djm@openbsd.org
45ffa36988
upstream: show the "please touch your security key" notifier when
...
using the (default) build-in security key support.
OpenBSD-Commit-ID: 4707643aaa7124501d14e92d1364b20f312a6428
2019-11-15 13:41:40 +11:00
djm@openbsd.org
49dc9fa928
upstream: close the "touch your security key" notifier on the error
...
path too
OpenBSD-Commit-ID: c7628bf80505c1aefbb1de7abc8bb5ee51826829
2019-11-15 13:41:40 +11:00
djm@openbsd.org
22a82712e8
upstream: correct function name in debug message
...
OpenBSD-Commit-ID: 2482c99d2ce448f39282493050f8a01e3ffc39ab
2019-11-15 13:41:40 +11:00
djm@openbsd.org
018e2902a6
upstream: follow existing askpass logic for security key notifier:
...
fall back to _PATH_SSH_ASKPASS_DEFAULT if no $SSH_ASKPASS environment
variable is set.
OpenBSD-Commit-ID: cda753726b13fb797bf7a9f7a0b3022d9ade4520
2019-11-15 13:41:40 +11:00
djm@openbsd.org
575d0042a9
upstream: remove debugging goop that snuck in to last commit
...
OpenBSD-Commit-ID: 8ea4455a2d9364a0a04f9e4a2cbfa4c9fcefe77e
2019-11-15 13:41:40 +11:00
Damien Miller
63a5b24f2d
don't fatal if libfido2 not found
...
spotted by dtucker@
2019-11-15 11:21:49 +11:00
Damien Miller
129952a81c
correct object dependency
2019-11-15 11:17:12 +11:00
djm@openbsd.org
6bff9521ab
upstream: directly support U2F/FIDO2 security keys in OpenSSH by
...
linking against the (previously external) USB HID middleware. The dlopen()
capability still exists for alternate middlewares, e.g. for Bluetooth, NFC
and test/debugging.
OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069
2019-11-15 09:57:30 +11:00
markus@openbsd.org
4f5e331cb8
upstream: in order to be able to figure out the number of
...
signatures left on a shielded key, we need to transfer the number of
signatures left from the private to the public key. ok djm@
OpenBSD-Commit-ID: 8a5d0d260aeace47d372695fdae383ce9b962574
2019-11-15 08:50:10 +11:00
markus@openbsd.org
dffd02e297
upstream: fix check for sig_s; noted by qsa at qualys.com
...
OpenBSD-Commit-ID: 34198084e4afb424a859f52c04bb2c9668a52867
2019-11-15 08:50:10 +11:00
dtucker@openbsd.org
fc173aeb15
upstream: When clients get denied by MaxStartups, send a
...
noification prior to the SSH2 protocol banner according to RFC4253 section
4.2. ok djm@ deraadt@ markus@
OpenBSD-Commit-ID: e5dabcb722d54dea18eafb336d50b733af4f9c63
2019-11-15 08:50:10 +11:00
markus@openbsd.org
bf219920b7
upstream: fix shield/unshield for xmss keys: - in ssh-agent we need
...
to delay the call to shield until we have received key specific options. -
when serializing xmss keys for shield we need to deal with all optional
components (e.g. state might not be loaded). ok djm@
OpenBSD-Commit-ID: cc2db82524b209468eb176d6b4d6b9486422f41f
2019-11-15 08:50:10 +11:00
deraadt@openbsd.org
40598b85d7
upstream: remove size_t gl_pathc < 0 test, it is invalid. the
...
return value from glob() is sufficient. discussed with djm
OpenBSD-Commit-ID: c91203322db9caaf7efaf5ae90c794a91070be3c
2019-11-15 08:50:10 +11:00
deraadt@openbsd.org
72687c8e7c
upstream: stdarg.h required more broadly; ok djm
...
OpenBSD-Commit-ID: b5b15674cde1b54d6dbbae8faf30d47e6e5d6513
2019-11-15 08:50:10 +11:00
Darren Tucker
1e0b248d47
Put sshsk_sign call inside ifdef ENABLE_SK.
...
