d834d35834
- djm@cvs.openbsd.org 2010/06/23 02:59:02
...
[ssh-keygen.c]
fix printing of extensions in v01 certificates that I broke in r1.190
2010-06-26 09:48:02 +10:00
1b2b61e6f8
- djm@cvs.openbsd.org 2010/06/22 04:59:12
...
[session.c]
include the user name on "subsystem request for ..." log messages;
bz#1571; ok dtucker@
2010-06-26 09:47:43 +10:00
0e76c5e502
- djm@cvs.openbsd.org 2010/06/22 04:54:30
...
[ssh-keyscan.c]
replace verbose and overflow-prone Linebuf code with read_keyfile_line()
based on patch from joachim AT joachimschipper.nl; bz#1565; ok dtucker@
2010-06-26 09:39:59 +10:00
48147d6801
- djm@cvs.openbsd.org 2010/06/22 04:49:47
...
[auth.c]
queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
2010-06-26 09:39:25 +10:00
ba3420acd2
- djm@cvs.openbsd.org 2010/06/22 04:32:06
...
[ssh-keygen.c]
standardise error messages when attempting to open private key
files to include "progname: filename: error reason"
bz#1783; ok dtucker@
2010-06-26 09:39:07 +10:00
ab6de35140
- djm@cvs.openbsd.org 2010/06/22 04:22:59
...
[servconf.c sshd_config.5]
expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@
2010-06-26 09:38:45 +10:00
495663165f
- djm@cvs.openbsd.org 2010/06/18 04:43:08
...
[sftp-client.c]
fix memory leak in do_realpath() error path; bz#1771, patch from
anicka AT suse.cz
2010-06-26 09:38:23 +10:00
7aa46ec393
- djm@cvs.openbsd.org 2010/06/18 03:16:03
...
[session.c]
Missing check for chroot_director == "none" (we already checked against
NULL); bz#1564 from Jan.Pechanec AT Sun.COM
2010-06-26 09:37:57 +10:00
99ac4e9546
- djm@cvs.openbsd.org 2010/06/18 00:58:39
...
[sftp.c]
unbreak ls in working directories that contains globbing characters in
their pathnames. bz#1655 reported by vgiffin AT apple.com
2010-06-26 09:36:58 +10:00
c094d1e481
- djm@cvs.openbsd.org 2010/06/17 07:07:30
...
[mux.c]
Correct sizing of object to be allocated by calloc(), replacing
sizeof(state) with sizeof(*state). This worked by accident since
the struct contained a single int at present, but could have broken
in the future. patch from hyc AT symas.com
2010-06-26 09:36:34 +10:00
4fe686d35f
- markus@cvs.openbsd.org 2010/06/08 21:32:19
...
[ssh-pkcs11.c]
check length of value returned C_GetAttributValue for != 0
from mdrtbugzilla@codefive.co.uk ; bugzilla #1773 ; ok dtucker@
2010-06-26 09:36:10 +10:00
2e77446a13
- OpenBSD CVS Sync
...
- djm@cvs.openbsd.org 2010/05/21 05:00:36
[misc.c]
colon() returns char*, so s/return (0)/return NULL/
2010-06-26 09:30:47 +10:00
d82a260fdf
- (djm) [loginrec.c] crank LINFO_NAMESIZE (username length) to 512
...
bz#1579; ok dtucker
2010-06-22 15:02:39 +10:00
ea909791c5
- (djm) [contrib/ssh-copy-id] Update key file explicitly under ~
...
rather than assuming that $CWD == $HOME. bz#1500, patch from
timothy AT gelter.com
2010-06-18 11:09:24 +10:00
b9ae4ec556
- (tim) [contrib/cygwin/README] Remove a reference to the obsolete
...
minires-devel package, and to add the reference to the libedit-devel
package since CYgwin now provides libedit. Patch from Corinna Vinschen.
2010-06-17 11:11:44 -07:00
d0e4a8e2e0
- djm@cvs.openbsd.org 2010/05/20 23:46:02
...
[PROTOCOL.certkeys auth-options.c ssh-keygen.c]
Move the permit-* options to the non-critical "extensions" field for v01
certificates. The logic is that if another implementation fails to
implement them then the connection just loses features rather than fails
outright.
ok markus@
2010-05-21 14:58:32 +10:00
84399555f0
- djm@cvs.openbsd.org 2010/05/20 11:25:26
...
[auth2-pubkey.c]
fix logspam when key options (from="..." especially) deny non-matching
keys; reported by henning@ also bz#1765; ok markus@ dtucker@
2010-05-21 14:58:12 +10:00
388f6fc485
- markus@cvs.openbsd.org 2010/05/16 12:55:51
...
