Commit Graph

6671 Commits

Author SHA1 Message Date
Damien Miller 9fec296b0a - (djm) [regress/Makefile regress/integrity.sh] Make the integrity.sh test
work on platforms without 'jot'
2012-12-12 12:10:10 +11:00
Damien Miller 37834afe7b - (djm) [mac.c] fix merge botch 2012-12-12 11:00:37 +11:00
Damien Miller ec7ce9ace4 - markus@cvs.openbsd.org 2012/12/11 23:12:13
[try-ciphers.sh]
     add hmac-ripemd160-etm@openssh.com
2012-12-12 10:55:32 +11:00
Damien Miller 1fb593a3f1 - markus@cvs.openbsd.org 2012/12/11 22:42:11
[regress/Makefile regress/modpipe.c regress/integrity.sh]
     test the integrity of the packets; with djm@
2012-12-12 10:54:37 +11:00
Damien Miller 1a45b63d7b - markus@cvs.openbsd.org 2012/12/11 22:32:56
[regress/try-ciphers.sh]
     add etm modes
2012-12-12 10:52:07 +11:00
Damien Miller 74f13bdf26 - sthen@cvs.openbsd.org 2012/12/11 22:51:45
[mac.c]
     fix typo, s/tem/etm in hmac-ripemd160-tem. ok markus@
2012-12-12 10:46:53 +11:00
Damien Miller af43a7ac2d - markus@cvs.openbsd.org 2012/12/11 22:31:18
[PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h]
     [packet.c ssh_config.5 sshd_config.5]
     add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
     that change the packet format and compute the MAC over the encrypted
     message (including the packet size) instead of the plaintext data;
     these EtM modes are considered more secure and used by default.
     feedback and ok djm@
2012-12-12 10:46:31 +11:00
Damien Miller 6a1937eac5 - markus@cvs.openbsd.org 2012/12/11 22:16:21
[monitor.c]
     drain the log messages after receiving the keystate from the unpriv
     child. otherwise it might block while sending. ok djm@
2012-12-12 10:44:38 +11:00
Darren Tucker 3e1027cd1f - dtucker@cvs.openbsd.org 2012/12/07 01:51:35
[serverloop.c]
     Cast signal to int for logging.  A no-op on openbsd (they're always ints)
     but will prevent warnings in portable.  ok djm@
2012-12-07 13:07:46 +11:00
Darren Tucker 8a96522482 - markus@cvs.openbsd.org 2012/12/05 15:42:52
[ssh-add.c]
     prevent double-free of comment; ok djm@
2012-12-07 13:07:02 +11:00
Darren Tucker f9333d5246 - jmc@cvs.openbsd.org 2012/12/03 08:33:03
[ssh-add.1 sshd_config.5]
     tweak previous;
2012-12-07 13:06:13 +11:00
Darren Tucker 3dfb877046 - dtucker@cvs.openbsd.org 2012/12/06 06:06:54
[regress/keys-command.sh]
     Fix some problems with the keys-command test:
      - use string comparison rather than numeric comparison
      - check for existing KEY_COMMAND file and don't clobber if it exists
      - clean up KEY_COMMAND file if we do create it.
      - check that KEY_COMMAND is executable (which it won't be if eg /var/run
        is mounted noexec).
     ok djm.
2012-12-07 13:03:10 +11:00
Tim Rice 96ce9a1e45 20121205
- (tim) [defines.h] Some platforms are missing ULLONG_MAX. Feedback djm@.
2012-12-04 07:50:03 -08:00
Damien Miller 8b48982a56 - (djm) [configure.ac] Revert previous. configure.ac already does this
for us.
2012-12-03 12:35:55 +11:00
Damien Miller 03af12e930 - (djm) [configure.ac] Turn on -g for gcc compilers. Helps pre-installation
debugging. ok dtucker@
2012-12-03 11:55:53 +11:00
Damien Miller 55aca027ed - djm@cvs.openbsd.org 2012/12/03 00:14:06
[auth2-chall.c ssh-keygen.c]
     Fix compilation with -Wall -Werror (trivial type fixes)
2012-12-03 11:25:30 +11:00
Damien Miller 999bd2d259 - djm@cvs.openbsd.org 2012/12/02 20:47:48
[Makefile regress/forward-control.sh]
     regress for AllowTcpForwarding local/remote; ok markus@
2012-12-03 10:13:39 +11:00
Damien Miller 771c43cee6 - djm@cvs.openbsd.org 2012/11/22 22:49:30
[regress/Makefile regress/keys-command.sh]
     regress for AuthorizedKeysCommand; hints from markus@
2012-12-03 10:12:13 +11:00
Damien Miller 6618e92509 - djm@cvs.openbsd.org 2012/10/19 05:10:42
[regress/cert-userkey.sh]
     include a serial number when generating certs
2012-12-03 10:09:04 +11:00
Damien Miller fa51d8b6b2 - dtucker@cvs.openbsd.org 2012/10/05 02:20:48
[regress/cipher-speed.sh regress/try-ciphers.sh]
     Add umac-128@openssh.com to the list of MACs to be tested
2012-12-03 10:08:25 +11:00
Damien Miller d27a026ab7 - dtucker@cvs.openbsd.org 2012/10/05 02:05:30
[regress/multiplex.sh]
     Use 'kill -0' to test for the presence of a pid since it's more portable
2012-12-03 10:06:37 +11:00
Damien Miller 15b05cfa17 - djm@cvs.openbsd.org 2012/12/02 20:34:10
[auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c]
     [monitor.c monitor.h]
     Fixes logging of partial authentication when privsep is enabled
     Previously, we recorded "Failed xxx" since we reset authenticated before
     calling auth_log() in auth2.c. This adds an explcit "Partial" state.

