11:00
djm@openbsd.org 9ce86c926d upstream commit
update to new API (key_fingerprint => sshkey_fingerprint)
 check sshkey_fingerprint return values; ok markus
2015-01-29 10:18:56 +11:00
deraadt@openbsd.org d2099dec6d upstream commit
djm, your /usr/include tree is old
2015-01-20 00:20:45 +11:00
djm@openbsd.org 2b3c3c76c3 upstream commit
some feedback from markus@: comment hostkeys_foreach()
 context and avoid a member in it.
2015-01-20 00:20:44 +11:00
djm@openbsd.org cecb30bc2b upstream commit
make ssh-keygen use hostkeys_foreach(). Removes some
 horrendous code; ok markus@
2015-01-20 00:20:44 +11:00
djm@openbsd.org 7efb455789 upstream commit
infer key length correctly when user specified a fully-
 qualified key name instead of using the -b bits option; ok markus@
2015-01-20 00:19:59 +11:00
djm@openbsd.org bb8b442d32 upstream commit
regression: incorrect error message on
 otherwise-successful ssh-keygen -A. Reported by Dmitry Orlov, via deraadt@
2015-01-20 00:18:44 +11:00
deraadt@openbsd.org 2ae4f337b2 upstream commit
Replace <sys/param.h> with <limits.h> and other less
 dirty headers where possible.  Annotate <sys/param.h> lines with their
 current reasons.  Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1,
 LOGIN_NAME_MAX, etc.  Change MIN() and MAX() to local definitions of
 MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution.
 These are the files confirmed through binary verification. ok guenther,
 millert, doug (helped with the verification protocol)
2015-01-16 18:24:48 +11:00
djm@openbsd.org 1129dcfc5a upstream commit
sync ssh-keysign, ssh-keygen and some dependencies to the
 new buffer/key API; mostly mechanical, ok markus@
2015-01-15 21:39:14 +11:00
Damien Miller b03ebe2c22 more --without-openssl
fix some regressions caused by upstream merges

enable KRLs now that they no longer require BIGNUMs
2015-01-15 03:08:58 +11:00
Damien Miller 72ef7c148c support --without-openssl at configure time
Disables and removes dependency on OpenSSL. Many features don't
work and the set of crypto options is greatly restricted. This
will only work on system with native arc4random or /dev/urandom.

Considered highly experimental for now.
2015-01-15 02:28:36 +11:00
djm@openbsd.org 56d1c83cdd upstream commit
Add FingerprintHash option to control algorithm used for
 key fingerprints. Default changes from MD5 to SHA256 and format from hex to
 base64.

Feedback and ok naddy@ markus@
2014-12-22 09:32:29 +11:00
doug@openbsd.org 7df8818409 upstream commit
Free resources on error in mkstemp and fdopen

ok djm@
2014-10-13 11:37:21 +11:00
Damien Miller 4a1d3d50f0 - djm@cvs.openbsd.org 2014/07/03 03:47:27
[ssh-keygen.c]
     When hashing or removing hosts using ssh-keygen, don't choke on
     @revoked markers and don't remove @cert-authority markers;
     bz#2241, reported by mlindgren AT runelind.net
2014-07-03 21:24:40 +10:00
Damien Miller e5c0d52ceb - djm@cvs.openbsd.org 2014/07/03 03:34:09
[gss-serv.c session.c ssh-keygen.c]
     standardise on NI_MAXHOST for gethostname() string lengths; about
     1/2 the cases were using it already. Fixes bz#2239 en passant
2014-07-03 21:24:19 +10:00
Damien Miller 8668706d0f - djm@cvs.openbsd.org 2014/06/24 01:13:21
[Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c
     [auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c
     [cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h
     [digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h
     [hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h
     [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c
     [ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c
     [ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c
     [sshconnect2.c sshd.c sshkey.c sshkey.h
     [openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h]
     New key API: refactor key-related functions to be more library-like,
     existing API is offered as a set of wrappers.

     with and ok markus@

     Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
     Dempsky and Ron Bowes for a detailed review a few months ago.

