tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
10,147 Commits 6 Branches 20 Tags 98 MiB
Commit Graph

10147 Commits

Author SHA1 Message Date
Darren Tucker 5af6fd5461 Allow clock_nanosleep_time64 in seccomp sandbox. 
Needed on Linux ARM.  bz#3100, patch from jjelen@redhat.com.
 2019-12-16 13:55:56 +11:00
Darren Tucker fff8ff6dd5 Put SK ECDSA bits inside ifdef OPENSSL_HAS_ECC. 
Fixes build when linking against OpenSSLs built with no-ec.
 2019-12-15 18:27:02 +11:00
Damien Miller 9244990ecd remove a bunch of ENABLE_SK #ifdefs 
The ssh-sk-helper client API gives us a nice place to disable
security key support when it is wasn't enabled at compile time,
so we don't need to check everywere.

Also, verification of security key signatures can remain enabled
all the time - it has no additional dependencies. So sshd can
accept security key pubkeys in authorized_keys, etc regardless of
the host's support for dlopen, etc.
 2019-12-14 09:21:46 +11:00
Damien Miller a33ab1688b ssh-sk-client.c needs includes.h 2019-12-14 09:15:06 +11:00
Damien Miller 633778d567 only link ssh-sk-helper against libfido2 2019-12-14 08:40:58 +11:00
Damien Miller 7b47b40b17 adapt Makefile to ssh-sk-client everywhere 2019-12-14 08:40:58 +11:00
Damien Miller f45f3a8a12 fixup 2019-12-14 07:53:11 +11:00
djm@openbsd.org d214347667 upstream: actually commit the ssh-sk-helper client code; ok markus 
OpenBSD-Commit-ID: fd2ea776a5bbbf4d452989d3c3054cf25a5e0589
 2019-12-14 07:21:27 +11:00
djm@openbsd.org 611073fb40 upstream: perform security key enrollment via ssh-sk-helper too. 
This means that ssh-keygen no longer needs to link against ssh-sk-helper, and
only ssh-sk-helper needs libfido2 and /dev/uhid* access;

feedback & ok markus@

OpenBSD-Commit-ID: 9464233fab95708d2ff059f8bee29c0d1f270800
 2019-12-14 07:20:28 +11:00
djm@openbsd.org 612b1dd1ec upstream: allow sshbuf_put_stringb(buf, NULL); ok markus@ 
OpenBSD-Commit-ID: 91482c1ada9adb283165d48dafbb88ae91c657bd
 2019-12-14 07:17:44 +11:00
djm@openbsd.org b52ec0ba39 upstream: use ssh-sk-helper for all security key signing operations 
This extracts and refactors the client interface for ssh-sk-helper
from ssh-agent and generalises it for use by the other programs.
This means that most OpenSSH tools no longer need to link against
libfido2 or directly interact with /dev/uhid*

requested by, feedback and ok markus@

OpenBSD-Commit-ID: 1abcd3aea9a7460eccfbf8ca154cdfa62f1dc93f
 2019-12-14 07:17:44 +11:00
djm@openbsd.org c33d46868c upstream: add a note about the 'extensions' field in the signed 
object

OpenBSD-Commit-ID: 67c01e0565b258e0818c1ccfe1f1aeaf9a0d4c7b
 2019-12-14 07:09:23 +11:00
djm@openbsd.org a62f4e1960 upstream: some more corrections for documentation problems spotted 
by Ron Frederick

document certifiate private key format
correct flags type for sk-ssh-ed25519@openssh.com keys

OpenBSD-Commit-ID: fc4e9a1ed7f9f7f9dd83e2e2c59327912e933e74
 2019-12-11 19:11:07 +11:00
djm@openbsd.org 22d4beb796 upstream: loading security keys into ssh-agent used the extension 
constraint "sk-provider@openssh.com", not "sk@openssh.com"; spotted by Ron
Frederick

OpenBSD-Commit-ID: dbfba09edbe023abadd5f59c1492df9073b0e51d
 2019-12-11 19:11:07 +11:00
djm@openbsd.org 75f7f22a43 upstream: add security key types to list of keys allowed to act as 
CAs; spotted by Ron Frederick

OpenBSD-Commit-ID: 9bb0dfff927b4f7aa70679f983f84c69d45656c3
 2019-12-11 19:11:07 +11:00
djm@openbsd.org 516605f2d5 upstream: when acting as a CA and using a security key as the CA 
key, remind the user to touch they key to authorise the signature.