[PROTOCOL.mux clientloop.h mux.c readconf.c readconf.h ssh.1 ssh.c]
mux support for remote forwarding with dynamic port allocation,
use with
LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost`
feedback and ok djm@
2010-05-21 14:57:35 +10:00
d530f5f471
- djm@cvs.openbsd.org 2010/05/14 23:29:23
...
[channels.c channels.h mux.c ssh.c]
Pause the mux channel while waiting for reply from aynch callbacks.
Prevents misordering of replies if new requests arrive while waiting.
Extend channel open confirm callback to allow signalling failure
conditions as well as success. Use this to 1) fix a memory leak, 2)
start using the above pause mechanism and 3) delay sending a success/
failure message on mux slave session open until we receive a reply from
the server.
motivated by and with feedback from markus@
2010-05-21 14:57:10 +10:00
c6afb5f2c0
- djm@cvs.openbsd.org 2010/05/14 00:47:22
...
[ssh-add.c]
check that the certificate matches the corresponding private key before
grafting it on
2010-05-21 14:56:47 +10:00
3b903827eb
- djm@cvs.openbsd.org 2010/05/11 02:58:04
...
[auth-rsa.c]
don't accept certificates marked as "cert-authority" here; ok markus@
2010-05-21 14:56:25 +10:00
3bcce80b54
- djm@cvs.openbsd.org 2010/05/07 11:31:26
...
[regress/Makefile regress/cert-userkey.sh]
regress tests for AuthorizedPrincipalsFile and "principals=" key option.
feedback and ok markus@
2010-05-21 14:48:16 +10:00
4b1ec8381b
- (djm) [openbsd-compat/openssl-compat.h] Fix build breakage on older
...
libcrypto by defining OPENSSL_[DR]SA_MAX_MODULUS_BITS if they aren't
already. ok dtucker@
2010-05-12 17:49:59 +10:00
5b6d0d0eba
- (dtucker) [Makefile.in] Bug #1770 : Link libopenbsd-compat twice to solve
...
circular dependency problem on old or odd platforms. From Tom Lane, ok
djm@.
2010-05-12 16:51:38 +10:00
81d3fc535b
- jmc@cvs.openbsd.org 2010/05/07 12:49:17
...
[sshd_config.5]
tweak previous;
2010-05-10 11:58:45 +10:00
30da3447d2
- djm@cvs.openbsd.org 2010/05/07 11:30:30
...
[auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c]
[key.c servconf.c servconf.h sshd.8 sshd_config.5]
add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include the a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.
If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.
feedback and ok markus@
2010-05-10 11:58:03 +10:00
099fc1634e
- dtucker@cvs.openbsd.org 2010/05/05 04:22:09
...
[sftp.c]
restore mput and mget which got lost in the tab-completion changes.
found by Kenneth Whitaker, ok djm@
2010-05-10 11:56:50 +10:00
2725c2193b
- djm@cvs.openbsd.org 2010/05/01 02:50:50
...
[PROTOCOL.certkeys]
typo; jmeltzer@
2010-05-10 11:56:14 +10:00
79442c07c4
- djm@cvs.openbsd.org 2010/04/26 22:28:24
...
[sshconnect2.c]
bz#1502: authctxt.success is declared as an int, but passed by
reference to function that accepts sig_atomic_t*. Convert it to
the latter; ok markus@ dtucker@
2010-05-10 11:55:38 +10:00
bebbb7e8a5
- djm@cvs.openbsd.org 2010/04/23 22:48:31
...
[ssh-keygen.c]
refuse to generate keys longer than OPENSSL_[RD]SA_MAX_MODULUS_BITS,
since we would refuse to use them anyway. bz#1516; ok dtucker@
2010-05-10 11:54:38 +10:00
22a29880bb
- djm@cvs.openbsd.org 2010/04/23 22:42:05
...
[session.c]
set stderr to /dev/null for subsystems rather than just closing it.
avoids hangs if a subsystem or shell initialisation writes to stderr.
bz#1750; ok markus@
2010-05-10 11:53:54 +10:00
85c50d7858
- djm@cvs.openbsd.org 2010/04/23 22:27:38
...
[mux.c]
set "detach_close" flag when registering channel cleanup callbacks.
This causes the channel to close normally when its fds close and
hangs when terminating a mux slave using ~. bz#1758; ok markus@
2010-05-10 11:53:02 +10:00
50af79b118
- OpenBSD CVS Sync
...
