b5fcb0ac1c
upstream: check access(ssh-sk-helper, X_OK) to provide friendly
...
error message for misconfigured helper paths
OpenBSD-Commit-ID: 061bcc262155d12e726305c91394ac0aaf1f8341
2020-01-21 18:09:25 +11:00
56bced43c1
upstream: Document sntrup4591761x25519-sha512@tinyssh.org. Patch
...
from jtesta@positronsecurity.com via github PR#151.
OpenBSD-Commit-ID: f3d48168623045c258245c340a5a2af7dbb74edc
2020-01-21 18:09:09 +11:00
4a05d789b8
upstream: fix ssh-keygen not displaying authenticator touch
...
prompt; reported by jmc@
OpenBSD-Commit-ID: 04d4f582fc194eb3897ebcbfe286c49958ba2859
2020-01-21 18:09:09 +11:00
881aded038
upstream: a little more verbosity in sign_and_send_pubkey() debug
...
messages
OpenBSD-Commit-ID: 6da47a0e6373f6683006f49bc2a516d197655508
2020-01-21 18:09:09 +11:00
b715fdc71b
upstream: one more replacement "(security) key" -> "(FIDO)
...
authenticator"
OpenBSD-Commit-ID: 031bca03c1d1f878ab929facd561911f1bc68dfd
2020-01-21 18:09:09 +11:00
84911da1be
upstream: undo merge error and replace the term "security key"
...
again
OpenBSD-Commit-ID: 341749062c089cc360a7877e9ee3a887aecde395
2020-01-21 18:09:09 +11:00
e8c06c4ee7
upstream: Document loading of resident keys from a FIDO
...
authenticator.
* Rename -O to -K to keep "-O option" available.
* Document -K.
* Trim usage() message down to synopsis, like all other commands.
ok markus@
OpenBSD-Commit-ID: 015c2c4b28f8e19107adc80351b44b23bca4c78a
2020-01-21 18:09:09 +11:00
0d005d6372
upstream: sync ssh-keygen.1 and ssh-keygen's usage() with each
...
other and reality ok markus@
OpenBSD-Commit-ID: cdf64454f2c3604c25977c944e5b6262a3bcce92
2020-01-21 18:09:09 +11:00
b8a4ca2ebf
upstream: revise the fix for reversed arguments on
...
expand_proxy_command()
Always put 'host' before 'host_arg' for consistency. ok markus@ djm@
OpenBSD-Commit-ID: 1ba5b25472779f1b1957295fcc6907bb961472a3
2020-01-21 18:09:09 +11:00
57b181eaf2
upstream: pass the log-on-stderr flag and log level through to
...
ssh-sk-helper, making debugging a bit easier. ok markus@
OpenBSD-Commit-ID: 2e7aea6bf5770d3f38b7c7bba891069256c5a49a
2020-01-21 18:09:09 +11:00
a8bd5fdbdb
Wrap copy_environment_blacklist() in #ifdef
...
It's only needed for USE_PAM or HAVE_CYGWIN cases and will cause compiler
warnings otherwise.
2020-01-21 12:32:16 +11:00
10ecc647fc
depend
2020-01-21 12:20:05 +11:00
b3f7009c9f
Fix missing prototype warning for copy_environment
...
This function is only used in this file, and only on Cygwin, so make
it static and hide it behind HAVE_CYGWIN. Prevents missing prototype
warning.
2020-01-21 10:47:29 +11:00
0c428c0e99
configure.ac: fix ldns test
...
When running ./configure --with-ldns, if ldns-config cannot be found, we
add -Iyes/include to CPPFLAGS and -Lyes/lib to LDFLAGS. Fix that.
2020-01-21 10:46:11 +11:00
6089abf715
Make sshpam_password_change_required static.
...
sshpam_password_change_required is only used in auth-pam.c, so make it
static to prevent a mising prototype warning.
2020-01-21 10:39:49 +11:00
5a9b9c8285
sandbox-darwin.c: fix missing prototypes.
...
Include the right header just like the other sandbox files.
Fixes missing prototype warnings for ssh_sandbox_* functions.