     NB. This commit also removes portable OpenSSH support for OpenSSL
     <0.9.8e.
2014-07-02 15:28:02 +10:00
Damien Miller 1f0311c7c7 - markus@cvs.openbsd.org 2014/04/29 18:01:49
[auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c]
     [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c]
     [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
     [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c]
     make compiling against OpenSSL optional (make OPENSSL=no);
     reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
     allows us to explore further options; with and ok djm
2014-05-15 14:24:09 +10:00
Damien Miller 633de33b19 - djm@cvs.openbsd.org 2014/04/28 03:09:18
[authfile.c bufaux.c buffer.h channels.c krl.c mux.c packet.c packet.h]
     [ssh-keygen.c]
     buffer_get_string_ptr's return should be const to remind
     callers that futzing with it will futz with the actual buffer
     contents
2014-05-15 13:48:26 +10:00
Damien Miller 16cd3928a8 - logan@cvs.openbsd.org 2014/04/20 09:24:26
[dns.c dns.h ssh-keygen.c]
     Add support for SSHFP DNS records for ED25519 key types.
     OK from djm@
2014-05-15 13:45:58 +10:00
Damien Miller f0858de6e1 - deraadt@cvs.openbsd.org 2014/03/15 17:28:26
[ssh-agent.c ssh-keygen.1 ssh-keygen.c]
     Improve usage() and documentation towards the standard form.
     In particular, this line saves a lot of man page reading time.
       usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
                         [-N new_passphrase] [-C comment] [-f output_keyfile]
     ok schwarze jmc
2014-04-20 13:01:30 +10:00
Damien Miller 8f9cd709c7 - djm@cvs.openbsd.org 2014/03/12 04:50:32
[auth-bsdauth.c ssh-keygen.c]
     don't count on things that accept arguments by reference to clear
     things for us on error; most things do, but it's unsafe form.
2014-04-20 13:00:11 +10:00
Damien Miller 6ce35b6cc4 - naddy@cvs.openbsd.org 2014/02/05 20:13:25
[ssh-keygen.1 ssh-keygen.c]
     tweak synopsis: calling ssh-keygen without any arguments is fine; ok jmc@
     while here, fix ordering in usage(); requested by jmc@
2014-02-07 09:24:14 +11:00
Damien Miller a5103f413b - djm@cvs.openbsd.org 2014/02/02 03:44:32
[auth1.c auth2-chall.c auth2-passwd.c authfile.c bufaux.c bufbn.c]
     [buffer.c cipher-3des1.c cipher.c clientloop.c gss-serv.c kex.c]
     [kexdhc.c kexdhs.c kexecdhc.c kexgexc.c kexecdhs.c kexgexs.c key.c]
     [monitor.c monitor_wrap.c packet.c readpass.c rsa.c serverloop.c]
     [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c]
     [ssh-keygen.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c]
     [sshd.c]
     convert memset of potentially-private data to explicit_bzero()
2014-02-04 11:20:14 +11:00
Damien Miller 1d2c456426 - tedu@cvs.openbsd.org 2014/01/31 16:39:19
[auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c]
     [channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c]
     [kexc25519.c krl.c monitor.c sandbox-systrace.c session.c]
     [sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c]
     [openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h]
     replace most bzero with explicit_bzero, except a few that cna be memset
     ok djm dtucker
2014-02-04 11:18:20 +11:00
Damien Miller 5be9d9e3cb - markus@cvs.openbsd.org 2013/12/06 13:39:49
[authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c]
     [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c]
     [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c]
     [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c]
     [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c]
     support ed25519 keys (hostkeys and user identities) using the public
     domain ed25519 reference code from SUPERCOP, see
     http://ed25519.cr.yp.to/software.html
     feedback, help & ok djm@
2013-12-07 11:24:01 +11:00
Damien Miller bcd00abd84 - markus@cvs.openbsd.org 2013/12/06 13:34:54
[authfile.c authfile.h cipher.c cipher.h key.c packet.c ssh-agent.c]
     [ssh-keygen.c PROTOCOL.key] new private key format, bcrypt as KDF by
     default; details in PROTOCOL.key; feedback and lots help from djm;
     ok djm@
2013-12-07 10:41:55 +11:00
Damien Miller 0f8536da23 - djm@cvs.openbsd.org 2013/12/06 03:40:51
[ssh-keygen.c]
     remove duplicated character ('g') in getopt() string;
     document the (few) remaining option characters so we don't have to
     rummage next time.
2013-12-07 10:31:37 +11:00
Damien Miller 26506ad293 - (djm) [ssh-keygen.c ssh-keysign.c sshconnect1.c sshd.c] Remove
unnecessary arc4random_stir() calls. The only ones left are to ensure
   that the PRNG gets a different state after fork() for platforms that
   have broken the API.
2013-10-26 10:05:46 +11:00
Damien Miller 5b01b0dcb4 - djm@cvs.openbsd.org 2013/10/23 04:16:22
[ssh-keygen.c]
     Make code match documentation: relative-specified certificate expiry time
     should be relative to current time and not the validity start time.
     Reported by Petr Lautrbach; ok deraadt@
2013-10-23 16:31:31 +11:00
Damien Miller 8bab5e7b5f - deraadt@cvs.openbsd.org 2013/09/02 22:00:34
[ssh-keygen.c sshconnect1.c sshd.c]
     All the instances of arc4random_stir() are bogus, since arc4random()
     does this itself, inside itself, and has for a very long time..  Actually,
     this was probably reducing the entropy available.
     ok djm
     ID SYNC ONLY for portable; we don't trust other arc4random implementations
     to do this right.
2013-09-14 09:47:00 +10:00
Damien Miller 660854859c - mikeb@cvs.openbsd.org 2013/08/28 12:34:27
[ssh-keygen.c]
     improve batch processing a bit by making use of the quite flag a bit
     more often and exit with a non zero code if asked to find a hostname
     in a known_hosts file and it wasn't there;
     originally from reyk@,  ok djm
2013-09-14 09:45:03 +10:00
Damien Miller d5d9d7b1fd - djm@cvs.openbsd.org 2013/08/13 18:33:08
[ssh-keygen.c]
     another of the same typo
2013-08-21 02:43:27 +10:00
Damien Miller d234afb0b3 - djm@cvs.openbsd.org 2013/08/13 18:32:08
[ssh-keygen.c]
     typo in error message; from Stephan Rickauer
2013-08-21 02:42:58 +10:00
Damien Miller 3009d3cbb8 - djm@cvs.openbsd.org 2013/07/20 01:44:37
[ssh-keygen.c ssh.c]
     More useful error message on missing current user in /etc/passwd
2013-07-20 13:22:31 +10:00
Damien Miller 5bb8833e80 - djm@cvs.openbsd.org 2013/07/12 05:42:03
[ssh-keygen.c]
     do_print_resource_record() can never be called with a NULL filename, so
     don't attempt (and bungle) asking for one if it has not been specified
     bz#2127 ok dtucker@
2013-07-18 16:13:37 +10:00
Damien Miller 746d1a6c52 - djm@cvs.openbsd.org 2013/07/12 00:20:00
[sftp.c ssh-keygen.c ssh-pkcs11.c]
     fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
2013-07-18 16:13:02 +10:00
Darren Tucker a627d42e51 - djm@cvs.openbsd.org 2013/05/17 00:13:13
[xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
     ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c
     gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c
     auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c
     servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c
     auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c
     sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c
     kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c
     kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c
     monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c
     ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c
     sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c
     ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
     dns.c packet.c readpass.c authfd.c moduli.c]
     bye, bye xfree(); ok markus@
2013-06-02 07:31:17 +10:00
Damien Miller 0d6771b464 - djm@cvs.openbsd.org 2013/04/19 01:01:00
[ssh-keygen.c]
     fix some memory leaks; bz#2088 ok dtucker@
2013-04-23 15:23:24 +10:00
Damien Miller 78d22713c7 - djm@cvs.openbsd.org 2013/02/10 23:32:10
[ssh-keygen.c]
     append to moduli file when screening candidates rather than overwriting.
     allows resumption of interrupted screen; patch from Christophe Garault
     in bz#1957; ok dtucker@
2013-02-12 11:03:36 +11:00
Damien Miller 3d6d68b1e1 - jmc@cvs.openbsd.org 2013/01/18 07:59:46
[ssh-keygen.c]
     -u before -V in usage();
2013-01-20 22:33:23 +11:00
Damien Miller f3747bf401 - djm@cvs.openbsd.org 2013/01/17 23:00:01
[auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5]
     [krl.c krl.h PROTOCOL.krl]
     add support for Key Revocation Lists (KRLs). These are a compact way to
     represent lists of revoked keys and certificates, taking as little as
     a single bit of incremental cost to revoke a certificate by serial number.
     KRLs are loaded via the existing RevokedKeys sshd_config option.
     feedback and ok markus@
2013-01-18 11:44:04 +11:00
Damien Miller 1422c0887c - djm@cvs.openbsd.org 2013/01/09 05:40:17
[ssh-keygen.c]
     correctly initialise fingerprint type for fingerprinting PKCS#11 keys
2013-01-09 16:44:54 +11:00
Damien Miller ec77c954c8 - djm@cvs.openbsd.org 2013/01/03 23:22:58
[ssh-keygen.c]
     allow fingerprinting of keys hosted in PKCS#11 tokens: ssh-keygen -lD ...
     ok markus@
2013-01-09 15:58:00 +11:00
Damien Miller 55aca027ed - djm@cvs.openbsd.org 2012/12/03 00:14:06
[auth2-chall.c ssh-keygen.c]
     Fix compilation with -Wall -Werror (trivial type fixes)
2012-12-03 11:25:30 +11:00
Damien Miller 6f3b362fa8 - djm@cvs.openbsd.org 2012/11/14 02:32:15
[ssh-keygen.c]
     allow the full range of unsigned serial numbers; 'fine' deraadt@
2012-11-14 19:04:33 +11:00
Darren Tucker 0dc283b13a - djm@cvs.openbsd.org 2012/10/02 07:07:45
[ssh-keygen.c]
     fix -z option, broken in revision 1.215
2012-10-05 10:52:51 +10:00
Darren Tucker f09a8a6c6d - djm@cvs.openbsd.org 2012/08/17 01:25:58
[ssh-keygen.c]
     print details of which host lines were deleted when using
     "ssh-keygen -R host"; ok markus@
2012-09-06 21:20:39 +10:00
Damien Miller 709a1e90d9 - jmc@cvs.openbsd.org 2012/07/06 06:38:03
[ssh-keygen.c]
     missing full stop in usage();
2012-07-31 12:20:43 +10:00
Damien Miller dfceafe8b1 - dtucker@cvs.openbsd.org 2012/07/06 00:41:59
[moduli.c ssh-keygen.1 ssh-keygen.c]
     Add options to specify starting line number and number of lines to process
     when screening moduli candidates.  This allows processing of different
     parts of a candidate moduli file in parallel.  man page help jmc@, ok djm@
2012-07-06 13:44:19 +10:00
Damien Miller 3bde12aeef - djm@cvs.openbsd.org 2012/05/23 03:28:28
[dns.c dns.h key.c key.h ssh-keygen.c]
     add support for RFC6594 SSHFP DNS records for ECDSA key types.
     patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@
2012-06-20 21:51:11 +10:00
Damien Miller a563cced06 - djm@cvs.openbsd.org 2012/02/29 11:21:26
[ssh-keygen.c]
     allow conversion of RSA1 keys to public PEM and PKCS8; "nice" markus@
2012-04-22 11:07:28 +10:00
Damien Miller b56e4930ae - (djm) [ssh-keygen.c] Don't fail in do_gen_all_hostkeys on platforms
that don't support ECC. Patch from Phil Oleson
2012-02-06 07:41:27 +11:00
Damien Miller 927d82bc6a - jmc@cvs.openbsd.org 2011/10/16 15:02:41
[ssh-keygen.c]
     put -K in the right place (usage());
2011-10-18 16:05:38 +11:00
Damien Miller 390d0561fc - dtucker@cvs.openbsd.org 2011/10/16 11:02:46
[moduli.c ssh-keygen.1 ssh-keygen.c]
     Add optional checkpoints for moduli screening.  feedback & ok deraadt
2011-10-18 16:05:19 +11:00
Darren Tucker 0dd24e02ec - (dtucker) [ssh-keygen.c ssh-pkcs11.c] Bug #1929: add null implementations
ofsh-pkcs11.cpkcs_init and pkcs_terminate for building without dlopen support.
2011-09-04 19:59:26 +10:00
Damien Miller 2ce12ef1ac - djm@cvs.openbsd.org 2011/05/04 21:15:29
[authfile.c authfile.h ssh-add.c]
     allow "ssh-add - < key"; feedback and ok markus@
2011-05-05 14:17:18 +10:00
Damien Miller 884b63a061 - djm@cvs.openbsd.org 2011/04/12 04:23:50
[ssh-keygen.c]
     fix -Wshadow
2011-05-05 14:14:52 +10:00
Damien Miller 044f4a6cc3 - stevesk@cvs.openbsd.org 2011/03/24 22:14:54
[ssh-keygen.c]
     use strcasecmp() for "clear" cert permission option also; ok djm
2011-05-05 14:14:08 +10:00
Damien Miller 111431963e - stevesk@cvs.openbsd.org 2011/03/23 16:50:04
[ssh-keygen.c]
     remove -d, documentation removed >10 years ago; ok markus
2011-05-05 14:13:25 +10:00
Damien Miller 58f1bafb3d - stevesk@cvs.openbsd.org 2011/03/23 15:16:22
[ssh-keygen.1 ssh-keygen.c]
     Add -A option.  For each of the key types (rsa1, rsa, dsa and ecdsa)
     for which host keys do not exist, generate the host keys with the
     default key file path, an empty passphrase, default bits for the key
     type, and default comment.  This will be used by /etc/rc to generate
     new host keys.  Idea from deraadt.
     ok deraadt
2011-05-05 14:06:15 +10:00
Damien Miller f22019bdbf - (djm) [Makefile.in WARNING.RNG aclocal.m4 buildpkg.sh.in configure.ac]
[entropy.c ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c]
   [ssh-keysign.c ssh-pkcs11-helper.c ssh-rand-helper.8 ssh-rand-helper.c]
   [ssh.c ssh_prng_cmds.in sshd.c contrib/aix/buildbff.sh]
   [regress/README.regress] Remove ssh-rand-helper and all its
   tentacles. PRNGd seeding has been rolled into entropy.c directly.
   Thanks to tim@ for testing on affected platforms.
2011-05-05 13:48:37 +10:00
Damien Miller 821de0ad2e - djm@cvs.openbsd.org 2011/01/11 06:13:10
[clientloop.c ssh-keygen.c sshd.c]
     some unsigned long long casts that make things a bit easier for
     portable without resorting to dropping PRIu64 formats everywhere
2011-01-11 17:20:29 +11:00
Damien Miller dd190ddfd7 - (djm) [servconf.c ssh-add.c ssh-keygen.c] don't look for ECDSA keys on
platforms that don't support ECC. Fixes some spurious warnings reported
   by tim@
2010-11-11 14:17:02 +11:00
Damien Miller b472a90d4c - djm@cvs.openbsd.org 2010/10/28 11:22:09
[authfile.c key.c key.h ssh-keygen.c]
     fix a possible NULL deref on loading a corrupt ECDH key