- djm@cvs.openbsd.org 2010/04/23 01:47:41
[ssh-keygen.c]
bz#1740: display a more helpful error message when $HOME is
inaccessible while trying to create .ssh directory. Based on patch
from jchadima AT redhat.com; ok dtucker@
2010-05-10 11:52:00 +10:00
9f8703b573
- (dtucker) [configure.ac] Bug #1756 : Check for the existence of a lib64 dir
...
in the openssl install directory (some newer openssl versions do this on at
least some amd64 platforms).
2010-04-23 11:12:06 +10:00
e25a9bd740
- (dtucker) [contrib/aix/buildbff.sh] Fix creation of ssh_prng_cmds.default
...
file.
2010-04-18 13:35:00 +10:00
53f4bb6599
- OpenBSD CVS Sync
...
- djm@cvs.openbsd.org 2010/04/16 01:58:45
[regress/cert-hostkey.sh regress/cert-userkey.sh]
regression tests for v01 certificate format
includes interop tests for v00 certs
2010-04-18 08:15:14 +10:00
c617aa9ff5
- djm@cvs.openbsd.org 2010/04/16 21:14:27
...
[sshconnect.c]
oops, %r => remote username, not %u
2010-04-18 08:08:20 +10:00
1f181425e9
- jmc@cvs.openbsd.org 2010/04/16 06:47:04
...
[ssh-keygen.1 ssh-keygen.c]
tweak previous; ok djm
2010-04-18 08:08:03 +10:00
c4eddee1b7
- OpenBSD CVS Sync
...
- jmc@cvs.openbsd.org 2010/04/16 06:45:01
[ssh_config.5]
tweak previous; ok djm
2010-04-18 08:07:43 +10:00
4e270b05dd
- djm@cvs.openbsd.org 2010/04/16 01:47:26
...
[PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c]
[auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c]
[ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c]
[sshconnect.c sshconnect2.c sshd.c]
revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the
following changes:
move the nonce field to the beginning of the certificate where it can
better protect against chosen-prefix attacks on the signature hash
Rename "constraints" field to "critical options"
Add a new non-critical "extensions" field
Add a serial number
The older format is still support for authentication and cert generation
(use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)
ok markus@
2010-04-16 15:56:21 +10:00
031c9100df
- markus@cvs.openbsd.org 2010/04/15 20:32:55
...
[ssh-pkcs11.c]
retry lookup for private key if there's no matching key with CKA_SIGN
attribute enabled; this fixes fixes MuscleCard support (bugzilla #1736 )
ok djm@
2010-04-16 15:54:44 +10:00
b1b17047e3
- djm@cvs.openbsd.org 2010/04/14 22:27:42
...
[ssh_config.5 sshconnect.c]
expand %r => remote username in ssh_config:ProxyCommand;
ok deraadt markus
2010-04-16 15:54:19 +10:00
601a23c02c
- djm@cvs.openbsd.org 2010/04/10 05:48:16
...
[mux.c]
fix NULL dereference; from matthew.haub AT alumni.adelaide.edu.au
2010-04-16 15:54:01 +10:00
88680654ad
- djm@cvs.openbsd.org 2010/04/10 02:10:56
...
[sshconnect2.c]
show the key type that we are offering in debug(), helps distinguish
between certs and plain keys as the path to the private key is usually
the same.
2010-04-16 15:53:43 +10:00
22c97f1539
- djm@cvs.openbsd.org 2010/04/10 02:08:44
...
[clientloop.c]
bz#1698: kill channel when pty allocation requests fail. Fixed
stuck client if the server refuses pty allocation.
ok dtucker@ "think so" markus@
2010-04-16 15:53:23 +10:00
672839994e
- djm@cvs.openbsd.org 2010/04/10 00:04:30
...
[sshconnect.c]
fix terminology: we didn't find a certificate in known_hosts, we found
a CA key
2010-04-16 15:53:02 +10:00
deb5a1423a
- djm@cvs.openbsd.org 2010/04/10 00:00:16
...
[ssh.c]
bz#1746 - suppress spurious tty warning when using -O and stdin
is not a tty; ok dtucker@ markus@
2010-04-16 15:52:43 +10:00
544378da56
- jmc@cvs.openbsd.org 2010/03/27 14:26:55
...
[ssh_config.5]
tweak previous; ok dtucker
2010-04-16 15:52:24 +10:00
67f30d70d9
- jmc@cvs.openbsd.org 2010/03/26 06:54:36
...
[ssh.1]
tweak previous;
2010-04-16 15:52:03 +10:00
d6fc3065da
- OpenBSD CVS Sync
...