     Add a "submethod" to auth_log() to report which submethod is used
     for keyboard-interactive.

     Fix multiple authentication when one of the methods is
     keyboard-interactive.

     ok markus@
2012-12-03 09:53:20 +11:00
Damien Miller aa5b3f8314 - djm@cvs.openbsd.org 2012/12/02 20:46:11
[auth-options.c channels.c servconf.c servconf.h serverloop.c session.c]
     [sshd_config.5]
     make AllowTcpForwarding accept "local" and "remote" in addition to its
     current "yes"/"no" to allow the server to specify whether just local or
     remote TCP forwarding is enabled. ok markus@
2012-12-03 09:50:54 +11:00
Damien Miller 33a813613a - djm@cvs.openbsd.org 2012/12/02 20:42:15
[ssh-add.1 ssh-add.c]
     make deleting explicit keys "ssh-add -d" symmetric with adding keys -
     try to delete the corresponding certificate too and respect the -k option
     to allow deleting of the key only; feedback and ok markus@
2012-12-03 09:50:24 +11:00
Damien Miller cb6b68b209 - djm@cvs.openbsd.org 2012/12/02 20:26:11
[ssh_config.5 sshconnect2.c]
     Make IdentitiesOnly apply to keys obtained from a PKCS11Provider.
     This allows control of which keys are offered from tokens using
     IdentityFile. ok markus@
2012-12-03 09:49:52 +11:00
Damien Miller cf6ef137b5 - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD to get
TAILQ_FOREACH_SAFE needed for upcoming changes.
2012-12-03 09:37:56 +11:00
Damien Miller 6f3b362fa8 - djm@cvs.openbsd.org 2012/11/14 02:32:15
[ssh-keygen.c]
     allow the full range of unsigned serial numbers; 'fine' deraadt@
2012-11-14 19:04:33 +11:00
Damien Miller 1e85469fcb - djm@cvs.openbsd.org 2012/11/14 02:24:27
[auth2-pubkey.c]
     fix username passed to helper program
     prepare stdio fds before closefrom()

     spotted by landry@
2012-11-14 19:04:02 +11:00
Damien Miller 0120c41d6b - jmc@cvs.openbsd.org 2012/09/26 17:34:38
[moduli.5]
     last stage of rfc changes, using consistent Rs/Re blocks, and moving the
     references into a STANDARDS section;
2012-11-07 08:36:00 +11:00
Damien Miller d5c3d4c0ca - eric@cvs.openbsd.org 2011/11/28 08:46:27
[moduli.5]
     fix formula
     ok djm@
2012-11-07 08:35:38 +11:00
Darren Tucker 737f7aff36 - (dtucker) [auth2-pubkey.c] wrap paths.h in an ifdef for platforms that
don't have it.  Spotted by tim@.
2012-11-05 17:07:43 +11:00
Darren Tucker f96ff18a92 - (dtucker) [uidswap.c openbsd-compat/Makefile.in
openbsd-compat/bsd-setres_id.c openbsd-compat/bsd-setres_id.h
   openbsd-compat/openbsd-compat.h]  Move the fallback code for setting uids
   and gids from uidswap.c to the compat library, which allows it to work with
   the new setresuid calls in auth2-pubkey.  with tim@, ok djm@
2012-11-05 17:04:37 +11:00
Damien Miller a6e3f01d1e - djm@cvs.openbsd.org 2012/11/04 11:09:15
[auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c]
     [sshd_config.5]
     Support multiple required authentication via an AuthenticationMethods
     option. This option lists one or more comma-separated lists of
     authentication method names. Successful completion of all the methods in
     any list is required for authentication to complete;
     feedback and ok markus@
2012-11-04 23:21:40 +11:00
Damien Miller d0d1099b3b - djm@cvs.openbsd.org 2012/11/04 10:38:43
[auth2-pubkey.c sshd.c sshd_config.5]
     Remove default of AuthorizedCommandUser. Administrators are now expected
     to explicitly specify a user. feedback and ok markus@
2012-11-04 22:23:14 +11:00
Damien Miller f33580eed0 - OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2012/10/31 08:04:50
     [sshd_config.5]
     tweak previous;
2012-11-04 22:22:52 +11:00
Damien Miller 09d3e12512 - djm@cvs.openbsd.org 2012/10/30 21:29:55
[auth-rsa.c auth.c auth.h auth2-pubkey.c servconf.c servconf.h]
     [sshd.c sshd_config sshd_config.5]
     new sshd_config option AuthorizedKeysCommand to support fetching
     authorized_keys from a command in addition to (or instead of) from
     the filesystem. The command is run as the target server user unless
     another specified via a new AuthorizedKeysCommandUser option.