     store ECDH group information in private keys files as "named groups"
     rather than as a set of explicit group parameters (by setting
     the OPENSSL_EC_NAMED_CURVE flag). This makes for shorter key files and
     retrieves the group's OpenSSL NID that we need for various things.
2010-11-05 10:19:49 +11:00
Damien Miller 6af914a15c - (djm) [authfd.c authfile.c bufec.c buffer.h configure.ac kex.h kexecdh.c]
[kexecdhc.c kexecdhs.c key.c key.h myproposal.h packet.c readconf.c]
   [ssh-agent.c ssh-ecdsa.c ssh-keygen.c ssh.c] Disable ECDH and ECDSA on
   platforms that don't have the requisite OpenSSL support. ok dtucker@
2010-09-10 11:39:26 +10:00
Damien Miller 6e9f680cd2 - naddy@cvs.openbsd.org 2010/09/02 17:21:50
[ssh-keygen.c]
     Switch ECDSA default key size to 256 bits, which according to RFC5656
     should still be better than our current RSA-2048 default.
     ok djm@, markus@
2010-09-10 11:17:38 +10:00
Damien Miller 5773794d55 - markus@cvs.openbsd.org 2010/09/02 16:07:25
[ssh-keygen.c]
     permit -b 256, 384 or 521 as key size for ECDSA; ok djm@
2010-09-10 11:16:37 +10:00
Damien Miller 4314c2b548 - djm@cvs.openbsd.org 2010/08/31 12:33:38
[ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c]
     reintroduce commit from tedu@, which I pulled out for release
     engineering:
       OpenSSL_add_all_algorithms is the name of the function we have a
       man page for, so use that.  ok djm
2010-09-10 11:12:09 +10:00
Damien Miller eb8b60e320 - djm@cvs.openbsd.org 2010/08/31 11:54:45
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c]
     [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c]
     [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c]
     [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c]
     [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h]
     [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5]
     [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c]
     Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
     host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
     better performance than plain DH and DSA at the same equivalent symmetric
     key length, as well as much shorter keys.