- djm@cvs.openbsd.org 2010/03/26 03:13:17
[bufaux.c]
allow buffer_get_int_ret/buffer_get_int64_ret to take a NULL pointer
argument to allow skipping past values in a buffer
2010-04-16 15:51:45 +10:00
a45f1c0345
openssh-5.5p1 marker
2010-04-16 15:51:34 +10:00
627337d95b
- (dtucker) [configure.ac] Put the check for the existence of getaddrinfo
...
back so we disable the IPv6 tests if we don't have it.
2010-04-10 22:58:01 +10:00
261d93a5cf
- (dtucker) [configure.ac defines.h loginrec.c logintest.c] Bug #1732 : enable
...
utmpx support on FreeBSD where possible. Patch from Ed Schouten, ok djm@
2010-04-09 18:13:27 +10:00
c4ccb12ee4
- (dtucker) [configure.ac] Bug #1744 : use pkg-config for libedit flags if we
...
have it and the path is not provided to --with-libedit. Based on a patch
from Iain Morgan.
2010-04-09 14:04:35 +10:00
537d4dcfa0
- (dtucker) [contrib/cygwin/Makefile] Don't overwrite files with the wrong
...
ones. Based on a patch from Roumen Petrov.
2010-04-09 13:35:23 +10:00
ce3754bbf3
- dtucker@cvs.openbsd.org 2010/03/26 01:06:13
...
[ssh_config.5]
Reformat default value of PreferredAuthentications entry (current
formatting implies ", " is acceptable as a separator, which it's not.
ok djm@
2010-03-26 12:09:13 +11:00
9c60f24f01
- djm@cvs.openbsd.org 2010/03/26 00:26:58
...
[ssh.1]
mention that -S none disables connection sharing; from Colin Watson
2010-03-26 11:28:35 +11:00
df08341060
- (djm) [contrib/ssh-copy-id] Don't blow up when the agent has no keys;
...
bz#1723 patch from Adeodato Simó via Colin Watson; ok dtucker@
2010-03-26 11:18:27 +11:00
ffd1eaadb0
- (dtucker) Bug #1725 : explicitly link libX11 into gnome-ssh-askpass2 using
...
pkg-config, patch from Colin Watson. Needed for newer linkers (ie gold).
2010-03-26 11:16:39 +11:00
6480c63b75
- (djm) [channels.c] Check for EPFNOSUPPORT as a socket() errno; bz#1721
...
ok dtucker@
2010-03-26 11:09:44 +11:00
8b90642fcf
- (djm) [session.c] Allow ChrootDirectory to work on SELinux platforms -
...
set up SELinux execution context before chroot() call. From Russell
Coker via Colin watson; bz#1726 ok dtucker@
2010-03-26 11:04:09 +11:00
44451d0af8
- djm@cvs.openbsd.org 2010/03/25 23:38:28
...
[servconf.c]
from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@
2010-03-26 10:40:04 +11:00
a83d90fbab
- (dtucker) [configure.ac] Bug #1741 : Add section for Haiku, patch originally
...
by Ingo Weinhold via Scott McCreary, ok djm@
2010-03-26 10:27:33 +11:00
7d09b8f8d9
- (djm) [openbsd-compat/bsd-arc4random.c] Fix preprocessor detection
...
for arc4random_buf() and arc4random_uniform(); from Josh Gilkerson
2010-03-26 08:52:02 +11:00
62131dc6e2
- (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directory
...
containing the services file explicitely case-insensitive. This allows to
tweak the Windows services file reliably. Patch from vinschen at redhat.
2010-03-24 13:03:32 +11:00
b086d4ac70
- (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
...
[contrib/suse/openssh.spec] Crank version numbers
2010-03-22 06:11:55 +11:00
13a9f7247a
- djm@cvs.openbsd.org 2010/03/16 16:36:49
...
[version.h]
crank version to openssh-5.5 since we have a few fixes since 5.4;
requested deraadt@ kettenis@
2010-03-22 05:59:22 +11:00
33334b27bc
- stevesk@cvs.openbsd.org 2010/03/16 15:46:52
...
[auth-options.c]
spelling in error message. ok djm kettenis
2010-03-22 05:59:02 +11:00
1cfbfaf4a0
- stevesk@cvs.openbsd.org 2010/03/15 19:40:02
...
[key.c key.h ssh-keygen.c]
also print certificate type (user or host) for ssh-keygen -L
ok djm kettenis
2010-03-22 05:58:24 +11:00
5a5d94b12f
- jmc@cvs.openbsd.org 2010/03/13 23:38:13
...
