exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementaion, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).
Thanks for Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself
(note this both the updated method and the one that it replaced are
disabled by default)
OpenBSD-Commit-ID: 2bf582b772d81ee24e911bb6f4b2aecfd39338ae
to obtain known_hosts data from a command in addition to the usual files.
The command accepts bunch of %-expansions, including details of the
connection and the offered server host key. Note that the command may
be invoked up to three times per connection (see the manpage for
details).
ok markus@
OpenBSD-Commit-ID: 2433cff4fb323918ae968da6ff38feb99b4d33d0
make privilege dropping optional but allow it via callbacks (to avoid
need to link uidswap.c everywhere)
add some other flags (keep environment, disable strict path safety check)
that make this more useful for client-side use.
feedback & ok markus@
OpenBSD-Commit-ID: a80ea9fdcc156f1a18e9c166122c759fae1637bf
rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc which was
standardized in RFC4253 (2006), has been deprecated and disabled by default
since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001.
This will reduce the amount of work the cipher/kex regression tests need
to do by a little bit. ok markus@ djm@
OpenBSD-Commit-ID: fb460acc18290a998fd70910b19c29b4e4f199ad
pointing out my error (parse_ssh_uri() can return -1/0/1, that I missed).
Reported by Raf Czlonka via bugs@
ok tb@
OpenBSD-Commit-ID: a2991a3794bcaf1ca2b025212cce11cdb5f6b7d6
Add load_hostkeys_file() and hostkeys_foreach_file() that accept a
FILE* argument instead of opening the file directly.
Original load_hostkeys() and hostkeys_foreach() are implemented using
these new interfaces.
Add a u_int note field to the hostkey_entry and hostkey_foreach_line
structs that is passed directly from the load_hostkeys() and
hostkeys_foreach() call. This is a lightweight way to annotate results
between different invocations of load_hostkeys().
ok markus@
OpenBSD-Commit-ID: 6ff6db13ec9ee4edfa658b2c38baad0f505d8c20
consolidate the common arguments into a single struct and pass that around
instead of using a bunch of globals. ok markus@
OpenBSD-Commit-ID: 035e6d7ca9145ad504f6af5a021943f1958cd19b
TCP connect. The connection phase of the SSH session is time-sensitive (due
to server side login grace periods) and is frequently interactive (e.g.
entering passwords). The ultimate interactive/bulk TOS/DSCP will be set after
authentication completes.
ok dtucker@
OpenBSD-Commit-ID: f31ab10d9233363a6d2c9996007083ba43a093f1
report the type because it is ambiguous as to whether it referred to the
known or new host key. bz3216; ok dtucker@
OpenBSD-Commit-ID: 2d5ce4a83dbcf44e340a572e361decad8aab7bad
djm@openbsd.org
dtucker@openbsd.org
tobhe@openbsd.org
Darren Tucker
Damien Miller
jmc@openbsd.org
tb@openbsd.org