tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
10,691 Commits 6 Branches 20 Tags 98 MiB
Commit Graph

196 Commits

Author SHA1 Message Date
Darren Tucker 4230a5dc30 - djm@cvs.openbsd.org 2008/07/02 12:36:39 
[auth2-none.c auth2.c]
     Make protocol 2 MaxAuthTries behaviour a little more sensible:
     Check whether client has exceeded MaxAuthTries before running
     an authentication method and skip it if they have, previously it
     would always allow one try (for "none" auth).
     Preincrement failure count before post-auth test - previously this
     checked and postincremented, also to allow one "none" try.
     Together, these two changes always count the "none" auth method
     which could be skipped by a malicious client (e.g. an SSH worm)
     to get an extra attempt at a real auth method. They also make
     MaxAuthTries=0 a useful way to block users entirely (esp. in a
     sshd_config Match block).
     Also, move sending of any preauth banner from "none" auth method
     to the first call to input_userauth_request(), so worms that skip
     the "none" method get to see it too.
 2008-07-02 22:56:09 +10:00
Damien Miller b8c9807628 - dtucker@cvs.openbsd.org 2007/09/29 00:25:51 
[auth2.c]
     Remove unused prototype.  ok djm@
 2007-10-26 14:26:15 +10:00
Darren Tucker 208ac57c30 - stevesk@cvs.openbsd.org 2007/04/14 22:01:58 
[auth2.c]
     remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
 2007-05-20 14:58:41 +10:00
Darren Tucker 1d75f22c5d - dtucker@cvs.openbsd.org 2007/03/01 10:28:02 
[auth2.c sshd_config.5 servconf.c]
     Remove ChallengeResponseAuthentication support inside a Match
     block as its interaction with KbdInteractive makes it difficult to
     support.  Also, relocate the CR/kbdint option special-case code into
     servconf.  "please commit" djm@, ok markus@ for the relocation.
 2007-03-01 21:31:28 +11:00
Damien Miller d783435315 - deraadt@cvs.openbsd.org 2006/08/03 03:34:42 
[OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c]
     [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
     [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c]
     [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ]
     [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c]
     [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c]
     [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
     [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c]
     [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
     [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c]
     [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c]
     [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c]
     [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c]
     [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h]
     [serverloop.c session.c session.h sftp-client.c sftp-common.c]
     [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
     [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c]
     [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c]
     [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c]
     [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h]
     [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h]
     almost entirely get rid of the culture of ".h files that include .h files"
     ok djm, sort of ok stevesk
     makes the pain stop in one easy step
     NB. portable commit contains everything *except* removing includes.h, as
     that will take a fair bit more work as we move headers that are required
     for portability workarounds to defines.h. (also, this step wasn't "easy")
 2006-08-05 12:39:39 +10:00
Damien Miller e3476ed03b - stevesk@cvs.openbsd.org 2006/07/22 20:48:23 
[atomicio.c auth-options.c auth-passwd.c auth-rhosts.c auth-rsa.c]
     [auth.c auth1.c auth2-chall.c auth2-hostbased.c auth2-passwd.c auth2.c]
     [authfd.c authfile.c bufaux.c bufbn.c buffer.c canohost.c channels.c]
     [cipher-3des1.c cipher-bf1.c cipher-ctr.c cipher.c clientloop.c]
     [compat.c deattack.c dh.c dns.c gss-genr.c gss-serv.c hostfile.c]
     [includes.h kex.c kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c log.c]
     [mac.c match.c md-sha256.c misc.c moduli.c monitor.c monitor_fdpass.c]
     [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c rsa.c]
     [progressmeter.c readconf.c readpass.c scp.c servconf.c serverloop.c]
     [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c sftp.c]
     [ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
     [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c sshconnect2.c]