[ssh-keygen.1]
fix a formatting error (args need quoted); noted by stevesk
2010-03-22 05:57:49 +11:00
1b61a2825e
- djm@cvs.openbsd.org 2010/03/13 21:45:46
...
[ssh-keygen.1]
Certificates are named *-cert.pub, not *_cert.pub; committing a diff
from stevesk@ ok me
2010-03-22 05:55:06 +11:00
8ddc71c13d
- djm@cvs.openbsd.org 2010/03/13 21:10:38
...
[clientloop.c]
protocol conformance fix: send language tag when disconnecting normally;
spotted by 1.41421 AT gmail.com, ok markus@ deraadt@
2010-03-22 05:54:02 +11:00
4a5f0d325b
- markus@cvs.openbsd.org 2010/03/12 11:37:40
...
[servconf.c]
do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()
2010-03-22 05:53:04 +11:00
c4cb47bc53
- djm@cvs.openbsd.org 2010/03/12 01:06:25
...
[servconf.c]
unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@
2010-03-22 05:52:26 +11:00
e513a91195
- djm@cvs.openbsd.org 2010/03/10 23:27:17
...
[auth2-pubkey.c]
correct certificate logging and make it more consistent between
authorized_keys and TrustedCAKeys; ok markus@
2010-03-22 05:51:21 +11:00
77497e1318
- jmc@cvs.openbsd.org 2010/03/10 07:40:35
...
[ssh-keygen.1]
typos; from Ross Richardson
closes prs 6334 and 6335
2010-03-22 05:50:51 +11:00
c59e2443d3
- jmc@cvs.openbsd.org 2010/03/08 09:41:27
...
[ssh-keygen.1]
sort the list of constraints (to -O); ok djm
2010-03-22 05:50:31 +11:00
1f574b2546
- (djm) [Makefile.in] Respecify -lssh after -lopenbsd-compat for
...
ssh-pkcs11-helper to repair static builds (we do the same for
ssh-keyscan). Reported by felix-mindrot AT fefe.de
2010-03-14 08:41:34 +11:00
47f9a4106a
- (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix
...
compilation failure when !HAVE_DLOPEN. Reported by felix-mindrot
AT fefe.de
2010-03-14 08:37:49 +11:00
4e0cea82dd
- (tim) [contrib/cygwin/Makefile] Fix list of documentation files to install
...
on a Cygwin installation. Patch from Corinna Vinschen.
2010-03-11 22:35:19 -08:00
ded8fa0bc9
- (tim) [Makefile.in] Add missing $(EXEEXT) to install targets.
...
Patch from Corinna Vinschen.
2010-03-11 22:32:02 -08:00
2bde3eec69
- (tim) [openssh/Makefile.in] Now that scard is gone, no need to
...
make $(datadir)
2010-03-11 22:18:13 -08:00
fa233ba73b
- (tim) [contrib/suse/openssh.spec] crank version number here too.
...
report by imorgan AT nas.nasa.gov
2010-03-10 16:12:02 -08:00
c9fe39b1a4
- (dtucker) [configure.ac] Use a proper AC_CHECK_DECL for BROKEN_GETADDRINFO
...
so setting it in CFLAGS correctly skips IPv6 tests.
2010-03-09 20:42:30 +11:00
081c976e1c
- djm@cvs.openbsd.org 2010/03/08 00:28:55
...
[ssh-keygen.1]
document permit-agent-forwarding certificate constraint; patch from
stevesk@
2010-03-08 11:30:00 +11:00
958678726c
- (djm) Release OpenSSH-5.4p1
2010-03-08 09:50:17 +11:00
6bf31786cf
- (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
...
crank version numbers
2010-03-08 09:41:02 +11:00
3e1ee491f3
- djm@cvs.openbsd.org 2010/03/07 22:16:01
...
[ssh-keygen.c]
make internal strptime string match strftime format;
suggested by vinschen AT redhat.com and markus@
2010-03-08 09:24:11 +11:00
b3bc331e09
- (djm) OpenBSD CVS Sync
...
- djm@cvs.openbsd.org 2010/03/07 22:01:32
[version.h]
openssh-5.4
2010-03-08 09:03:33 +11:00
cd70e1b813
- dtucker@cvs.openbsd.org 2010/03/07 11:57:13
...
[auth-rhosts.c monitor.c monitor_wrap.c session.c auth-options.c sshd.c]
Hold authentication debug messages until after successful authentication.
