the estimates from NIST Special Publication 800-57, 3k bits provides security
equivalent to 128 bits which is the smallest symmetric cipher we enable by
default. ok markus@ deraadt@
OpenBSD-Commit-ID: 461dd32ebe808f88f4fc3ec74749b0e6bef2276b
Don't call OpenSSL_add_all_algorithms() unless OpenSSL actually
supports it.
Move all libcrypto initialisation to a single function, and call that
from seed_rng() that is called early in each tool's main().
Prompted by patch from Rosen Penev
- Removed #ifdef WINDOWS blocks in base code where the feature support can be conveyed by a failed POSIX API call
- Refactored password authentication code
- Other misc changes - Removed DebugBreak on Release Builds
suported by OpenSSH >= 6.5 (released January 2014), so it should be supported
by most OpenSSH versions in active use.
It is possible to convert new-format private keys to the older
format using "ssh-keygen -f /path/key -pm PEM".
ok deraadt dtucker
OpenBSD-Commit-ID: e3bd4f2509a2103bfa2f710733426af3ad6d8ab8
- Logic to support conpty (currently disabled until validation is complete)
- fdopen() and fchmod() support for file handles
- support for auto updating known_hosts via ssh and ssh-keygen
- Support for dynamic Windows-size changes with PTY
- Changes to support OneCore SDK
- Test cases
known_hosts entries in a single operation (ssh-keygen -HF hostname); bz2772
Report and fix from Anton Kremenetsky
OpenBSD-Commit-ID: ac10ca13eb9bb0bc50fcd42ad11c56c317437b58
Refuse to create a certificate with an unusable number of
principals; Prompted by gdestuynder via github
OpenBSD-Commit-ID: 8cfae2451e8f07810e3e2546dfdcce66984cbd29
fatal if we're unable to write all the public key; previously
we would silently ignore errors writing the comment and terminating newline.
Prompted by github PR from WillerZ; ok dtucker
OpenBSD-Commit-ID: 18fbfcfd4e8c6adbc84820039b64d70906e49831
Remove some #ifdef notyet code from OpenSSL 0.9.8 days.
These functions have never appeared in OpenSSL and are likely never to do
so.
"kill it with fire" djm@
OpenBSD-Commit-ID: fee9560e283fd836efc2631ef381658cc673d23e
pass negotiated signing algorithm though to
sshkey_verify() and check that the negotiated algorithm matches the type in
the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
OpenBSD-Commit-ID: 735fb15bf4adc060d3bee9d047a4bcaaa81b1af9
allow certificate validity intervals that specify only a
start or stop time (we already support specifying both or neither)
OpenBSD-Commit-ID: 9be486545603c003030bdb5c467d1318b46b4e42
When generating all hostkeys (ssh-keygen -A), clobber
existing keys if they exist but are zero length. zero-length keys could
previously be made if ssh-keygen failed part way through generating them, so
avoid that case too. bz#2561 reported by Krzysztof Cieplucha; ok dtucker@
Upstream-ID: f662201c28ab8e1f086b5d43c59cddab5ade4044
remove post-SSHv1 removal dead code from rsa.c and merge
the remaining bit that it still used into ssh-rsa.c; ok markus
Upstream-ID: ac8a048d24dcd89594b0052ea5e3404b473bfa2f
Allow ssh-keygen to use a key held in ssh-agent as a CA when
signing certificates. bz#2377 ok markus
Upstream-ID: fb42e920b592edcbb5b50465739a867c09329c8f
Refuse RSA keys <1024 bits in length. Improve reporting
for keys that do not meet this requirement. ok markus@
Upstream-ID: b385e2a7b13b1484792ee681daaf79e1e203df6c
1. Add file permission check when load or add ssh_config, authorized_keys, private keys, host keys,.
2. set the owner and ACE for create secure file, ex, private key in ssh-keygen.exe
3. Update script OpenSSHTestHelper.psm1 to be able to run Install-OpenSSH if the sshd is running on the machine.
4. add OpenSSHBinPath to path.
5. change indents in agentconfig.c
6. update test script to represent the changes
7. Add tests for:
* authorized_keys and ssh-keygen testing
* host keys file perm testing
* user private key file perm testing
* ssh-add test
* user ssh_config
allow ssh-keygen to include arbitrary string or flag
certificate extensions and critical options. ok markus@ dtucker@
Upstream-ID: 2cf28dd6c5489eb9fc136e0b667ac3ea10241646