Fixes build against OpenSSL configured without ECC.
2019-11-14 16:08:17 +11:00
Darren Tucker
546274a6f8
Remove duplicate __NR_clock_nanosleep
2019-11-13 23:27:31 +11:00
Darren Tucker
b1c82f4b8a
seccomp: Allow clock_nanosleep() in sandbox.
...
seccomp: Allow clock_nanosleep() to make OpenSSH working with latest
glibc. Patch from Jakub Jelen <jjelen@redhat.com> via bz #3093 .
2019-11-13 23:19:35 +11:00
Darren Tucker
2b523d2380
Include stdarg.h for va_list in xmalloc.h.
2019-11-13 11:56:56 +11:00
Darren Tucker
245dcbdca5
Put headers inside ifdef _AIX.
...
Prevents compile errors due to missing definitions (eg va_list) on
non-AIX platforms.
2019-11-13 11:19:26 +11:00
Darren Tucker
a4cc579c6a
Fix comment in match_usergroup_pattern_list.
...
Spotted by balu.gajjala@gmail.com via bz#3092.
2019-11-13 10:42:46 +11:00
djm@openbsd.org
fccff339ca
upstream: allow an empty attestation certificate returned by a
...
security key enrollment - these are possible for tokens that only offer self-
attestation. This also needs support from the middleware.
ok markus@
OpenBSD-Commit-ID: 135eeeb937088ef6830a25ca0bbe678dfd2c57cc
2019-11-13 10:15:47 +11:00
djm@openbsd.org
e44bb61824
upstream: security keys typically need to be tapped/touched in
...
order to perform a signature operation. Notify the user when this is expected
via the TTY (if available) or $SSH_ASKPASS if we can.
ok markus@
OpenBSD-Commit-ID: 0ef90a99a85d4a2a07217a58efb4df8444818609
2019-11-13 10:15:47 +11:00
djm@openbsd.org
4671211068
upstream: pass SSH_ASKPASS_PROMPT hint to y/n key confirm too
...
OpenBSD-Commit-ID: 08d46712e5e5f1bad0aea68e7717b7bec1ab8959
2019-11-13 10:15:46 +11:00
djm@openbsd.org
5d1c1590d7
upstream: dd API for performing one-shot notifications via tty or
...
SSH_ASKPASS
OpenBSD-Commit-ID: 9484aea33aff5b62ce3642bf259546c7639f23f3
2019-11-13 10:15:46 +11:00
djm@openbsd.org
166927fd41
upstream: add xvasprintf()
...
OpenBSD-Commit-ID: e5e3671c05c121993b034db935bce1a7aa372247
2019-11-13 10:15:46 +11:00
Darren Tucker
782093ec6c
Remove leftover if statement from sync.
2019-11-13 09:08:55 +11:00
markus@openbsd.org
b556cc3cbf
upstream: remove extra layer for ed25519 signature; ok djm@
...
OpenBSD-Commit-ID: 7672d9d0278b4bf656a12d3aab0c0bfe92a8ae47
2019-11-13 08:54:09 +11:00
markus@openbsd.org
3fcf69ace1
upstream: check sig_r and sig_s for ssh-sk keys; ok djm
...
OpenBSD-Commit-ID: 1a1e6a85b5f465d447a3800f739e35c5b74e0abc
2019-11-13 08:54:09 +11:00
markus@openbsd.org
2c55744a56
upstream: enable ed25519 support; ok djm
...
OpenBSD-Commit-ID: 1a399c5b3ef15bd8efb916110cf5a9e0b554ab7e
2019-11-13 08:54:09 +11:00
markus@openbsd.org
fd1a3b5e38
upstream: update sk-api to version 2 for ed25519 support; ok djm
...
OpenBSD-Commit-ID: 77aa4d5b6ab17987d8a600907b49573940a0044a
2019-11-13 08:49:59 +11:00
markus@openbsd.org
7c32b51edb
upstream: implement sshsk_ed25519_assemble(); ok djm
...