     Only the mandatory sections of RFC5656 are implemented, specifically the
     three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
     ECDSA. Point compression (optional in RFC5656 is NOT implemented).

     Certificate host and user keys using the new ECDSA key types are supported.

     Note that this code has not been tested for interoperability and may be
     subject to change.

     feedback and ok markus@
2010-08-31 22:41:14 +10:00
Damien Miller d96546f5b0 - djm@cvs.openbsd.org 2010/08/16 04:06:06
[ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c]
     backout previous temporarily; discussed with deraadt@
2010-08-31 22:32:12 +10:00
Damien Miller 9b87e79538 - tedu@cvs.openbsd.org 2010/08/12 23:34:39
[ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c]
     OpenSSL_add_all_algorithms is the name of the function we have a man page
     for, so use that.  ok djm
2010-08-31 22:31:37 +10:00
Damien Miller 757f34e051 - djm@cvs.openbsd.org 2010/08/04 06:07:11
[ssh-keygen.1 ssh-keygen.c]
     Support CA keys in PKCS#11 tokens; feedback and ok markus@
2010-08-05 13:05:31 +10:00
Damien Miller 1da6388959 - djm@cvs.openbsd.org 2010/08/04 05:40:39
[PROTOCOL.certkeys ssh-keygen.c]
     tighten the rules for certificate encoding by requiring that options
     appear in lexical order and make our ssh-keygen comply. ok markus@
2010-08-05 13:03:51 +10:00
Damien Miller 844cccfc1a - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/07/16 04:45:30
     [ssh-keygen.c]
     avoid bogus compiler warning
2010-08-03 16:03:29 +10:00
Damien Miller 6022f58e3a - jmc@cvs.openbsd.org 2010/06/30 07:26:03
[ssh-keygen.c]
     sort usage();
2010-07-02 13:37:01 +10:00
Damien Miller 44b2504011 - djm@cvs.openbsd.org 2010/06/29 23:15:30
[ssh-keygen.1 ssh-keygen.c]
     allow import (-i) and export (-e) of PEM and PKCS#8 encoded keys;
     bz#1749; ok markus@
2010-07-02 13:35:01 +10:00
Damien Miller d834d35834 - djm@cvs.openbsd.org 2010/06/23 02:59:02
[ssh-keygen.c]
     fix printing of extensions in v01 certificates that I broke in r1.190
2010-06-26 09:48:02 +10:00
Damien Miller ba3420acd2 - djm@cvs.openbsd.org 2010/06/22 04:32:06
[ssh-keygen.c]
     standardise error messages when attempting to open private key
     files to include "progname: filename: error reason"
     bz#1783; ok dtucker@
2010-06-26 09:39:07 +10:00
Damien Miller d0e4a8e2e0 - djm@cvs.openbsd.org 2010/05/20 23:46:02
[PROTOCOL.certkeys auth-options.c ssh-keygen.c]
     Move the permit-* options to the non-critical "extensions" field for v01
     certificates. The logic is that if another implementation fails to
     implement them then the connection just loses features rather than fails
     outright.

