345be6091b
upstream: Remove now-obsolete config options from example in
...
comment. Patch from openbsd@academicsolutions.ch , ok djm@
OpenBSD-Commit-ID: 35862beb0927b1cb0af476ec23cc07f6e3006101
2019-12-20 14:25:08 +11:00
ae024b22c4
upstream: Document that security key-hosted keys can act as host
...
keys.
Update the list of default host key algorithms in ssh_config.5 and
sshd_config.5. Copy the description of the SecurityKeyProvider
option to sshd_config.5.
ok jmc@
OpenBSD-Commit-ID: edadf3566ab5e94582df4377fee3b8b702c7eca0
2019-12-20 14:25:08 +11:00
bc2dc091e0
upstream: "Forward security" -> "Forward secrecy" since that's the
...
correct term. Add "MAC" since we use that acronym in other man pages. ok
naddy@
OpenBSD-Commit-ID: c35529e511788586725fb63bda3459e10738c5f5
2019-12-20 14:25:08 +11:00
e905f7260d
upstream: cut obsolete lists of crypto algorithms from outline of
...
how SSH works ok markus@ jmc@
OpenBSD-Commit-ID: 8e34973f232ab48c4d4f5d07df48d501708b9160
2019-12-20 14:25:08 +11:00
f65cf1163f
upstream: strdup may return NULL if memory allocation fails. Use
...
the safer xstrdup which fatals on allocation failures.
ok markus@
OpenBSD-Commit-ID: 8b608d387120630753cbcb8110e0b019c0c9a0d0
2019-12-20 14:25:08 +11:00
57634bfc57
upstream: sort sk-* methods behind their plain key methods cousins
...
for now
OpenBSD-Commit-ID: c97e22c2b28c0d12ee389b8b4ef5f2ada7908828
2019-12-20 14:23:54 +11:00
b8df8fe920
Mac OS X has PAM too.
2019-12-18 09:14:45 +11:00
bf8de8b825
Show portable tarball pattern in example.
2019-12-18 09:14:45 +11:00
a19ef613e9
OpenSSL is now optional.
2019-12-18 09:14:45 +11:00
1a7217ac06
upstream: adapt to ssh-sk-client change
...
OpenBSD-Regress-ID: 40481999a5928d635ab2e5b029e8239c112005ea
2019-12-16 14:20:35 +11:00
a7fc1df246
upstream: it's no longer possible to disable privilege separation
...
in sshd, so don't double the tests' work by trying both off/on
OpenBSD-Regress-ID: d366665466dbd09e9b707305da884be3e7619c68
2019-12-16 14:20:35 +11:00
3145d38ea0
upstream: don't treat HostKeyAgent=none as a path either; avoids
...
spurious warnings from the cfgparse regress test
OpenBSD-Commit-ID: ba49ea7a5c92b8a16cb9c2e975dbb163853afc54
2019-12-16 14:19:41 +11:00
747e25192f
upstream: do not attempt to find an absolute path for sshd_config
...
SecurityKeyProvider=internal - unbreaks cfgparse regress test
OpenBSD-Commit-ID: d2ddcf525c0dc3c8339522360c10b3c70f1fd641
2019-12-16 14:19:41 +11:00
9b6e30b96b
upstream: allow ssh-keyscan to find security key hostkeys
...
OpenBSD-Commit-ID: 1fe822a7f714df19a7e7184e3a3bbfbf546811d3
2019-12-16 14:19:41 +11:00
56584cce75
upstream: allow security keys to act as host keys as well as user
...
keys.
Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.
ok markus@
OpenBSD-Commit-ID: 77b068dd133b8d87e0f010987bd5131e640ee64c
2019-12-16 14:19:41 +11:00
5af6fd5461
Allow clock_nanosleep_time64 in seccomp sandbox.
...
Needed on Linux ARM. bz#3100, patch from jjelen@redhat.com .
2019-12-16 13:55:56 +11:00
fff8ff6dd5
Put SK ECDSA bits inside ifdef OPENSSL_HAS_ECC.