     [sshd.c sshlogin.c sshpty.c ttymodes.c uidswap.c xmalloc.c]
     move #include <string.h> out of includes.h
 2006-07-24 14:13:33 +10:00
Damien Miller 9f2abc47eb - stevesk@cvs.openbsd.org 2006/07/06 16:03:53 
[auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c]
     [auth-rhosts.c auth-rsa.c auth.c auth.h auth2-hostbased.c]
     [auth2-pubkey.c auth2.c includes.h misc.c misc.h monitor.c]
     [monitor_wrap.c monitor_wrap.h scp.c serverloop.c session.c]
     [session.h sftp-common.c ssh-add.c ssh-keygen.c ssh-keysign.c]
     [ssh.c sshconnect.c sshconnect.h sshd.c sshpty.c sshpty.h uidswap.c]
     [uidswap.h]
     move #include <pwd.h> out of includes.h; ok markus@
 2006-07-10 20:53:08 +10:00
Damien Miller 57c30117c1 - djm@cvs.openbsd.org 2006/03/25 13:17:03 
[atomicio.c auth-bsdauth.c auth-chall.c auth-options.c auth-passwd.c]
     [auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth-skey.c auth.c auth1.c]
     [auth2-chall.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
     [auth2-passwd.c auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c]
     [buffer.c canohost.c channels.c cipher-3des1.c cipher-bf1.c]
     [cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c compress.c]
     [deattack.c dh.c dispatch.c fatal.c groupaccess.c hostfile.c kex.c]
     [kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c]
     [mac.c match.c md-sha256.c misc.c monitor.c monitor_fdpass.c]
     [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c progressmeter.c]
     [readconf.c readpass.c rsa.c scard.c scp.c servconf.c serverloop.c]
     [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c]
     [sftp.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
     [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
     [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
     [uidswap.c uuencode.c xmalloc.c]
     Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
     Theo nuked - our scripts to sync -portable need them in the files
 2006-03-26 14:24:48 +11:00
Damien Miller 91d4b12fcb - deraadt@cvs.openbsd.org 2006/03/20 18:17:20 
[auth1.c auth2.c sshd.c]
     sprinkle some ARGSUSED for table driven functions (which sometimes
     must ignore their args)
 2006-03-26 14:05:20 +11:00
Damien Miller b0fb6872ed - deraadt@cvs.openbsd.org 2006/03/19 18:51:18 
[atomicio.c auth-bsdauth.c auth-chall.c auth-krb5.c auth-options.c]
     [auth-pam.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c]
     [auth-shadow.c auth-skey.c auth.c auth1.c auth2-chall.c]
     [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c]
     [auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c buffer.c]
     [canohost.c channels.c cipher-3des1.c cipher-acss.c cipher-aes.c]
     [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
     [compress.c deattack.c dh.c dispatch.c dns.c entropy.c fatal.c]
     [groupaccess.c hostfile.c includes.h kex.c kexdh.c kexdhc.c]
     [kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c loginrec.c]
     [loginrec.h logintest.c mac.c match.c md-sha256.c md5crypt.c misc.c]
     [monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c msg.c]
     [nchan.c packet.c progressmeter.c readconf.c readpass.c rsa.c]
     [scard.c scp.c servconf.c serverloop.c session.c sftp-client.c]
     [sftp-common.c sftp-glob.c sftp-server.c sftp.c ssh-add.c]
     [ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
     [ssh-rand-helper.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
     [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
     [uidswap.c uuencode.c xmalloc.c openbsd-compat/bsd-arc4random.c]
     [openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-cygwin_util.c]
     [openbsd-compat/bsd-getpeereid.c openbsd-compat/bsd-misc.c]
     [openbsd-compat/bsd-nextstep.c openbsd-compat/bsd-snprintf.c]
     [openbsd-compat/bsd-waitpid.c openbsd-compat/fake-rfc2553.c]
     RCSID() can die
 2006-03-26 00:03:21 +11:00
Darren Tucker d3eff2bfa5 - (dtucker) [auth2.c] Move start_pam() calls out of if-else block to remove 
duplicate call.  ok djm@
 2005-09-24 12:43:51 +10:00
Damien Miller b6f72f5294 -(djm) [audit.c auth1.c auth2.c entropy.c loginrec.c serverloop.c] 
[ssh-rand-helper.c] fix portable 2nd level indents at 4 spaces too
 2005-07-17 17:26:43 +10:00
Darren Tucker 2e0cf0dca2 - (dtucker) [audit.c audit.h auth.c auth1.c auth2.c loginrec.c monitor.c 
monitor_wrap.c monitor_wrap.h session.c sshd.c]: Prepend all of the audit
   defines and enums with SSH_ to prevent namespace collisions on some
   platforms (eg AIX).