OpenBSD-Commit-ID: fe58733edd367362f9766b526a8b56827cc439c1
 2019-12-11 19:08:22 +11:00
djm@openbsd.org c4036fe75e upstream: chop some unnecessary and confusing verbiage from the 
security key protocol description; feedback from Ron Frederick

OpenBSD-Commit-ID: 048c9483027fbf9c995e5a51b3ac502989085a42
 2019-12-11 19:08:22 +11:00
djm@openbsd.org 59175a350f upstream: fix setting of $SSH_ASKPASS_PROMPT - it shouldn't be set 
when asking passphrases, only when confirming the use of a key (i.e. for
ssh-agent keys added with "ssh-add -c keyfile")

OpenBSD-Commit-ID: 6643c82960d9427d5972eb702c917b3b838ecf89
 2019-12-11 19:08:22 +11:00
djm@openbsd.org 36eaa356d3 upstream: bring the __func__ 
OpenBSD-Commit-ID: 71a3a45b0fe1b8f680ff95cf264aa81f7abbff67
 2019-12-11 19:08:22 +11:00
jmc@openbsd.org 483cc723d1 upstream: tweak the Nd lines for a bit of consistency; ok markus 
OpenBSD-Commit-ID: 876651bdde06bc1e72dd4bd7ad599f42a6ce5a16
 2019-12-11 19:08:22 +11:00
Darren Tucker afffd31036 Check if memmem is declared in system headers. 
If the system (or one of the dependencies) implements memmem but does
not define the header, we would not declare it either resulting in
compiler warnings.  Check for declaration explicitly.  bz#3102.
 2019-12-11 13:22:06 +11:00
Darren Tucker ad8cd42079 Sort depends. 2019-12-11 13:13:14 +11:00
Darren Tucker 5e3abff39e Sort .depend when rebuilding. 
This makes diffs more stable between makedepend implementations.
 2019-12-11 13:12:59 +11:00
Darren Tucker 5df9d1f5c0 Update depend to include sk files. 2019-12-11 13:06:43 +11:00
Darren Tucker 9a967c5bbf Describe how to build libcrypto as PIC. 
While there, move the OpenSSL 1.1.0g caveat closer to the other version
information.
 2019-12-09 20:25:26 +11:00
Darren Tucker b66fa5da25 Recommend running LibreSSL or OpenSSL self-tests. 2019-12-09 17:23:22 +11:00
Darren Tucker fa7924008e Wrap ECC specific bits in ifdef. 
Fixes tests when built against an OpenSSL configured with no-ec.
 2019-12-06 14:17:26 +11:00
Darren Tucker 2ff822eabd Wrap sha2.h include in ifdef. 
Fixes build --without-openssl on at least Fedora.
 2019-11-29 20:21:36 +11:00
Damien Miller 443848155f compile sk-dummy.so with no-PIE version of LDFLAGS 
This lets it pick up the -L path to libcrypto for example.
 2019-11-29 15:10:21 +11:00
Damien Miller 37f5b5346e includes.h for sk-dummy.c, dummy 2019-11-29 14:48:46 +11:00
Damien Miller b218055e59 (yet) another x-platform fix for sk-dummy.so 
Check for -fPIC support from compiler

Compile libopenbsd-compat -fPIC

Don't mix -fPIE and -fPIC when compiling
 2019-11-29 12:32:23 +11:00
Damien Miller 0dedb703ad needs includes.h for WITH_OPENSSL 2019-11-29 11:53:57 +11:00
Damien Miller ef3853bb94 another attempt at sk-dummy.so working x-platform 
include a fatal() implementation to satisfy libopenbsd-compat

clean up .lo and .so files

.gitignore .lo and .so files
 2019-11-29 11:52:23 +11:00
djm@openbsd.org d46ac56f1c upstream: lots of dependencies go away here with ed25519 no longer 
needing the ssh_digest API.