2020-01-21 10:37:25 +11:00
335dc93526
Fix a few warnings when on Mac OS X.
...
Include stdlib.h for calloc, malloc, free and setenv.
2020-01-20 21:17:11 +11:00
0488dc2d30
Fix building without openssl.
...
This fixes the following when there are no openssl headers on the system:
ssh-ecdsa-sk.c:34:10: fatal error: 'openssl/bn.h' file not found
2020-01-20 21:14:46 +11:00
e6b7157b4e
Add config.log to .gitignore
2020-01-16 13:27:23 +11:00
515e10ddf9
Fix typo in README.md, s/crytpo/crypto/
2020-01-16 13:26:46 +11:00
1af3354aea
Wrap stdint.h in ifdef HAVE_STDINT_H.
2020-01-15 16:22:36 +11:00
429170f273
Wrap stdint.h inside HAVE_STDINT_H.
2020-01-14 14:41:47 +11:00
a0989b6021
Include compat header for definitions.
2020-01-14 14:28:01 +11:00
e0cedcad51
Improve search for 'struct timespec'.
...
Make struct timespec test consistent with existing timeval test.
Include time.h for timespec in compat header where required.
2020-01-14 14:28:01 +11:00
acaf9e0585
Update depend to remove rmd160.h.
2020-01-14 12:43:03 +11:00
26b2675b0c
Remove configure test & compat code for ripemd160.
...
RIPEMD160 support was removed upstream in 2017, however we still had
a configure test and compat code for it, so clean those up now.
2020-01-14 12:05:00 +11:00
ed3ad71b17
upstream: fix reversed arguments on expand_proxy_command(); spotted
...
by anton@
OpenBSD-Commit-ID: db1c32478a01dfbc9c4db171de0f25907bea5775
2020-01-09 21:29:19 +11:00
cd53476383
upstream: put the fido options in a list, and tidy up the text a
...
little; ok djm
OpenBSD-Commit-ID: 491ce15ae52a88b7a6a2b3b6708a14b4aacdeebb
2020-01-09 21:29:19 +11:00
30f704ebc0
Deny (non-fatal) ipc in preauth privsep child.
...
As noted in openssh/openssh-portable#149 , i386 does not have have
_NR_shmget etc. Instead, it has a single ipc syscall (see man 2 ipc,
https://linux.die.net/man/2/ipc ). Add this syscall, if present, to the
list of syscalls that seccomp will deny non-fatally.
2020-01-08 21:47:44 +11:00
b110cefdfb
seccomp: Allow clock_gettime64() in sandbox.
...
This helps sshd accept connections on mips platforms with
upcoming glibc ( 2.31 )
2020-01-08 12:10:00 +11:00
3cc60c899a
upstream: missing else in check_enroll_options()
...
OpenBSD-Commit-ID: e058fb918fda56ddbbf0bee910101004cec421d4
2020-01-06 13:40:28 +11:00
ff5784e269
upstream: fix error message
...
OpenBSD-Commit-ID: 1eb52025658eb78ea6223181e552862198d3d505
2020-01-06 13:25:26 +11:00
dd2acc8b86
upstream: adapt sk-dummy to SK API changes
...
also, make it pull prototypes directly from sk-api.c and #error
if the expected version changes. This will make any future regress
test breakage because of SK API changes much more apparent
OpenBSD-Regress-ID: 79b07055de4feb988e31da71a89051ad5969829d
2020-01-06 13:12:46 +11:00
c312ca077c
upstream: Extends the SK API to accept a set of key/value options
...
for all operations. These are intended to future-proof the API a little by
making it easier to specify additional fields for without having to change
the API version for each.
At present, only two options are defined: one to explicitly specify
the device for an operation (rather than accepting the middleware's
autoselection) and another to specify the FIDO2 username that may
be used when generating a resident key. These new options may be
invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour
of uint32_t for the algorithm argument in the API, to make implementation
of ssh-sk-client/helper a little easier.
feedback, fixes and ok markus@
OpenBSD-Commit-ID: 973ce11704609022ab36abbdeb6bc23c8001eabc
2020-01-06 13:12:46 +11:00
2ab335712d
upstream: fix CanonicalizeHostname, broken by rev 1.507
...