 2005-02-08 21:52:47 +11:00
Darren Tucker 269a1ea1c8 - (dtucker) [Makefile.in auth.c auth.h auth1.c auth2.c loginrec.c monitor.c 
monitor.h monitor_wrap.c monitor_wrap.h session.c sshd.c] Bug #125:
   (first stage) Add audit instrumentation to sshd, currently disabled by
   default.  with suggestions from and djm@
 2005-02-03 00:20:53 +11:00
Darren Tucker c13866719f - (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is 
subsequently denied by the PAM auth stack, send the PAM message to the
   user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2).
   ok djm@
 2004-12-03 14:33:47 +11:00
Darren Tucker 77fc29eeb3 - (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c] 
Bug #892: Send messages from failing PAM account modules to the client via
   SSH2_MSG_USERAUTH_BANNER messages.  Note that this will not happen with
   SSH2 kbdint authentication, which need to be dealt with separately.  ok djm@
 2004-09-11 23:07:03 +10:00
Darren Tucker 5cb30ad2ec - markus@cvs.openbsd.org 2004/07/28 09:40:29 
[auth.c auth1.c auth2.c cipher.c cipher.h key.c session.c ssh.c
     sshconnect1.c]
     more s/illegal/invalid/
 2004-08-12 22:40:24 +10:00
Damien Miller 30d1f84911 - djm@cvs.openbsd.org 2004/07/21 10:33:31 
[auth1.c auth2.c]
     bz#899: Don't display invalid usernames in setproctitle
 2004-07-21 20:48:53 +10:00
Darren Tucker 89413dbafa - dtucker@cvs.openbsd.org 2004/05/23 23:59:53 
[auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config sshd_config.5]
     Add MaxAuthTries sshd config option; ok markus@
 2004-05-24 10:36:23 +10:00
Darren Tucker dbf7a74ee5 - (dtucker) [auth-pam.c auth-pam.h auth1.c auth2.c monitor.c monitor_wrap.c 
monitor_wrap.h] Bug #808: Ensure force_pwchange is correctly initialized
   even if keyboard-interactive is not used by the client.  Prevents segfaults
   in some cases where the user's password is expired (note this is not
   considered a security exposure).  ok djm@
 2004-03-08 23:04:06 +11:00
Damien Miller 3e3b5145e5 - djm@cvs.openbsd.org 2003/11/04 08:54:09 
[auth1.c auth2.c auth2-pubkey.c auth.h auth-krb5.c auth-passwd.c]
     [auth-rhosts.c auth-rh-rsa.c auth-rsa.c monitor.c serverloop.c]
     [session.c]
     standardise arguments to auth methods - they should all take authctxt.
     check authctxt->valid rather then pw != NULL; ok markus@
 2003-11-17 21:13:40 +11:00
Darren Tucker 3e33cecf71 - markus@cvs.openbsd.org 2003/09/23 20:17:11 
[Makefile.in auth1.c auth2.c auth.c auth.h auth-krb5.c canohost.c
     cleanup.c clientloop.c fatal.c gss-serv.c log.c log.h monitor.c monitor.h
     monitor_wrap.c monitor_wrap.h packet.c serverloop.c session.c session.h
     ssh-agent.c sshd.c]
     replace fatal_cleanup() and linked list of fatal callbacks with static
     cleanup_exit() function.  re-refine cleanup_exit() where appropriate,
     allocate sshd's authctxt eary to allow simpler cleanup in sshd.
     tested by many, ok deraadt@
 2003-10-02 16:12:36 +10:00
Damien Miller 856f0be669 - markus@cvs.openbsd.org 2003/08/26 09:58:43 
[auth-passwd.c auth.c auth.h auth1.c auth2-none.c auth2-passwd.c]
     [auth2.c monitor.c]
     fix passwd auth for 'username leaks via timing'; with djm@, original
     patches from solar
 2003-09-03 07:32:45 +10:00
Darren Tucker 1e66a39e40 - markus@cvs.openbsd.org 2003/08/22 13:22:27 
[auth2.c] (auth2-krb5.c removed)
     nuke "kerberos-2@ssh.com"
 2003-08-26 12:08:15 +10:00
Darren Tucker 0efd155c3c - markus@cvs.openbsd.org 2003/08/22 10:56:09 
[auth2.c auth2-gss.c auth.h compat.c compat.h gss-genr.c gss-serv-krb5.c
     gss-serv.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c
     readconf.h servconf.c servconf.h session.c session.h ssh-gss.h
     ssh_config.5 sshconnect2.c sshd_config sshd_config.5]
     support GSS API user authentication; patches from Simon Wilkinson,
     stripped down and tested by Jakob and myself.