...
Fixes build when linking against OpenSSLs built with no-ec.
2019-12-15 18:27:02 +11:00
9244990ecd
remove a bunch of ENABLE_SK #ifdefs
...
The ssh-sk-helper client API gives us a nice place to disable
security key support when it is wasn't enabled at compile time,
so we don't need to check everywere.
Also, verification of security key signatures can remain enabled
all the time - it has no additional dependencies. So sshd can
accept security key pubkeys in authorized_keys, etc regardless of
the host's support for dlopen, etc.
2019-12-14 09:21:46 +11:00
a33ab1688b
ssh-sk-client.c needs includes.h
2019-12-14 09:15:06 +11:00
633778d567
only link ssh-sk-helper against libfido2
2019-12-14 08:40:58 +11:00
7b47b40b17
adapt Makefile to ssh-sk-client everywhere
2019-12-14 08:40:58 +11:00
f45f3a8a12
fixup
2019-12-14 07:53:11 +11:00
d214347667
upstream: actually commit the ssh-sk-helper client code; ok markus
...
OpenBSD-Commit-ID: fd2ea776a5bbbf4d452989d3c3054cf25a5e0589
2019-12-14 07:21:27 +11:00
611073fb40
upstream: perform security key enrollment via ssh-sk-helper too.
...
This means that ssh-keygen no longer needs to link against ssh-sk-helper, and
only ssh-sk-helper needs libfido2 and /dev/uhid* access;
feedback & ok markus@
OpenBSD-Commit-ID: 9464233fab95708d2ff059f8bee29c0d1f270800
2019-12-14 07:20:28 +11:00
612b1dd1ec
upstream: allow sshbuf_put_stringb(buf, NULL); ok markus@
...
OpenBSD-Commit-ID: 91482c1ada9adb283165d48dafbb88ae91c657bd
2019-12-14 07:17:44 +11:00
b52ec0ba39
upstream: use ssh-sk-helper for all security key signing operations
...
This extracts and refactors the client interface for ssh-sk-helper
from ssh-agent and generalises it for use by the other programs.
This means that most OpenSSH tools no longer need to link against
libfido2 or directly interact with /dev/uhid*
requested by, feedback and ok markus@
OpenBSD-Commit-ID: 1abcd3aea9a7460eccfbf8ca154cdfa62f1dc93f
2019-12-14 07:17:44 +11:00
c33d46868c
upstream: add a note about the 'extensions' field in the signed
...
object
OpenBSD-Commit-ID: 67c01e0565b258e0818c1ccfe1f1aeaf9a0d4c7b
2019-12-14 07:09:23 +11:00
a62f4e1960
upstream: some more corrections for documentation problems spotted
...
by Ron Frederick
document certifiate private key format
correct flags type for sk-ssh-ed25519@openssh.com keys
OpenBSD-Commit-ID: fc4e9a1ed7f9f7f9dd83e2e2c59327912e933e74
2019-12-11 19:11:07 +11:00
22d4beb796
upstream: loading security keys into ssh-agent used the extension
...
constraint "sk-provider@openssh.com", not "sk@openssh.com"; spotted by Ron
Frederick
OpenBSD-Commit-ID: dbfba09edbe023abadd5f59c1492df9073b0e51d
2019-12-11 19:11:07 +11:00
75f7f22a43
upstream: add security key types to list of keys allowed to act as
...
CAs; spotted by Ron Frederick
OpenBSD-Commit-ID: 9bb0dfff927b4f7aa70679f983f84c69d45656c3
2019-12-11 19:11:07 +11:00
516605f2d5
upstream: when acting as a CA and using a security key as the CA
...
key, remind the user to touch they key to authorise the signature.