OpenBSD-Regress-ID: 785847ec78cb580d141e29abce351a436d6b5d49
 2019-11-29 11:19:48 +11:00
djm@openbsd.org 7404b81f25 upstream: perform hashing directly in crypto_hash_sha512() using 
libcrypto or libc SHA512 functions rather than calling ssh_digest_memory();
avoids many dependencies on ssh code that complicate standalone use of
ed25519, as we want to do in sk-dummy.so

OpenBSD-Commit-ID: 5a3c37593d3ba7add037b587cec44aaea088496d
 2019-11-29 11:17:39 +11:00
jmc@openbsd.org d39a865b7a upstream: improve the text for -A a little; input from naddy and 
djm

OpenBSD-Commit-ID: f9cdfb1d6dbb9887c4bf3bb25f9c7a94294c988d
 2019-11-29 11:17:39 +11:00
jmc@openbsd.org 9a0e01bd0c upstream: reshuffle the text to read better; input from naddy, 
djmc, and dtucker

OpenBSD-Commit-ID: a0b2aca2b67614dda3d6618ea097bf0610c35013
 2019-11-29 11:17:39 +11:00
Damien Miller 5ca52c0f2e $< doesn't work as` I thought; explicily list objs 2019-11-28 18:10:37 +11:00
djm@openbsd.org 18e84bfdc5 upstream: tweak wording 
OpenBSD-Commit-ID: bd002ca1599b71331faca735ff5f6de29e32222e
 2019-11-28 17:54:42 +11:00
Damien Miller 8ef5bf9d03 missing .SUFFIXES line makes make sad 2019-11-28 13:12:30 +11:00
Damien Miller 323da82b8e (hopefully) fix out of tree builds of sk-dummy.so 2019-11-28 09:53:42 +11:00
djm@openbsd.org d8b2838c5d upstream: remove stray semicolon after closing brace of function; 
from Michael Forney

OpenBSD-Commit-ID: fda95acb799bb160d15e205ee126117cf33da3a7
 2019-11-28 09:38:11 +11:00
dtucker@openbsd.org 6e1d1bbf5a upstream: Revert previous commit. The channels code still uses int 
in many places for channel ids so the INT_MAX check still makes sense.

OpenBSD-Commit-ID: 532e4b644791b826956c3c61d6ac6da39bac84bf
 2019-11-28 09:38:11 +11:00
Damien Miller 4898924465 wire sk-dummy.so into test suite 2019-11-27 16:03:27 +11:00
djm@openbsd.org f79364baca upstream: use error()+_exit() instead of fatal() to avoid running 
cleanup handlers in child process; spotted via weird regress failures in
portable

OpenBSD-Commit-ID: 6902a9bb3987c7d347774444f7979b8a9ba7f412
 2019-11-27 16:02:46 +11:00
dtucker@openbsd.org 70ec5e5e26 upstream: Make channel_id u_int32_t and remove unnecessary check 
and cast that were left over from the type conversion.  Noted by
t-hashida@amiya.co.jp in bz#3098, ok markus@ djm@

OpenBSD-Commit-ID: 3ad105b6a905284e780b1fd7ff118e1c346e90b5
 2019-11-27 16:02:46 +11:00
djm@openbsd.org ad44ca81be upstream: test FIDO2/U2F key types; ok markus@ 
OpenBSD-Regress-ID: 367e06d5a260407619b4b113ea0bd7004a435474
 2019-11-27 11:02:49 +11:00
djm@openbsd.org c6efa8a91a upstream: add dummy security key middleware based on work by 
markus@

This will allow us to test U2F/FIDO2 support in OpenSSH without
requiring real hardware.

ok markus@

OpenBSD-Regress-ID: 88b309464b8850c320cf7513f26d97ee1fdf9aae
 2019-11-27 10:47:28 +11:00
jmc@openbsd.org 8635afa1cd upstream: tweak previous; 
OpenBSD-Commit-ID: a4c097364c75da320f1b291568db830fb1ee4883
 2019-11-27 10:44:29 +11:00
djm@openbsd.org e0d38ae9bc upstream: more debugging; behind DEBUG_SK 
OpenBSD-Commit-ID: a978896227118557505999ddefc1f4c839818b60
 2019-11-27 10:44:29 +11:00