 2003-08-26 11:49:55 +10:00
Damien Miller 1f499fd368 - (djm) Bug #564: Perform PAM account checks for all authentications when 
UsePAM=yes; ok dtucker
 2003-08-25 13:08:49 +10:00
Darren Tucker 502d384b74 - markus@cvs.openbsd.org 2003/06/24 08:23:46 
[auth2-hostbased.c auth2-pubkey.c auth2.c channels.c key.c key.h
      monitor.c packet.c packet.h serverloop.c sshconnect2.c sshd.c]
     int -> u_int; ok djm@, deraadt@, mouring@
 2003-06-28 12:38:01 +10:00
Damien Miller 4e448a31ae - (djm) Add new UsePAM configuration directive to allow runtime control 
over usage of PAM. This allows non-root use of sshd when built with
   --with-pam
 2003-05-14 15:11:48 +10:00
Damien Miller 3ab496b3dd - markus@cvs.openbsd.org 2003/05/14 02:15:47 
[auth2.c monitor.c sshconnect2.c auth2-krb5.c]
     implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
     server interops with commercial client; ok jakob@ djm@
 2003-05-14 13:47:37 +10:00
Damien Miller d558092522 - (djm) RCSID sync w/ OpenBSD 2003-05-14 13:40:06 +10:00
Damien Miller 1a27a1ee8c - (djm) Bug #117: Don't lie to PAM about username 2003-05-14 10:27:09 +10:00
Darren Tucker 97363a8b24 - (dtucker) Move handling of bad password authentications into a platform 
specific record_failed_login() function (affects AIX & Unicos).
 2003-05-02 23:42:25 +10:00
Ben Lindstrom f50ad1fd04 - (bal) auth2.c same changed as above. 2003-04-27 18:44:31 +00:00
Damien Miller 996acd2476 *** empty log message *** 2003-04-09 20:59:48 +10:00
Damien Miller 556f9315a5 - markus@cvs.openbsd.org 2003/02/06 21:22:43 
[auth1.c auth2.c]
     undo broken fix for #387, fixes #486
 2003-02-24 11:59:26 +11:00
Tim Rice 81ed518b9b Cray fixes (bug 367) based on patch from Wendy Palm @ cray. 
This does not include the deattack.c fixes.
 2002-09-25 17:38:46 -07:00
Damien Miller de6f2de8ad - markus@cvs.openbsd.org 2002/08/22 21:33:58 
[auth1.c auth2.c]
     auth_root_allowed() is handled by the monitor in the privsep case,
     so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
 2002-09-04 16:37:26 +10:00
Ben Lindstrom e06eb68226 - (bal) Failed password attempts don't increment counter on AIX. Bug #145 2002-07-04 00:27:21 +00:00
Ben Lindstrom 5a9d0eaba6 - deraadt@cvs.openbsd.org 2002/06/30 21:54:16 
[auth2.c session.c sshd.c]
     lint asks that we use names that do not overlap
 2002-07-04 00:12:53 +00:00
Damien Miller 43cecc1392 some xxx's for future privsep cleanup 2002-06-21 16:21:11 +10:00
Ben Lindstrom b85ab30a6e - (bal) Refixed auth2.c. It was never fully commited while spliting out 
authentication to different files.
 2002-06-07 02:05:25 +00:00
Ben Lindstrom 511bb24c5b - markus@cvs.openbsd.org 2002/05/31 11:35:15 
[auth.h auth2.c]
     move Authmethod definitons to per-method file.

NOTE: The rest of this patch is with the import of the auth2-*.c files.
 2002-06-06 20:52:37 +00:00
Ben Lindstrom 855bf3ac3c - markus@cvs.openbsd.org 2002/05/25 18:51:07 
[auth.h auth2.c auth2-hostbased.c auth2-kbdint.c auth2-none.c
      auth2-passwd.c auth2-pubkey.c Makefile.in]
     split auth2.c into one file per method; ok provos@/deraadt@

NOTE: Merged back noticable cygwin and pam stuff.  May need review to
ensure I did not miss anything.