     patch originally by jchadima AT redhat.com, reworked by me; feedback
     and ok markus@
2012-10-31 08:58:58 +11:00
Damien Miller 07daed505f - (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2012/10/05 12:34:39
     [sftp.c]
     fix signed vs unsigned warning; feedback & ok: djm@
2012-10-31 08:57:55 +11:00
Tim Rice c0e5cbe222 - (tim) [buildpkg.sh.in] Double up on some backslashes so they end up in
the generated file as intended.
2012-10-18 21:38:58 -07:00
Darren Tucker cc8e9ffdd1 - [Makefile.in] "Using $< in a non-suffix rule context is a GNUmake idiom" 2012-10-05 15:41:06 +10:00
Darren Tucker 50ce447ef9 - [umac.c] Enforce allowed umac output sizes. From djm@. 2012-10-05 12:11:33 +10:00
Darren Tucker ee4ad778d7 - dtucker@cvs.openbsd.org 2012/09/10 01:51:19
[regress/multiplex.sh]
     use -Ocheck and waiting for completions by PID to make multiplexing test
     less racy and (hopefully) more reliable on slow hardware.
2012-10-05 12:04:10 +10:00
Darren Tucker 9b2c0360cf - dtucker@cvs.openbsd.org 2012/09/10 00:49:21
[regress/multiplex.sh]
     Log -O cmd output to the log file and make logging consistent with the
     other tests.  Test clean shutdown of an existing channel when testing
     "stop".
2012-10-05 11:45:39 +10:00
Darren Tucker 6fc5aa8b2e - dtucker@cvs.openbsd.org 2012/09/09 11:51:25
[multiplex.sh]
     Add test for ssh -Ostop
2012-10-05 11:43:57 +10:00
Darren Tucker 189e5bad5c - dtucker@cvs.openbsd.org 2012/09/06 04:11:07
[regress/try-ciphers.sh]
     Restore missing space.  (Id sync only).
2012-10-05 11:41:52 +10:00
Darren Tucker 992faad1f1 - [Makefile umac.c] Add special-case target to build umac128.o. 2012-10-05 11:38:24 +10:00
Darren Tucker 7f93315c3a remove stray '+' from sync 2012-10-05 11:23:59 +10:00
Darren Tucker 427e409e99 - markus@cvs.openbsd.org 2012/10/04 13:21:50
[myproposal.h ssh_config.5 umac.h sshd_config.5 ssh.1 sshd.8 mac.c]
     add umac128 variant; ok djm@ at n2k12
     (note: further Makefile work is required)
2012-10-05 11:02:39 +10:00
Darren Tucker 0dc283b13a - djm@cvs.openbsd.org 2012/10/02 07:07:45
[ssh-keygen.c]
     fix -z option, broken in revision 1.215
2012-10-05 10:52:51 +10:00
Darren Tucker 3a7c04105a - naddy@cvs.openbsd.org 2012/10/01 13:59:51
[monitor_wrap.c]
     pasto; ok djm@
2012-10-05 10:51:59 +10:00
Darren Tucker 628a3fdce2 - jmc@cvs.openbsd.org 2012/09/26 16:12:13
[ssh.1]
     last stage of rfc changes, using consistent Rs/Re blocks, and moving the
     references into a STANDARDS section;
2012-10-05 10:50:15 +10:00