OpenBSD-Commit-ID: af9ec838b9bc643786310b5caefc4ca4754e68c6
2019-11-13 08:49:52 +11:00
markus@openbsd.org
fe05a36dc0
upstream: implement sshsk_ed25519_inner_sig(); ok djm
...
OpenBSD-Commit-ID: f422d0052c6d948fe0e4b04bc961f37fdffa0910
2019-11-13 08:49:52 +11:00
markus@openbsd.org
e03a29e655
upstream: rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
...
OpenBSD-Commit-ID: 1524042e09d81e54c4470d7bfcc0194c5b46fe19
2019-11-13 08:49:52 +11:00
markus@openbsd.org
bc7b5d6187
upstream: factor out sshsk_ecdsa_inner_sig(); ok djm@
...
OpenBSD-Commit-ID: 07e41997b542f670a15d7e2807143fe01efef584
2019-11-13 08:48:48 +11:00
markus@openbsd.org
cef84a062d
upstream: factor out sshsk_ecdsa_assemble(); ok djm@
...
OpenBSD-Commit-ID: 2313761a3a84ccfe032874d638d3c363e0f14026
2019-11-13 08:48:48 +11:00
markus@openbsd.org
7c096c456f
upstream: implement ssh-ed25519-sk verification; ok djm@
...
OpenBSD-Commit-ID: 37906d93948a1e3d237c20e713d6ca8fbf7d13f6
2019-11-13 08:48:48 +11:00
Damien Miller
ba5fb02bed
ignore ssh-sk-helper
2019-11-13 08:48:30 +11:00
deraadt@openbsd.org
78c9649894
upstream: skip demanding -fstack-protector-all on hppa. we never
...
wrote a stack protector for reverse-stack architectures, and i don't think
anyone else did either. a warning per compiled file is just annoying.
OpenBSD-Commit-ID: 14806a59353152f843eb349e618abbf6f4dd3ada
2019-11-13 08:47:31 +11:00
djm@openbsd.org
aa1c9e3778
upstream: duplicate 'x' character in getopt(3) optstring
...
OpenBSD-Commit-ID: 64c81caa0cb5798de3621eca16b7dd22e5d0d8a7
2019-11-11 14:25:46 +11:00
naddy@openbsd.org
aa4c640dc3
upstream: Fill in missing man page bits for U2F security key support:
...
Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's
SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable,
and ssh-keygen's new -w and -x options.
Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal
substitutions.
ok djm@
OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4
2019-11-08 14:09:32 +11:00
Darren Tucker
b236b27d6d
Put sftp-realpath in libssh.a
...
and remove it from the specific binary targets.
2019-11-03 00:10:43 +11:00
Darren Tucker
382c18c20c
statfs might be defined in sys/mount.h.
...
eg on old NetBSDs.
2019-11-03 00:09:21 +11:00
Darren Tucker
03ffc0951c
Put stdint.h inside ifdef HAVE_STDINT_H.
2019-11-02 23:25:01 +11:00
Darren Tucker
19cb64c4b4
Rebuild .depend.
2019-11-02 22:46:22 +11:00
Darren Tucker
3611bfe89b
Define __BSD_VISIBLE in fnmatch.h.
...
.. since we use symbols defined only when it is when using the compat
fnmatch.
2019-11-02 22:46:22 +11:00
Darren Tucker
f5cc5816aa
Only enable U2F if OpenSSL supports ECC.
...
This requires moving the U2F bits to below the OpenSSL parts so we have
the required information. ok djm@
2019-11-02 16:39:38 +11:00
naddy@openbsd.org
ad38406fc9
upstream: fix miscellaneous text problems; ok djm@
...
OpenBSD-Commit-ID: 0cbf411a14d8fa0b269b69cbb1b4fc0ca699fe9f
2019-11-02 11:12:50 +11:00
Darren Tucker
9cac151c2d
Add flags needed to build and work on Ultrix.
2019-11-01 18:27:37 +11:00
Darren Tucker
0e3c5bc509
Hook up fnmatch for platforms that don't have it.
2019-11-01 18:27:37 +11:00
Darren Tucker
b56dbfd9d9
Add missing bracket in realpath macro.
2019-11-01 18:27:37 +11:00