Issue noticed and reported by Pierre-Olivier Martel <pom@apple.com>
ok dtucker@ markus@ djm@
OpenBSD-Commit-ID: 749f3168ec520609c35b0c4e1984e5fa47f16094
2020-01-06 13:12:46 +11:00
69e44ba701
Fix typo: 'you' -> 'your'.
...
bz#3108 from jmckitrick@gmail.com .
2020-01-06 09:02:53 +11:00
7652a57662
Remove auth-skey.c.
...
S/Key support was removed in OpenSSH 7.8 but this file was missed.
2020-01-06 08:56:46 +11:00
c593cc5e82
upstream: the download resident keys option is -K (upper) not -k
...
(lower); ok djm
OpenBSD-Commit-ID: 71dc28a3e1fa7c553844abc508845bcf5766e091
2020-01-04 10:15:03 +11:00
ff31f15773
upstream: what bozo decided to use 2020 as a future date in a regress
...
test?
OpenBSD-Regress-ID: 3b953df5a7e14081ff6cf495d4e8d40e153cbc3a
2020-01-04 10:14:21 +11:00
680eb7749a
upstream: implement recent SK API change to support resident keys
...
and PIN prompting in the dummy middleware that we use for the tests. Should
fix breakage spotted by dtucker@
OpenBSD-Regress-ID: 379cf9eabfea57aaf7f3f59dafde59889566c484
2020-01-03 13:47:32 +11:00
86834fe6b5
upstream: Update keygen moduli screen test to match recent command
...
line option change to ssh-keygen(1).
OpenBSD-Regress-ID: 744a72755004377e9669b662c13c6aa9ead8a0c3
2020-01-03 13:47:32 +11:00
9039971887
upstream: ability to download FIDO2 resident keys from a token via
...
"ssh-keygen -K". This will save public/private keys into the current
directory.
This is handy if you move a token between hosts.
feedback & ok markus@
OpenBSD-Commit-ID: d57c1f9802f7850f00a117a1d36682a6c6d10da6
2020-01-03 09:43:24 +11:00
878ba4350d
upstream: add sshkey_save_public(), to save a public key; ok
...
markus@
OpenBSD-Commit-ID: 5d6f96a966d10d7fa689ff9aa9e1d6767ad5a076
2020-01-03 09:41:20 +11:00
3b1382ffd5
upstream: simplify the list for moduli options - no need for
...
-compact;
OpenBSD-Commit-ID: 6492c72280482c6d072be46236b365cb359fc280
2020-01-03 09:41:20 +11:00
0248ec7c76
ssh-sk-null.cc needs extern "C" {}
2020-01-02 13:41:31 +11:00
5ca4b414ef
add dummy ssh-sk API for linking with fuzzers
2020-01-02 11:15:49 +11:00
c4b2664be7
refresh depend
2019-12-30 21:04:09 +11:00
3093d12ff8
upstream: Remove the -x option currently used for
...
FIDO/U2F-specific key flags. Instead these flags may be specified via -O.
ok markus@
OpenBSD-Commit-ID: f23ebde2a8a7e1bf860a51055a711cffb8c328c1
2019-12-30 21:02:29 +11:00
ef65e7dbaa
upstream: document SK API changes in PROTOCOL.u2f
...
ok markus@
OpenBSD-Commit-ID: 52622363c103a3c4d3d546050480ffe978a32186
2019-12-30 21:01:52 +11:00
43ce96427b
upstream: translate and return error codes; retry on bad PIN
...
Define some well-known error codes in the SK API and pass
them back via ssh-sk-helper.
Use the new "wrong PIN" error code to retry PIN prompting during
ssh-keygen of resident keys.
feedback and ok markus@
OpenBSD-Commit-ID: 9663c6a2bb7a0bc8deaccc6c30d9a2983b481620
2019-12-30 21:01:51 +11:00
djm@openbsd.org
dtucker@openbsd.org
naddy@openbsd.org
Damien Miller
Ruben Kerkhof
Darren Tucker
jmc@openbsd.org
Jeremy Drake
Khem Raj
beck@openbsd.org