AuthorizedKeysCommand accept the %D (routing domain) and a new %C (connection
address/port 4-tuple) as expansion sequences; ok markus
OpenBSD-Commit-ID: ee9a48bf1a74c4ace71b69de69cfdaa2a7388565
Previously sk-dummy.so used libc's (or compat's) SHA256 since it may be
built without OpenSSL. In many cases, however, including both libc's
and OpenSSL's headers together caused conflicting definitions.
We tried working around this (on OpenSSL <1.1 you could define
OPENSSL_NO_SHA, NetBSD had USE_LIBC_SHA2, various #define hacks) with
varying levels of success. Since OpenSSL >=1.1 removed OPENSSL_NO_SHA
and including most OpenSSL headers would bring sha.h in, even if it
wasn't used directly this was a constant hassle.
Admit defeat and use OpenSSL's SHA256 unless we aren't using OpenSSL at
all. ok djm@
multiplexed cases (inc. ControlPersist). bz3589 bz3589 Based on patches by
Peter Chubb; ok dtucker@
OpenBSD-Commit-ID: a7a2976a54b93e6767dc846b85647e6ec26969ac
Make ssh-pkcs11-client start an independent helper for each provider,
providing better isolation between modules and reliability if a single
module misbehaves.
This also implements reference counting of PKCS#11-hosted keys,
allowing ssh-pkcs11-helper subprocesses to be automatically reaped
when no remaining keys reference them. This fixes some bugs we have
that make PKCS11 keys unusable after they have been deleted, e.g.
https://bugzilla.mindrot.org/show_bug.cgi?id=3125
ok markus@
OpenBSD-Commit-ID: 0ce188b14fe271ab0568f4500070d96c5657244e
This checks via nlist(3) that candidate provider libraries contain one
of the symbols that we will require prior to dlopen(), which can cause
a number of side effects, including execution of constructors.
Feedback deraadt; ok markus
OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe
libraries to ssh-agent by default.
The old behaviour of allowing remote clients from loading providers
can be restored using `ssh-agent -O allow-remote-pkcs11`.
Detection of local/remote clients requires a ssh(1) that supports
the `session-bind@openssh.com` extension. Forwarding access to a
ssh-agent socket using non-OpenSSH tools may circumvent this control.
ok markus@
OpenBSD-Commit-ID: 4c2bdf79b214ae7e60cc8c39a45501344fa7bd7c
valid magic number and not SSH_ERR_MESSAGE_INCOMPLETE; the former is needed
to fall back to text revocation lists in some cases; fixes t-cert-hostkey.
OpenBSD-Commit-ID: 5c670a6c0f027e99b7774ef29f18ba088549c7e1
This adds a ssh_config(5) "Tag" directive and corresponding
"Match tag" predicate that may be used to select blocks of
configuration similar to the pf.conf(5) keywords of the same
name.
ok markus
OpenBSD-Commit-ID: dc08358e70e702b59ac3e591827e5a96141b06a3
This allows matching on the addresses of available network interfaces
and may be used to vary the effective client configuration based on
network location (e.g. to use a ProxyJump when not on a particular
network).
ok markus@
OpenBSD-Commit-ID: cffb6ff9a3803abfc52b5cad0aa190c5e424c139
When the KRL format was originally defined, it included support for
signing of KRL objects. However, the code to sign KRLs and verify KRL
signatues was never completed in OpenSSH.
Now, some years later, we have SSHSIG support in ssh-keygen that is
more general, well tested and actually works. So this removes the
semi-finished KRL signing/verification support from OpenSSH and
refactors the remaining code to realise the benefit - primarily, we
no longer need to perform multiple parsing passes over KRL objects.
ok markus@
OpenBSD-Commit-ID: 517437bab3d8180f695c775410c052340e038804
This defines wire formats for optional KRL extensions and implements
parsing of the new submessages. No actual extensions are supported at
this point.
ok markus
OpenBSD-Commit-ID: ae2fcde9a22a9ba7f765bd4f36b3f5901d8c3fa7
sshd_config.
Previously this directive would accept certificate algorithm names, but
these were unusable in practice as OpenSSH does not support CA chains.
part of bz3577; ok dtucker@
OpenBSD-Commit-ID: a992d410c8a78ec982701bc3f91043dbdb359912
algorithms that are valid for CA signing. Previous behaviour was to list all
signing algorithms, including certificate algorithms (OpenSSH certificates do
not support CA chains). part of bz3577; ok dtucker@
OpenBSD-Commit-ID: 99c2b072dbac0f44fd1f2269e3ff6c1b5d7d3e59
using ssh -W by explicitly decoding PORT_STREAMLOCAL (a negative number) from
the u32 that's passed over the multiplexing socket; previously code would
just cast, which is UB.
OpenBSD-Commit-ID: e5ac5f40d354096c51e8c118a5c1b2d2b7a31384
fixes "no comment" not showing on when running `ssh-keygen -l` on multiple
keys where one has a comment and other following keys do not. Patch from
Markus Kuhn via GHPR407, bz3580
OpenBSD-Commit-ID: 3cce84456fdcd67dc6b84e369f92c6686d111d9b
INT_MAX. Fixes sign compare warnings systems with 32-bit time_t due to type
promotion. OK djm@
OpenBSD-Commit-ID: 48081e9ad35705c5f1705711704a4c2ff94e87b7
This makes the ssh-copy-id man page more consistent with the rest of the
OpenSSH man pages:
- new sentence, new line
- no sentences >80
- N.B. -> NB
- zap unused .Pp
- zap trailing whitespace
Report from Debian via mindrot bz#3331, diff from jmc at openbsd.org.
SSH-Copy-ID-Upstream: d8974cfb6242316460ed22a1ccc662800a50c5d3
This was inspired by this:
https://github.com/openssh/openssh-portable/pull/321
but I thought that it was better to not do the sed patching.
BTW the reason one can get away with using $SSH_OPTS throughout, despite
the lowercase -p in there, even if sftp is in use, is that the sftp call
is using the already-established ssh master connection, so the port was
passed to the earlier ssh.
SSH-Copy-ID-Upstream: 1c124d9bfafdbe28a00b683367ebf5750ce12eb2