 2002-06-06 20:27:55 +00:00
Ben Lindstrom 58d4dafeb1 - itojun@cvs.openbsd.org 2002/05/13 02:37:39 
[auth-skey.c auth2.c]
     less warnings.  skey_{respond,query} are public (in auth.h)
 2002-05-15 16:14:36 +00:00
Damien Miller 5ad9fd9820 - (djm) Bug #231: UsePrivilegeSeparation turns off Banner. 2002-05-13 11:07:41 +10:00
Damien Miller ffc868ff83 - (djm) Disable PAM kbd-int auth if privsep is turned on (it doesn't work) 2002-05-09 15:59:13 +10:00
Damien Miller 7941855f09 - (djm) Make privsep work with PAM (still experimental) 2002-04-23 20:28:48 +10:00
Kevin Steves e683e76439 - (stevesk) [auth-pam.c auth-pam.h auth-passwd.c auth-sia.c auth-sia.h 
auth1.c auth2.c] PAM, OSF_SIA password auth cleanup; from djm.
 2002-04-04 19:02:28 +00:00
Kevin Steves 205cc1ef46 - (stevesk) [auth2.c] merge cleanup/sync 2002-03-22 20:43:05 +00:00
Ben Lindstrom 7ebb635d81 - markus@cvs.openbsd.org 2002/03/19 14:27:39 
[auth.c auth1.c auth2.c]
     make getpwnamallow() allways call pwcopy()
 2002-03-22 03:04:08 +00:00
Ben Lindstrom 7a2073c50b - provos@cvs.openbsd.org 2002/03/18 17:50:31 
[auth-bsdauth.c auth-options.c auth-rh-rsa.c auth-rsa.c auth-skey.c auth.h
      auth1.c auth2-chall.c auth2.c kex.c kex.h kexdh.c kexgex.c servconf.c
      session.h servconf.h serverloop.c session.c sshd.c]
     integrate privilege separated openssh; its turned off by default for now.
     work done by me and markus@

applied, but outside of ensure that smaller code bits migrated with
their owners.. no work was tried to 'fix' it to work. =)  Later project!
 2002-03-22 02:30:41 +00:00
Ben Lindstrom 73ab9ba45d - provos@cvs.openbsd.org 2002/03/18 01:12:14 
[auth.h auth1.c auth2.c sshd.c]
     have the authentication functions return the authentication context
     and then do_authenticated; okay millert@
 2002-03-22 01:27:35 +00:00
Ben Lindstrom 2ae18f40a7 - provos@cvs.openbsd.org 2002/03/17 20:25:56 
[auth.c auth.h auth1.c auth2.c]
     getpwnamallow returns struct passwd * only if user valid; okay markus@
 2002-03-22 01:24:38 +00:00
Damien Miller 3a5b023330 Stupid djm commits experimental code to head instead of branch 
revert
 2002-03-13 13:19:42 +11:00
Damien Miller 646e7cf3d7 Import of Niels Provos' 20020312 ssh-complete.diff 
PAM, Cygwin and OSF SIA will not work for sure
 2002-03-13 12:47:54 +11:00
Ben Lindstrom 90fd814f90 - markus@cvs.openbsd.org 2002/02/24 19:14:59 
[auth2.c authfd.c authfd.h authfile.c kexdh.c kexgex.c key.c key.h
      ssh-dss.c ssh-dss.h ssh-keygen.c ssh-rsa.c ssh-rsa.h sshconnect2.c]
     signed vs. unsigned: make size arguments u_int, ok stevesk@
 2002-02-26 18:09:42 +00:00
Damien Miller f3451a2181 - (djm) Cleanup after sync: 
- :%s/reverse_mapping_check/verify_reverse_mapping/g
 2002-02-05 12:40:46 +11:00
Damien Miller 9b74bfc5be - markus@cvs.openbsd.org 2002/02/04 11:58:10 
[auth2.c]
     cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
 2002-02-05 12:26:03 +11:00
Damien Miller c5d8635d6a - markus@cvs.openbsd.org 2002/01/29 14:32:03 
[auth2.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c canohost.c servconf.c servconf.h session.c sshd.8 sshd_config]
     s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
 2002-02-05 12:13:41 +11:00
Damien Miller 0e3b87279c - markus@cvs.openbsd.org 2002/01/13 17:57:37 
[auth2.c auth2-chall.c compat.c sshconnect2.c sshd.c]
     use buffer API and avoid static strings of fixed size; ok provos@/mouring@
 2002-01-22 23:26:38 +11:00
Damien Miller 7d05339c70 - markus@cvs.openbsd.org 2002/01/11 13:39:36 
[auth2.c dispatch.c dispatch.h kex.c]
     a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
     dispatch_range(): set handler for a ranges message types
     use dispatch_protocol_ignore() for authentication requests after
     	successful authentication (the drafts requirement).
     serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
 2002-01-22 23:24:13 +11:00
Damien Miller 630d6f4479 - markus@cvs.openbsd.org 2001/12/28 15:06:00 
[auth2.c auth2-chall.c channels.c channels.h clientloop.c dispatch.c dispatch.h kex.c kex.h serverloop.c ssh.c sshconnect2.c]
     remove plen from the dispatch fn. it's no longer used.