OpenBSD-Commit-ID: fe58733edd367362f9766b526a8b56827cc439c1
2019-12-11 19:08:22 +11:00
c4036fe75e
upstream: chop some unnecessary and confusing verbiage from the
...
security key protocol description; feedback from Ron Frederick
OpenBSD-Commit-ID: 048c9483027fbf9c995e5a51b3ac502989085a42
2019-12-11 19:08:22 +11:00
59175a350f
upstream: fix setting of $SSH_ASKPASS_PROMPT - it shouldn't be set
...
when asking passphrases, only when confirming the use of a key (i.e. for
ssh-agent keys added with "ssh-add -c keyfile")
OpenBSD-Commit-ID: 6643c82960d9427d5972eb702c917b3b838ecf89
2019-12-11 19:08:22 +11:00
36eaa356d3
upstream: bring the __func__
...
OpenBSD-Commit-ID: 71a3a45b0fe1b8f680ff95cf264aa81f7abbff67
2019-12-11 19:08:22 +11:00
483cc723d1
upstream: tweak the Nd lines for a bit of consistency; ok markus
...
OpenBSD-Commit-ID: 876651bdde06bc1e72dd4bd7ad599f42a6ce5a16
2019-12-11 19:08:22 +11:00
afffd31036
Check if memmem is declared in system headers.
...
If the system (or one of the dependencies) implements memmem but does
not define the header, we would not declare it either resulting in
compiler warnings. Check for declaration explicitly. bz#3102.
2019-12-11 13:22:06 +11:00
ad8cd42079
Sort depends.
2019-12-11 13:13:14 +11:00
5e3abff39e
Sort .depend when rebuilding.
...
This makes diffs more stable between makedepend implementations.
2019-12-11 13:12:59 +11:00
5df9d1f5c0
Update depend to include sk files.
2019-12-11 13:06:43 +11:00
9a967c5bbf
Describe how to build libcrypto as PIC.
...
While there, move the OpenSSL 1.1.0g caveat closer to the other version
information.
2019-12-09 20:25:26 +11:00
b66fa5da25
Recommend running LibreSSL or OpenSSL self-tests.
2019-12-09 17:23:22 +11:00
fa7924008e
Wrap ECC specific bits in ifdef.
...
Fixes tests when built against an OpenSSL configured with no-ec.
2019-12-06 14:17:26 +11:00
2ff822eabd
Wrap sha2.h include in ifdef.
...
Fixes build --without-openssl on at least Fedora.
2019-11-29 20:21:36 +11:00
443848155f
compile sk-dummy.so with no-PIE version of LDFLAGS
...
This lets it pick up the -L path to libcrypto for example.
2019-11-29 15:10:21 +11:00
37f5b5346e
includes.h for sk-dummy.c, dummy
2019-11-29 14:48:46 +11:00
b218055e59
(yet) another x-platform fix for sk-dummy.so
...
Check for -fPIC support from compiler
Compile libopenbsd-compat -fPIC
Don't mix -fPIE and -fPIC when compiling
2019-11-29 12:32:23 +11:00
0dedb703ad
needs includes.h for WITH_OPENSSL
2019-11-29 11:53:57 +11:00
ef3853bb94
another attempt at sk-dummy.so working x-platform
...
include a fatal() implementation to satisfy libopenbsd-compat
clean up .lo and .so files
.gitignore .lo and .so files
2019-11-29 11:52:23 +11:00
d46ac56f1c
upstream: lots of dependencies go away here with ed25519 no longer
...
needing the ssh_digest API.
OpenBSD-Regress-ID: 785847ec78cb580d141e29abce351a436d6b5d49
2019-11-29 11:19:48 +11:00
7404b81f25
upstream: perform hashing directly in crypto_hash_sha512() using
...
libcrypto or libc SHA512 functions rather than calling ssh_digest_memory();
avoids many dependencies on ssh code that complicate standalone use of
ed25519, as we want to do in sk-dummy.so
OpenBSD-Commit-ID: 5a3c37593d3ba7add037b587cec44aaea088496d
2019-11-29 11:17:39 +11:00
dtucker@openbsd.org
naddy@openbsd.org
tobhe@openbsd.org
djm@openbsd.org
Darren Tucker
Damien Miller
jmc@openbsd.org