Fixes an info leak of environment variables specified in authorized_keys,
reported by Jacob Appelbaum. ok djm@
2010-03-07 23:05:17 +11:00
ac0c4c9c1d
- (dtucker) [session.c] Also initialize creds to NULL for handing to
...
setpcred.
2010-03-07 13:32:16 +11:00
c738e6c646
- (dtucker) [session.c] Bug #1567 : move setpcred call to before chroot and
...
do not set real uid, since that's needed for the chroot, and will be set
by permanently_set_uid.
2010-03-07 13:21:12 +11:00
b3d20a3ff0
- (dtucker) [auth.c] Bug #1710 : call setauthdb on AIX before getpwuid so that
...
it gets the passwd struct from the LAM that knows about the user which is
not necessarily the default. Patch from Alexandre Letourneau.
2010-03-07 11:56:59 +11:00
5059d8d7e6
- djm@cvs.openbsd.org 2010/03/05 10:28:21
...
[ssh-add.1 ssh.1 ssh_config.5]
mention loading of certificate files from [private]-cert.pub when
they are present; feedback and ok jmc@
2010-03-05 21:31:11 +11:00
922b541329
- jmc@cvs.openbsd.org 2010/03/05 08:31:20
...
[ssh.1]
document certificate authentication; help/ok djm
2010-03-05 21:30:54 +11:00
98339054f9
- jmc@cvs.openbsd.org 2010/03/05 06:50:35
...
[ssh.1 sshd.8]
tweak previous;
2010-03-05 21:30:35 +11:00
9527f228ae
- (djm) [configure.ac] set -fno-strict-aliasing for gcc4; ok dtucker@
2010-03-05 15:04:35 +11:00
b068d0ad6d
- djm@cvs.openbsd.org 2010/03/05 02:58:11
...
[auth.c]
make the warning for a revoked key louder and more noticable
2010-03-05 14:03:03 +11:00
48b6021721
- (djm) [ssh-rand-helper.c] declare optind, avoiding compilation failure
...
on some platforms
2010-03-05 11:40:19 +11:00
689b872842
- djm@cvs.openbsd.org 2010/03/04 23:27:25
...
[auth-options.c ssh-keygen.c]
"force-command" is not spelled "forced-command"; spotted by
imorgan AT nas.nasa.gov
2010-03-05 10:42:24 +11:00
a7dab8bfe5
- djm@cvs.openbsd.org 2010/03/04 23:19:29
...
[ssh.1 sshd.8]
move section on CA and revoked keys from ssh.1 to sshd.8's known hosts
format section and rework it a bit; requested by jmc@
2010-03-05 10:42:05 +11:00
c6db99ec14
- djm@cvs.openbsd.org 2010/03/04 23:17:25
...
[sshd_config.5]
missing word; spotted by jmc@
2010-03-05 10:41:45 +11:00
8f6c337563
- jmc@cvs.openbsd.org 2010/03/04 22:52:40
...
[ssh-keygen.1]
fix Bk/Ek;
2010-03-05 10:41:26 +11:00
179eee081a
- (tim) [ssh-pkcs11.c] Fix "non-constant initializer" errors in older
...
compilers. OK djm@
2010-03-04 12:48:05 -08:00
f2b70cad75
- djm@cvs.openbsd.org 2010/03/04 20:35:08
...
[ssh-keygen.1 ssh-keygen.c]
Add a -L flag to print the contents of a certificate; ok markus@
2010-03-05 07:39:35 +11:00
72b33820af
- jmc@cvs.openbsd.org 2010/03/04 12:51:25
...
[ssh.1 sshd_config.5]
tweak previous;
2010-03-05 07:39:01 +11:00
700dcfa3e0
- djm@cvs.openbsd.org 2010/03/04 10:38:23
...
[regress/cert-hostkey.sh regress/cert-userkey.sh]
additional regression tests for revoked keys and TrustedUserCAKeys
2010-03-04 21:58:01 +11:00
017d1e777e
- djm@cvs.openbsd.org 2010/03/03 00:47:23
...
[regress/cert-hostkey.sh regress/cert-userkey.sh]
add an extra test to ensure that authentication with the wrong
certificate fails as it should (and it does)
2010-03-04 21:57:21 +11:00
1aed65eb27
- djm@cvs.openbsd.org 2010/03/04 10:36:03
...
[auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c]
[authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h]
[ssh-keygen.c ssh.1 sshconnect.c sshd_config.5]
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition than doing it per-user
in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to me revoked and banned for user or host
authentication.
feedback and ok markus@
2010-03-04 21:53:35 +11:00
2befbad9b3
- djm@cvs.openbsd.org 2010/03/04 01:44:57
...