 2002-01-22 23:17:30 +11:00
Damien Miller 48b03fc546 - markus@cvs.openbsd.org 2001/12/27 20:39:58 
[auth1.c auth-rsa.c channels.c clientloop.c packet.c packet.h serverloop.c session.c ssh.c sshconnect1.c sshd.c ttymodes.c]
     get rid of packet_integrity_check, use packet_done() instead.
 2002-01-22 23:11:40 +11:00
Damien Miller 0dea79d6b6 - (djm) Apply Cygwin pointer deref fix from Corinna Vinschen 
<vinschen@redhat.com> Could be abused to guess valid usernames
 2001-12-29 14:08:28 +11:00
Damien Miller 278f907a2d - djm@cvs.openbsd.org 2001/12/20 22:50:24 
[auth2.c auth2-chall.c channels.c channels.h clientloop.c dispatch.c]
     [dispatch.h kex.c kex.h packet.c packet.h serverloop.c ssh.c]
     [sshconnect2.c]
     Conformance fix: we should send failing packet sequence number when
     responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
     yakk@yakk.dot.net; ok markus@
 2001-12-21 15:00:19 +11:00
Damien Miller 9f0f5c64bc - deraadt@cvs.openbsd.org 2001/12/19 07:18:56 
[auth1.c auth2.c auth2-chall.c auth-bsdauth.c auth.c authfile.c auth.h]
     [auth-krb4.c auth-rhosts.c auth-skey.c bufaux.c canohost.c channels.c]
     [cipher.c clientloop.c compat.c compress.c deattack.c key.c log.c mac.c]
     [match.c misc.c nchan.c packet.c readconf.c rijndael.c rijndael.h scard.c]
     [servconf.c servconf.h serverloop.c session.c sftp.c sftp-client.c]
     [sftp-glob.c sftp-int.c sftp-server.c ssh-add.c ssh-agent.c ssh.c]
     [sshconnect1.c sshconnect2.c sshconnect.c sshd.8 sshd.c sshd_config]
     [ssh-keygen.c sshlogin.c sshpty.c sshtty.c ttymodes.c uidswap.c]
     basic KNF done while i was looking for something else
 2001-12-21 14:45:46 +11:00
Damien Miller da9edcabf8 - jakob@cvs.openbsd.org 2001/12/18 10:05:15 
[auth2.c]
     log fingerprint on successful public key authentication; ok markus@
 2001-12-21 12:48:54 +11:00
Damien Miller ee11625d43 - markus@cvs.openbsd.org 2001/12/09 18:45:56 
[auth2.c auth2-chall.c auth.h]
     add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions,
     fixes memleak.
 2001-12-21 12:42:34 +11:00
Ben Lindstrom 3c36bb29ca - itojun@cvs.openbsd.org 2001/12/05 03:56:39 
[auth1.c auth2.c canohost.c channels.c deattack.c packet.c scp.c
      sshconnect2.c]
     make it compile with more strict prototype checking
 2001-12-06 17:55:26 +00:00
Ben Lindstrom 65366a8c76 - stevesk@cvs.openbsd.org 2001/11/17 19:14:34 
[auth2.c auth.c readconf.c servconf.c ssh-agent.c ssh-keygen.c]
     enum/int type cleanup where it made sense to do so; ok markus@
 2001-12-06 16:32:47 +00:00
Damien Miller e49d0966b5 - (djm) AIX login{success,failed} changes. Move loginsuccess call to 
do_authenticated. Call loginfailed for protocol 2 failures > MAX like
   we do for protocol 1. Reports from Ralf Wenk <wera0003@fh-karlsruhe.de>,