     ok markus@
2010-05-21 14:58:32 +10:00
Damien Miller bebbb7e8a5 - djm@cvs.openbsd.org 2010/04/23 22:48:31
[ssh-keygen.c]
     refuse to generate keys longer than OPENSSL_[RD]SA_MAX_MODULUS_BITS,
     since we would refuse to use them anyway. bz#1516; ok dtucker@
2010-05-10 11:54:38 +10:00
Damien Miller 50af79b118 - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/04/23 01:47:41
     [ssh-keygen.c]
     bz#1740: display a more helpful error message when $HOME is
     inaccessible while trying to create .ssh directory. Based on patch
     from jchadima AT redhat.com; ok dtucker@
2010-05-10 11:52:00 +10:00
Damien Miller 1f181425e9 - jmc@cvs.openbsd.org 2010/04/16 06:47:04
[ssh-keygen.1 ssh-keygen.c]
     tweak previous; ok djm
2010-04-18 08:08:03 +10:00
Damien Miller 4e270b05dd - djm@cvs.openbsd.org 2010/04/16 01:47:26
[PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c]
     [auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c]
     [ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c]
     [sshconnect.c sshconnect2.c sshd.c]
     revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the
     following changes:

     move the nonce field to the beginning of the certificate where it can
     better protect against chosen-prefix attacks on the signature hash

     Rename "constraints" field to "critical options"

     Add a new non-critical "extensions" field

     Add a serial number

     The older format is still support for authentication and cert generation
     (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)

     ok markus@
2010-04-16 15:56:21 +10:00
Damien Miller 1cfbfaf4a0 - stevesk@cvs.openbsd.org 2010/03/15 19:40:02
[key.c key.h ssh-keygen.c]
     also print certificate type (user or host) for ssh-keygen -L
     ok djm kettenis
2010-03-22 05:58:24 +11:00
Damien Miller 3e1ee491f3 - djm@cvs.openbsd.org 2010/03/07 22:16:01
[ssh-keygen.c]
     make internal strptime string match strftime format;
     suggested by vinschen AT redhat.com and markus@
2010-03-08 09:24:11 +11:00
Damien Miller 689b872842 - djm@cvs.openbsd.org 2010/03/04 23:27:25
[auth-options.c ssh-keygen.c]
     "force-command" is not spelled "forced-command"; spotted by
     imorgan AT nas.nasa.gov
2010-03-05 10:42:24 +11:00
Damien Miller f2b70cad75 - djm@cvs.openbsd.org 2010/03/04 20:35:08
[ssh-keygen.1 ssh-keygen.c]
     Add a -L flag to print the contents of a certificate; ok markus@
2010-03-05 07:39:35 +11:00
Damien Miller 1aed65eb27 - djm@cvs.openbsd.org 2010/03/04 10:36:03
[auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c]
     [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h]
     [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5]
     Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
     are trusted to authenticate users (in addition than doing it per-user
     in authorized_keys).

     Add a RevokedKeys option to sshd_config and a @revoked marker to
     known_hosts to allow keys to me revoked and banned for user or host
     authentication.

     feedback and ok markus@
2010-03-04 21:53:35 +11:00
Damien Miller 910f209c1d - (djm) [ssh-keygen.c] Use correct local variable, instead of
maybe-undefined global "optarg"
2010-03-04 14:17:22 +11:00
Damien Miller 2ca342b84b - djm@cvs.openbsd.org 2010/03/02 23:20:57
[ssh-keygen.c]
     POSIX strptime is stricter than OpenBSD's so do a little dance to
     appease it.
2010-03-03 12:14:15 +11:00
Damien Miller 0a80ca190a - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/02/26 20:29:54
     [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
     [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
     [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
     [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
     [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
     [sshconnect2.c sshd.8 sshd.c sshd_config.5]
     Add support for certificate key types for users and hosts.

     OpenSSH certificate key types are not X.509 certificates, but a much
     simpler format that encodes a public key, identity information and
     some validity constraints and signs it with a CA key. CA keys are
     regular SSH keys. This certificate style avoids the attack surface
     of X.509 certificates and is very easy to deploy.

     Certified host keys allow automatic acceptance of new host keys
     when a CA certificate is marked as sh/known_hosts.
     see VERIFYING HOST KEYS in ssh(1) for details.

     Certified user keys allow authentication of users when the signing
     CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
     FILE FORMAT" in sshd(8) for details.

     Certificates are minted using ssh-keygen(1), documentation is in
     the "CERTIFICATES" section of that manpage.

     Documentation on the format of certificates is in the file
     PROTOCOL.certkeys