[key.c]
use buffer_get_string_ptr_ret() where we are checking the return
value explicitly instead of the fatal()-causing buffer_get_string_ptr()
2010-03-04 21:52:18 +11:00
fe588e3c84
- djm@cvs.openbsd.org 2010/03/03 22:50:40
...
[PROTOCOL.certkeys]
s/similar same/similar/; from imorgan AT nas.nasa.gov
2010-03-04 21:52:00 +11:00
cd38c9c555
- djm@cvs.openbsd.org 2010/03/03 22:49:50
...
[sshd.8]
the authorized_keys option for CA keys is "cert-authority", not
"from=cert-authority". spotted by imorgan AT nas.nasa.gov
2010-03-04 21:51:37 +11:00
41396573af
- OpenBSD CVS Sync
...
- djm@cvs.openbsd.org 2010/03/03 01:44:36
[auth-options.c key.c]
reject strings with embedded ASCII nul chars in certificate key IDs,
principal names and constraints
2010-03-04 21:51:11 +11:00
e1abf4d6bc
- (djm) [regress/Makefile] Cleanup sshd_proxy_orig
2010-03-04 21:41:29 +11:00
d45f3b6cc7
- (djm) [.cvsignore] Ignore ssh-pkcs11-helper
2010-03-04 21:09:46 +11:00
661ffc1fd6
- (djm) [contrib/redhat/openssh.spec] Replace obsolete BuildPreReq
...
on XFree86-devel with neutral /usr/include/X11/Xlib.h;
imorgan AT nas.nasa.gov in bz#1731
2010-03-04 21:09:24 +11:00
910f209c1d
- (djm) [ssh-keygen.c] Use correct local variable, instead of
...
maybe-undefined global "optarg"
2010-03-04 14:17:22 +11:00
386dbc05e9
- (djm) [regress/cert-userkey.sh] s/echo -n/echon/ here too
2010-03-03 13:22:41 +11:00
fb84e5950e
- djm@cvs.openbsd.org 2010/03/02 23:20:57
...
[ssh-keygen.c]
POSIX strptime is stricter than OpenBSD's so do a little dance to
appease it.
2010-03-03 10:26:04 +11:00
0bd41861bb
- otto@cvs.openbsd.org 2010/03/01 11:07:06
...
[ssh-add.c]
zap what seems to be a left-over debug message; ok markus@
2010-03-03 10:25:41 +11:00
15f5b560b1
- jmc@cvs.openbsd.org 2010/02/26 22:09:28
...
[ssh-keygen.1 ssh.1 sshd.8]
tweak previous;
2010-03-03 10:25:21 +11:00
25b97dd454
- (djm) [PROTOCOL.certkeys] Add RCS Ident
2010-03-03 10:24:00 +11:00
c5b0cb3b7d
- (tim) [config.guess config.sub] Bug 1722: Update to latest versions from
...
http://git.savannah.gnu.org/gitweb/ (2009-12-30 and 2010-01-22
respectively).
2010-03-01 15:57:42 -08:00
9af0cb9acc
- (dtucker) [openbsd-compat/port-linux.c] Make failure to write to the OOM
...
adjust log at verbose only, since according to cjwatson in bug #1470
some virtualization platforms don't allow writes.
2010-03-01 15:52:49 +11:00
c614c78c53
- (dtucker) [regress/{cert-hostkey,cfgmatch,cipher-speed}.sh} Replace
...
"echo -n" with "echon" for portability.
2010-03-01 12:49:05 +11:00
bff24b8ad2
- (tim) [ssh-pkcs11-helper.c] Move declarations before calling functions
...
to make older compilers (gcc 2.95) happy.
2010-02-28 14:51:56 -08:00
acc9b29486
- (djm) [auth.c] On Cygwin, refuse usernames that have differences in
...
case from that matched in the system password database. On this
platform, passwords are stored case-insensitively, but sshd requires
exact case matching for Match blocks in sshd_config(5). Based on
a patch from vinschen AT redhat.com.
2010-03-01 04:36:54 +11:00
d05951fcee
- (djm) [openbsd-compat/bsd-cygwin_util.c] Reduce the set of environment
...
variables copied into sshd child processes. From vinschen AT redhat.com
2010-02-28 03:29:33 +11:00
09a24db2d7
- (djm) [ssh-pkcs11-helper.c ] Ensure RNG is initialised and seeded
2010-02-28 03:28:05 +11:00
58ac6de964
- djm@cvs.openbsd.org 2010/02/26 20:33:21
...