   K.Wolkersdorfer@fz-juelich.de and others
 2001-11-13 23:46:18 +11:00
Damien Miller 6fd5b391f0 - markus@cvs.openbsd.org 2001/11/07 22:41:51 
[auth2.c auth-rh-rsa.c]
     unused includes
 2001-11-12 11:04:28 +11:00
Ben Lindstrom bdfb4df08c - markus@cvs.openbsd.org 2001/09/27 15:31:17 
[auth2.c auth2-chall.c sshconnect1.c]
     typos; from solar
 2001-10-03 17:12:43 +00:00
Ben Lindstrom 1bc3bdb1c2 - markus@cvs.openbsd.org 2001/09/20 13:46:48 
[auth2.c]
     key_read returns now -1 or 1
 2001-09-20 23:11:26 +00:00
Ben Lindstrom 940fb86c9a - stevesk@cvs.openbsd.org 2001/07/23 18:14:58 
[auth2.c auth-rsa.c]
     use %lu; ok markus@
 2001-08-06 21:01:49 +00:00
Ben Lindstrom 90279d80f5 - markus@cvs.openbsd.org 2001/06/26 05:50:11 
[auth2.c]
     new interface for secure_filename()
 2001-07-04 03:56:56 +00:00
Ben Lindstrom 7907382299 - stevesk@cvs.openbsd.org 2001/06/25 20:26:37 
[auth2.c sshconnect2.c]
     prototype cleanup; ok markus@
 2001-07-04 03:42:30 +00:00
Ben Lindstrom bba81213b9 - itojun@cvs.openbsd.org 2001/06/23 15:12:20 
[auth1.c auth2.c auth2-chall.c authfd.c authfile.c auth-rhosts.c
      canohost.c channels.c cipher.c clientloop.c deattack.c dh.c
      hostfile.c kex.c kexdh.c kexgex.c key.c nchan.c packet.c radix.c
      readpass.c scp.c servconf.c serverloop.c session.c sftp.c
      sftp-client.c sftp-glob.c sftp-int.c sftp-server.c ssh-add.c
      ssh-agent.c ssh.c sshconnect1.c sshconnect2.c sshconnect.c sshd.c
      ssh-keygen.c ssh-keyscan.c]
     more strict prototypes.  raise warning level in Makefile.inc.
     markus ok'ed
     TODO; cleanup headers
 2001-06-25 05:01:22 +00:00
Ben Lindstrom a4789ef878 - markus@cvs.openbsd.org 2001/06/23 03:04:42 
[auth2.c auth-rh-rsa.c]
     restore correct ignore_user_known_hosts logic.
 2001-06-25 04:40:49 +00:00
Ben Lindstrom 83647ce474 - markus@cvs.openbsd.org 2001/06/23 00:20:57 
[auth2.c auth.c auth.h auth-rh-rsa.c]
     *known_hosts2 is obsolete for hostbased authentication and
     only used for backward compat. merge ssh1/2 hostkey check
     and move it to auth.c
 2001-06-25 04:30:16 +00:00
Ben Lindstrom f96704d4ef - markus@cvs.openbsd.org 2001/06/22 21:55:49 
[auth2.c auth-rsa.c pathnames.h ssh.1 sshd.8 sshd_config
      ssh-keygen.1]
     merge authorized_keys2 into authorized_keys.
     authorized_keys2 is used for backward compat.
     (just append authorized_keys2 to authorized_keys).
 2001-06-25 04:17:12 +00:00
Ben Lindstrom 9d0c06667e - markus@cvs.openbsd.org 2001/06/07 19:57:53 
[auth2.c]
     style is used for bsdauth.
     disconnect on user/service change (ietf-drafts)
 2001-06-09 01:40:00 +00:00
Ben Lindstrom c763767f18 [NOTE: Next patch will sync nchan.c, channels.c and channels.h and all this 
pain will be over.]