     feedback and ok markus@
2010-02-27 07:55:05 +11:00
Damien Miller 86cbb44d47 - djm@cvs.openbsd.org 2010/02/09 00:50:59
[ssh-keygen.c]
     fix -Wall
2010-02-12 09:22:57 +11:00
Damien Miller 7ea845e48d - markus@cvs.openbsd.org 2010/02/08 10:50:20
[pathnames.h readconf.c readconf.h scp.1 sftp.1 ssh-add.1 ssh-add.c]
     [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config.5]
     replace our obsolete smartcard code with PKCS#11.
        ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf
     ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11
     provider (shared library) while ssh-agent(1) delegates PKCS#11 to
     a forked a ssh-pkcs11-helper process.
     PKCS#11 is currently a compile time option.
     feedback and ok djm@; inspired by patches from Alon Bar-Lev
`
2010-02-12 09:21:02 +11:00
Darren Tucker d04758dc4c - djm@cvs.openbsd.org 2010/01/11 10:51:07
[ssh-keygen.c]
     when converting keys, truncate key comments at 72 chars as per RFC4716;
     bz#1630 reported by tj AT castaglia.org; ok markus@
2010-01-12 19:41:57 +11:00
Darren Tucker 9bcd25b78b - djm@cvs.openbsd.org 2009/08/27 17:33:49
[ssh-keygen.c]
     force use of correct hash function for random-art signature display
     as it was inheriting the wrong one when bubblebabble signatures were
     activated; bz#1611 report and patch from fwojcik+openssh AT besh.com;
     ok markus@
2009-10-07 08:45:48 +11:00
Darren Tucker 821d3dbe36 - dtucker@cvs.openbsd.org 2009/06/22 05:39:28
[monitor_wrap.c monitor_mm.c ssh-keygen.c auth2.c gss-genr.c sftp-client.c]
     alphabetize includes; reduces diff vs portable and style(9).
     ok stevesk djm
     (Id sync only; these were already in order in -portable)
2009-06-22 16:11:06 +10:00
Damien Miller 9eab9564d5 - (djm) OpenBSD CVS Sync
- tobias@cvs.openbsd.org 2009/02/21 19:32:04
     [misc.c sftp-server-main.c ssh-keygen.c]
     Added missing newlines in error messages.
     ok dtucker
2009-02-22 08:47:02 +11:00
Darren Tucker e15fb09847 - stevesk@cvs.openbsd.org 2008/11/07 00:42:12
[ssh-keygen.c]
     spelling/typo in comment
2008-11-11 16:31:43 +11:00
Damien Miller 81dec0589a - sthen@cvs.openbsd.org 2008/07/13 21:22:52
[ssh-keygen.c]
     Change "ssh-keygen -F [host] -l" to not display random art unless
     -v is also specified, making it consistent with the manual and other
     uses of -l.
     ok grunk@
2008-07-14 11:28:29 +10:00
Darren Tucker b68fb4ad21 - grunk@cvs.openbsd.org 2008/06/12 21:14:46
[ssh-keygen.c]
     make ssh-keygen -lf show the key type just as ssh-add -l would do it
     ok djm@ markus@
2008-06-13 08:57:27 +10:00
Darren Tucker 35c45535ea - grunk@cvs.openbsd.org 2008/06/11 22:20:46
[ssh-keygen.c ssh-keygen.1]
     ssh-keygen would write fingerprints to STDOUT, and random art to STDERR,
     that is not how it was envisioned.
     Also correct manpage saying that -v is needed along with -l for it to work.
     spotted by naddy@
2008-06-13 04:43:15 +10:00
Darren Tucker a376a32e8e - grunk@cvs.openbsd.org 2008/06/11 21:38:25
[ssh-keygen.c]
     ssh-keygen -lv -f /etc/ssh/ssh_host_rsa_key.pub
     would not display you the random art as intended, spotted by canacar@
2008-06-13 04:42:14 +10:00
Darren Tucker 9c16ac9263 - grunk@cvs.openbsd.org 2008/06/11 21:01:35
[ssh_config.5 key.h readconf.c readconf.h ssh-keygen.1 ssh-keygen.c key.c
      sshconnect.c]
     Introduce SSH Fingerprint ASCII Visualization, a technique inspired by the
     graphical hash visualization schemes known as "random art", and by
     Dan Kaminsky's musings on the subject during a BlackOp talk at the
     23C3 in Berlin.
     Scientific publication (original paper):
     "Hash Visualization: a New Technique to improve Real-World Security",
     Perrig A. and Song D., 1999, International Workshop on Cryptographic
     Techniques and E-Commerce (CrypTEC '99)
     http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
     The algorithm used here is a worm crawling over a discrete plane,
     leaving a trace (augmenting the field) everywhere it goes.
     Movement is taken from dgst_raw 2bit-wise.  Bumping into walls
     makes the respective movement vector be ignored for this turn,
     thus switching to the other color of the chessboard.
     Graphs are not unambiguous for now, because circles in graphs can be
     walked in either direction.
     discussions with several people,
     help, corrections and ok markus@ djm@
2008-06-13 04:40:35 +10:00
Darren Tucker 0f7e910604 - djm@cvs.openbsd.org 2008/05/19 15:46:31
[ssh-keygen.c]
     support -l (print fingerprint) in combination with -F (find host) to
     search for a host in ~/.ssh/known_hosts and display its fingerprint;
     ok markus@
2008-06-08 12:54:29 +10:00
Darren Tucker bfaaf960a0 - (dtucker) [includes.h ssh-add.c ssh-agent.c ssh-keygen.c ssh.c sshd.c
openbsd-compat/openssl-compat.{c,h}] Bug #1437 Move the OpenSSL compat
   header to after OpenSSL headers, since some versions of OpenSSL have
   SSLeay_add_all_algorithms as a macro already.
2008-02-28 19:13:52 +11:00
Damien Miller cb2fbb2407 - djm@cvs.openbsd.org 2008/01/19 22:37:19
[ssh-keygen.c]
     unbreak line numbering (broken in revision 1.164), fix error message
2008-02-10 22:24:55 +11:00
Damien Miller a8796f3fcc - djm@cvs.openbsd.org 2008/01/19 22:22:58
[ssh-keygen.c]
     when hashing individual hosts (ssh-keygen -Hf hostname), make sure we
     hash just the specified hostname and not the entire hostspec from the
     keyfile. It may be of the form "hostname,ipaddr", which would lead to
     a hash that never matches. report and fix from jp AT devnull.cz
2008-02-10 22:24:30 +11:00
Damien Miller 0f4ed693d6 - chl@cvs.openbsd.org 2007/10/02 17:49:58
[ssh-keygen.c]
     handles zero-sized strings that fgets can return
2007-10-26 14:26:32 +10:00
Damien Miller 14b017d6f2 - gilles@cvs.openbsd.org 2007/09/11 15:47:17
[session.c ssh-keygen.c sshlogin.c]
     use strcspn to properly overwrite '\n' in fgets returned buffer
     ok pyr@, ray@, millert@, moritz@, chl@
2007-09-17 16:09:15 +10:00
Damien Miller 5cbe7ca18d - sobrado@cvs.openbsd.org 2007/09/09 11:38:01
[ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.c]
     sort synopsis and options in ssh-agent(1); usage is lowercase
     ok jmc@
2007-09-17 16:05:50 +10:00
Darren Tucker 82a3d2bc6f - stevesk@cvs.openbsd.org 2007/01/21 01:41:54
[auth-skey.c kex.c ssh-keygen.c session.c clientloop.c]
     spaces
2007-02-19 22:10:25 +11:00
Darren Tucker 26dc3e656a - jmc@cvs.openbsd.org 2007/01/12 20:20:41
[ssh-keygen.1 ssh-keygen.c]
     more secsh -> rfc 4716 updates;
     spotted by wiz@netbsd
     ok markus
2007-02-19 22:09:06 +11:00
Darren Tucker 9ac56e945b - (dtucker) [ssh-keygen.c] ac -> argv to match earlier sync. 2007-01-14 10:19:59 +11:00
Damien Miller 80163907ed - stevesk@cvs.openbsd.org 2007/01/03 03:01:40
[auth2-chall.c channels.c dns.c sftp.c ssh-keygen.c ssh.c]
     spaces
2007-01-05 16:30:16 +11:00
Damien Miller 6c7439f963 - stevesk@cvs.openbsd.org 2007/01/03 00:53:38
[ssh-keygen.c]
     remove small dead code; arnaud.lacombe.1@ulaval.ca via Coverity scan
2007-01-05 16:29:55 +11:00
Damien Miller df8b7db16e - (djm) OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2006/11/14 19:41:04
     [ssh-keygen.c]
     use argc and argv not some made up short form
2007-01-05 16:22:57 +11:00
Darren Tucker 0bc85579a9 - markus@cvs.openbsd.org 2006/11/06 21:25:28
[auth-rsa.c kexgexc.c kexdhs.c key.c ssh-dss.c sshd.c kexgexs.c
     ssh-keygen.c bufbn.c moduli.c scard.c kexdhc.c sshconnect1.c dh.c rsa.c]
     add missing checks for openssl return codes; with & ok djm@
2006-11-07 23:14:41 +11:00
Damien Miller ded319cca2 - (djm) [audit-bsm.c audit.c auth-bsdauth.c auth-chall.c auth-pam.c]
[auth-rsa.c auth-shadow.c auth-sia.c auth1.c auth2-chall.c]
   [auth2-gss.c auth2-kbdint.c auth2-none.c authfd.c authfile.c]
   [cipher-3des1.c cipher-aes.c cipher-bf1.c cipher-ctr.c clientloop.c]
   [dh.c dns.c entropy.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
   [kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c loginrec.c mac.c]
   [md5crypt.c monitor.c monitor_wrap.c readconf.c rsa.c]
   [scard-opensc.c scard.c session.c ssh-add.c ssh-agent.c ssh-dss.c]
   [ssh-keygen.c ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c]
   [sshconnect1.c sshconnect2.c sshd.c rc4.diff]
   [openbsd-compat/bsd-cray.c openbsd-compat/port-aix.c]
   [openbsd-compat/port-linux.c openbsd-compat/port-solaris.c]
   [openbsd-compat/port-uw.c]
   Lots of headers for SCO OSR6, mainly adding stdarg.h for log.h;
   compile problems reported by rac AT tenzing.org
2006-09-01 15:38:36 +10:00
Damien Miller d783435315 - deraadt@cvs.openbsd.org 2006/08/03 03:34:42
[OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c]
     [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
     [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c]
     [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ]
     [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c]
     [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c]
     [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
     [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c]
     [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
     [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c]
     [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c]
     [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c]