[Makefile regress/cert-hostkey.sh regress/cert-userkey.sh]
regression tests for certified keys
2010-02-27 07:57:12 +11:00
0a80ca190a
- OpenBSD CVS Sync
...
- djm@cvs.openbsd.org 2010/02/26 20:29:54
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
[auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
[hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
[myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
[ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
[sshconnect2.c sshd.8 sshd.c sshd_config.5]
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as sh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file
PROTOCOL.certkeys
feedback and ok markus@
2010-02-27 07:55:05 +11:00
d27d85d532
contrib/caldera/openssh.spec
...
contrib/redhat/openssh.spec
contrib/suse/openssh.spec
2010-02-24 18:21:45 +11:00
43001b3b3b
- (djm) [Makefile.in ssh-pkcs11-helper.8] Add manpage for PKCS#11 helper
2010-02-24 18:18:51 +11:00
cfa42d2fd2
- markus@cvs.openbsd.org 2010/02/08 10:52:47
...
[regress/agent-pkcs11.sh]
test for PKCS#11 support (currently disabled)
2010-02-24 17:31:20 +11:00
c1739211a6
- djm@cvs.openbsd.org 2010/02/24 06:21:56
...
[regress/test-exec.sh]
wait for sshd to fully stop in cleanup() function; avoids races in tests
that do multiple start_sshd/cleanup cycles; "I hate pidfiles" deraadt@
2010-02-24 17:29:34 +11:00
8f9492c90d
- djm@cvs.openbsd.org 2010/02/09 06:29:02
...
[regress/Makefile]
turn on all the malloc(3) checking options when running regression
tests. this has caught a few bugs for me in the past; ok dtucker@
2010-02-24 17:28:45 +11:00
bb4ae5583b
- djm@cvs.openbsd.org 2010/02/09 04:57:36
...
[regress/addrmatch.sh]
clean up droppings
2010-02-24 17:26:38 +11:00
0dff9c7e6d
- dtucker@cvs.openbsd.org 2010/01/11 02:53:44
...
[regress/forwarding.sh]
regress test for stdio forwarding
2010-02-24 17:25:58 +11:00
b6bd3c2ca8
- dtucker@cvs.openbsd.org 2009/11/09 04:20:04
...
[regress/Makefile]
add regression test for ssh-keygen pubkey conversions
2010-02-24 17:24:56 +11:00
a80f1404bb
- djm@cvs.openbsd.org 2010/02/11 20:37:47
...
[pathnames.h]
correct comment
2010-02-24 17:17:58 +11:00
05abd2c968
- (djm) [pkcs11.h ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
...
[ssh-pkcs11.h] Add $OpenBSD$ RCS idents so we can sync portable
2010-02-24 17:16:08 +11:00
b3c9f78711
- (djm) [configure.ac] Enable PKCS#11 support only when we find a working
...
dlopen()
2010-02-12 10:11:34 +11:00
dfa4156dbd
- (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
...
Use ssh_get_progname to fill __progname
2010-02-12 10:06:28 +11:00
8ad0fbd98e
- (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
...
Make it compile on OSX
2010-02-12 09:49:06 +11:00
d8f6002272
- (djm) [INSTALL Makefile.in README.smartcard configure.ac scard-opensc.c]
...
[scard.c scard.h pkcs11.h scard/Makefile.in scard/Ssh.bin.uu scard/Ssh.java]
Remove obsolete smartcard support
2010-02-12 09:34:22 +11:00
d400da5ba8
- jmc@cvs.openbsd.org 2010/02/11 13:23:29
...
[ssh.1]
libarary -> library;
2010-02-12 09:26:23 +11:00
a761844455
- markus@cvs.openbsd.org 2010/02/10 23:20:38
...
[ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5]
pkcs#11 is no longer optional; improve wording; ok jmc@
2010-02-12 09:26:02 +11:00
47cf16b8df
- djm@cvs.openbsd.org 2010/02/09 06:18:46
...
[auth.c]
unbreak ChrootDirectory+internal-sftp by skipping check for executable
shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
2010-02-12 09:25:29 +11:00
8922106fe9
- djm@cvs.openbsd.org 2010/02/09 03:56:28
...
[buffer.c buffer.h]
constify the arguments to buffer_len, buffer_ptr and buffer_dump
2010-02-12 09:23:40 +11:00
86cbb44d47
- djm@cvs.openbsd.org 2010/02/09 00:50:59
...
[ssh-keygen.c]
fix -Wall
2010-02-12 09:22:57 +11:00
Damien Miller
Tim Rice
Darren Tucker