   - markus@cvs.openbsd.org 2001/05/31 10:30:17
     [auth-options.c auth2.c channels.c channels.h clientloop.c nchan.c
      packet.c serverloop.c session.c ssh.c]
     undo the .c file split, just merge the header and keep the cvs
     history
 2001-06-09 00:36:26 +00:00
Ben Lindstrom cd4349f969 - markus@cvs.openbsd.org 2001/05/30 23:31:14 
[auth2.c]
     merge
 2001-06-09 00:23:17 +00:00
Ben Lindstrom e6455aee8f [NOTE: File split is was not done in Portabl Tree] 
- markus@cvs.openbsd.org 2001/05/30 12:55:13
     [auth-options.c auth2.c channels.c channels.h clientloop.c nchan.c
      packet.c serverloop.c session.c ssh.c ssh1.h]
     channel layer cleanup: merge header files and split .c files
 2001-06-09 00:17:10 +00:00
Ben Lindstrom bfb3a0e973 - markus@cvs.openbsd.org 2001/05/20 17:20:36 
[auth-rsa.c auth.c auth.h auth2.c servconf.c servconf.h sshd.8
      sshd_config]
     configurable authorized_keys{,2} location; originally from peter@;
     ok djm@
 2001-06-05 20:25:05 +00:00
Ben Lindstrom 551ea37576 - markus@cvs.openbsd.org 2001/05/18 14:13:29 
[auth-chall.c auth.h auth1.c auth2-chall.c auth2.c readconf.c
      readconf.h servconf.c servconf.h sshconnect1.c sshconnect2.c sshd.c]
     improved kbd-interactive support. work by per@appgate.com and me
 2001-06-05 18:56:16 +00:00
Damien Miller f815442116 - (djm) Add new server configuration directive 'PAMAuthenticationViaKbdInt' 
(default: off), implies KbdInteractiveAuthentication. Suggestion from
   markus@
 2001-04-25 22:44:14 +10:00
Ben Lindstrom 3f36496e33 - markus@cvs.openbsd.org 2001/04/19 00:05:11 
[auth2.c]
     use local variable, no function call needed.
     (btw, hostbased works now with ssh.com >= 2.0.13)
 2001-04-19 20:50:07 +00:00
Ben Lindstrom 671388f233 - markus@cvs.openbsd.org 2001/04/18 23:43:26 
[auth2.c compat.c sshconnect2.c]
     more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now
     (however the 2.1.0 server seems to work only if debug is enabled...)
 2001-04-19 20:40:45 +00:00
Ben Lindstrom 4aa603c150 - markus@cvs.openbsd.org 2001/04/18 22:48:26 
[auth2.c]
     no longer const
 2001-04-19 20:38:06 +00:00
Ben Lindstrom 2bffd6fd1b - markus@cvs.openbsd.org 2001/04/18 22:03:45 
[auth2.c sshconnect2.c]
     use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
 2001-04-19 20:35:40 +00:00
Ben Lindstrom 5eabda303a - markus@cvs.openbsd.org 2001/04/12 19:15:26 
[auth-rhosts.c auth.h auth2.c buffer.c canohost.c canohost.h
      compat.c compat.h hostfile.c pathnames.h readconf.c readconf.h
      servconf.c servconf.h ssh.c sshconnect.c sshconnect.h sshconnect1.c
      sshconnect2.c sshd_config]
     implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
     similar to RhostRSAAuthentication unless you enable (the experimental)
     HostbasedUsesNameFromPacketOnly option.  please test. :)
 2001-04-12 23:34:34 +00:00
Ben Lindstrom 3fcf1a22b5 - markus@cvs.openbsd.org 2001/04/06 21:00:17 
[auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth2.c channels.c session.c
      ssh.c sshconnect.c sshconnect.h uidswap.c uidswap.h]
     do gid/groups-swap in addition to uid-swap, should help if /home/group
     is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks
     to olar@openwall.com is comments.  we had many requests for this.
 2001-04-08 18:26:59 +00:00
Ben Lindstrom 0cae04005e - markus@cvs.openbsd.org 2001/04/04 20:32:56 
[auth2.c]
     we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
 2001-04-04 23:47:52 +00:00
Damien Miller 5d57e50730 - OpenBSD CVS Sync 
- markus@cvs.openbsd.org 2001/03/28 22:43:31
     [auth.h auth2.c auth2-chall.c]
     check auth_root_allowed for kbd-int auth, too.
 2001-03-30 10:48:31 +10:00
Ben Lindstrom b31783d547 - markus@cvs.openbsd.org 2001/03/21 11:43:45 
[auth1.c auth2.c session.c session.h]
     merge common ssh v1/2 code
 2001-03-22 02:02:12 +00:00
Ben Lindstrom eebc4a2ed3 - (bal) auth-chall.c auth-passwd.c auth.h auth1.c auth2.c session.c CVS ID 
resync
 2001-03-22 01:22:03 +00:00
Ben Lindstrom b54873ad24 - markus@cvs.openbsd.org 2001/03/11 13:25:36 
[auth2.c key.c]
     debug
 2001-03-11 20:01:55 +00:00
Ben Lindstrom 9c5324422e - (bal) CVS ID touch up on auth2.c, serverloop.c, session.c & sshd.c 2001-03-05 07:33:14 +00:00