     [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c]
     [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h]
     [serverloop.c session.c session.h sftp-client.c sftp-common.c]
     [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
     [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c]
     [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c]
     [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c]
     [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h]
     [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h]
     almost entirely get rid of the culture of ".h files that include .h files"
     ok djm, sort of ok stevesk
     makes the pain stop in one easy step
     NB. portable commit contains everything *except* removing includes.h, as
     that will take a fair bit more work as we move headers that are required
     for portability workarounds to defines.h. (also, this step wasn't "easy")
2006-08-05 12:39:39 +10:00
Damien Miller a7a73ee35d - stevesk@cvs.openbsd.org 2006/08/01 23:22:48
[auth-passwd.c auth-rhosts.c auth-rsa.c auth.c auth.h auth1.c]
     [auth2-chall.c auth2-pubkey.c authfile.c buffer.c canohost.c]
     [channels.c clientloop.c dh.c dns.c dns.h hostfile.c kex.c kexdhc.c]
     [kexgexc.c kexgexs.c key.c key.h log.c misc.c misc.h moduli.c]
     [monitor_wrap.c packet.c progressmeter.c readconf.c readpass.c scp.c]
     [servconf.c session.c sftp-client.c sftp-common.c sftp-server.c sftp.c]
     [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh.c sshconnect.c]
     [sshconnect1.c sshconnect2.c sshd.c sshlogin.c sshtty.c uuencode.c]
     [uuencode.h xmalloc.c]
     move #include <stdio.h> out of includes.h
2006-08-05 11:37:59 +10:00
Damien Miller e7a1e5cf63 - stevesk@cvs.openbsd.org 2006/07/26 13:57:17
[authfd.c authfile.c dh.c canohost.c channels.c clientloop.c compat.c]
     [hostfile.c kex.c log.c misc.c moduli.c monitor.c packet.c readpass.c]
     [scp.c servconf.c session.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
     [ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c sshconnect.c]
     [sshconnect1.c sshd.c xmalloc.c]
     move #include <stdlib.h> out of includes.h
2006-08-05 11:34:19 +10:00
Damien Miller 8dbffe7904 - stevesk@cvs.openbsd.org 2006/07/26 02:35:17
[atomicio.c auth.c dh.c authfile.c buffer.c clientloop.c kex.c]
     [groupaccess.c gss-genr.c kexgexs.c misc.c monitor.c monitor_mm.c]
     [packet.c scp.c serverloop.c session.c sftp-client.c sftp-common.c]
     [sftp-server.c sftp.c ssh-add.c ssh-agent.c ssh-keygen.c sshlogin.c]
     [uidswap.c xmalloc.c]
     move #include <sys/param.h> out of includes.h
2006-08-05 11:02:17 +10:00
Damien Miller b8fe89c4d9 - (djm) [acss.c auth-krb5.c auth-options.c auth-pam.c auth-shadow.c]
[canohost.c channels.c cipher-acss.c defines.h dns.c gss-genr.c]
   [gss-serv-krb5.c gss-serv.c log.h loginrec.c logintest.c readconf.c]
   [servconf.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c]
   [ssh.c sshconnect.c sshd.c openbsd-compat/bindresvport.c]
   [openbsd-compat/bsd-arc4random.c openbsd-compat/bsd-misc.c]
   [openbsd-compat/getrrsetbyname.c openbsd-compat/glob.c]
   [openbsd-compat/mktemp.c openbsd-compat/port-linux.c]
   [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c]
   [openbsd-compat/setproctitle.c openbsd-compat/xmmap.c]
   make the portable tree compile again - sprinkle unistd.h and string.h
   back in. Don't redefine __unused, as it turned out to be used in
   headers on Linux, and replace its use in auth-pam.c with ARGSUSED
2006-07-24 14:51:00 +10:00
Damien Miller e3476ed03b - stevesk@cvs.openbsd.org 2006/07/22 20:48:23
[atomicio.c auth-options.c auth-passwd.c auth-rhosts.c auth-rsa.c]
     [auth.c auth1.c auth2-chall.c auth2-hostbased.c auth2-passwd.c auth2.c]
     [authfd.c authfile.c bufaux.c bufbn.c buffer.c canohost.c channels.c]
     [cipher-3des1.c cipher-bf1.c cipher-ctr.c cipher.c clientloop.c]
     [compat.c deattack.c dh.c dns.c gss-genr.c gss-serv.c hostfile.c]
     [includes.h kex.c kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c log.c]
     [mac.c match.c md-sha256.c misc.c moduli.c monitor.c monitor_fdpass.c]
     [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c rsa.c]
     [progressmeter.c readconf.c readpass.c scp.c servconf.c serverloop.c]
     [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c sftp.c]
     [ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
     [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c sshconnect2.c]
     [sshd.c sshlogin.c sshpty.c ttymodes.c uidswap.c xmalloc.c]
     move #include <string.h> out of includes.h
2006-07-24 14:13:33 +10:00
Damien Miller e6b3b610ec - stevesk@cvs.openbsd.org 2006/07/17 01:31:10
[authfd.c authfile.c channels.c cleanup.c clientloop.c groupaccess.c]
     [includes.h log.c misc.c msg.c packet.c progressmeter.c readconf.c]
     [readpass.c scp.c servconf.c sftp-client.c sftp-server.c sftp.c]
     [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c]
     [sshconnect.c sshlogin.c sshpty.c uidswap.c]
     move #include <unistd.h> out of includes.h
2006-07-24 14:01:23 +10:00
Damien Miller be43ebf975 - stevesk@cvs.openbsd.org 2006/07/12 22:28:52
[auth-options.c canohost.c channels.c includes.h readconf.c servconf.c ssh-keyscan.c ssh.c sshconnect.c sshd.c]
     move #include <netdb.h> out of includes.h; ok djm@
2006-07-24 13:51:51 +10:00
Darren Tucker 3997249346 - stevesk@cvs.openbsd.org 2006/07/11 20:07:25
[scp.c auth.c monitor.c serverloop.c sftp-server.c sshpty.c readpass.c
     sshd.c monitor_wrap.c monitor_fdpass.c ssh-agent.c ttymodes.c atomicio.c
     includes.h session.c sshlogin.c monitor_mm.c packet.c sshconnect2.c
     sftp-client.c nchan.c clientloop.c sftp.c misc.c canohost.c channels.c
     ssh-keygen.c progressmeter.c uidswap.c msg.c readconf.c sshconnect.c]
     move #include <errno.h> out of includes.h; ok markus@
2006-07-12 22:22:46 +10:00
Darren Tucker 2ee50c5cce - (dtucker) [configure.ac ssh-keygen.c openbsd-compat/bsd-openpty.c
openbsd-compat/daemon.c] Add includes needed by open(2).  Conditionally
   include paths.h.  Fixes build error on Solaris.
2006-07-11 18:55:05 +10:00
Damien Miller 57cf638577 - stevesk@cvs.openbsd.org 2006/07/09 15:15:11
[auth2-none.c authfd.c authfile.c includes.h misc.c monitor.c]
     [readpass.c scp.c serverloop.c sftp-client.c sftp-server.c]
     [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c]
     [sshlogin.c sshpty.c]
     move #include <fcntl.h> out of includes.h
2006-07-10 21:13:46 +10:00
Damien Miller e3b60b524e - stevesk@cvs.openbsd.org 2006/07/08 21:47:12
[authfd.c canohost.c clientloop.c dns.c dns.h includes.h]
     [monitor_fdpass.c nchan.c packet.c servconf.c sftp.c ssh-agent.c]
     [ssh-keyscan.c ssh.c sshconnect.h sshd.c sshlogin.h]
     move #include <sys/socket.h> out of includes.h
2006-07-10 21:08:03 +10:00
Damien Miller 69996104fe - stevesk@cvs.openbsd.org 2006/07/06 16:22:39
[ssh-keygen.c]
     move #include "dns.h" up
2006-07-10 20:53:31 +10:00
Damien Miller 9f2abc47eb - stevesk@cvs.openbsd.org 2006/07/06 16:03:53
[auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c]
     [auth-rhosts.c auth-rsa.c auth.c auth.h auth2-hostbased.c]
     [auth2-pubkey.c auth2.c includes.h misc.c misc.h monitor.c]
     [monitor_wrap.c monitor_wrap.h scp.c serverloop.c session.c]
     [session.h sftp-common.c ssh-add.c ssh-keygen.c ssh-keysign.c]
     [ssh.c sshconnect.c sshconnect.h sshd.c sshpty.c sshpty.h uidswap.c]
     [uidswap.h]
     move #include <pwd.h> out of includes.h; ok markus@
2006-07-10 20:53:08 +10:00
Damien Miller 40b5985fe0 - markus@cvs.openbsd.org 2006/05/17 12:43:34
[scp.c sftp.c ssh-agent.c ssh-keygen.c sshconnect.c]
     fix leak; coverity via Kylene Jo Hall
2006-06-13 13:00:25 +10:00
Damien Miller e23209f434 - dtucker@cvs.openbsd.org 2006/03/30 11:05:17
[ssh-keygen.c]
     Correctly handle truncated files while converting keys; ok djm@
2006-03-31 23:13:35 +11:00
Damien Miller 5f340065fc - deraadt@cvs.openbsd.org 2006/03/25 18:40:14
[ssh-keygen.c]
     cast strtonum() result to right type
2006-03-26 14:27:57 +11:00
Damien Miller 57c30117c1 - djm@cvs.openbsd.org 2006/03/25 13:17:03
[atomicio.c auth-bsdauth.c auth-chall.c auth-options.c auth-passwd.c]
     [auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth-skey.c auth.c auth1.c]
     [auth2-chall.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
     [auth2-passwd.c auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c]
     [buffer.c canohost.c channels.c cipher-3des1.c cipher-bf1.c]
     [cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c compress.c]
     [deattack.c dh.c dispatch.c fatal.c groupaccess.c hostfile.c kex.c]
     [kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c]
     [mac.c match.c md-sha256.c misc.c monitor.c monitor_fdpass.c]
     [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c progressmeter.c]
     [readconf.c readpass.c rsa.c scard.c scp.c servconf.c serverloop.c]
     [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c]
     [sftp.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
     [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
     [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
     [uidswap.c uuencode.c xmalloc.c]
     Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
     Theo nuked - our scripts to sync -portable need them in the files
2006-03-26 14:24:48 +11:00