#
296853 |
|
14-Mar-2016 |
des |
MFS (r296781):
MFH (r296633): upgrade to 7.2p2 (fixes xauth command injection bug)
MFH (r296634): re-add aes-cbc to server-side default cipher list
MFH (r296651, r296657): fix gcc build of pam_ssh
PR: 207679 Security: CVE-2016-3115 Approved by: re (marius)
|
#
296373 |
|
04-Mar-2016 |
marius |
- Copy stable/10@296371 to releng/10.3 in preparation for 10.3-RC1 builds.
- Update newvers.sh to reflect RC1.
- Update __FreeBSD_version to reflect 10.3.
- Update default pkg(8) configuration to use the quarterly branch.
Approved by: re (implicit) |
#
295367 |
|
07-Feb-2016 |
des |
MFH (r265214, r294333, r294407, r294467): misc prop fixes
MFH (r285975, r287143): register mergeinfo for security fixes
MFH (r294497, r294498, r295139): internal documentation
MFH (r294328): upgrade to openssh 6.7p1, re-add libwrap
MFH (r294332): upgrade to openssh 6.8p1
MFH (r294367): update pam_ssh for api changes
MFH (r294909): switch usedns back on
MFH (r294336): upgrade to openssh 6.9p1
MFH (r294495): re-enable dsa keys
MFH (r294464): upgrade to openssh 7.0p1
MFH (r294496): upgrade to openssh 7.1p2
Approved by: re (gjb) Relnotes: yes
|
#
256281 |
|
10-Oct-2013 |
gjb |
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
#
236106 |
|
26-May-2012 |
des |
Passing NULL as a key causes a segfault when loading SSH 1 keys. Use an empty string instead.
|
#
227757 |
|
20-Nov-2011 |
des |
key_load_private() ignores the passphrase argument if the private key is unencrypted. This defeats the nullok check, because it means a non-null passphrase will successfully unlock the key.
To address this, try at first to load the key without a passphrase. If this succeeds and the user provided a non-empty passphrase *or* nullok is false, reject the key.
MFC after: 1 week Noticed by: Guy Helmer <guy.helmer@palisadesystems.com>
|
#
226101 |
|
07-Oct-2011 |
des |
Load the ECDSA key if there is one.
MFC after: 1 week
|
#
219426 |
|
09-Mar-2011 |
des |
No newline required.
MFC after: 2 weeks
|
#
204917 |
|
09-Mar-2010 |
des |
Upgrade to OpenSSH 5.4p1.
MFC after: 1 month
|
#
174837 |
|
21-Dec-2007 |
des |
Adjust for OpenPAM Hydrangea.
|
#
162900 |
|
30-Sep-2006 |
ru |
Fix build.
|
#
150596 |
|
26-Sep-2005 |
des |
Correct the logic for determining whether the user has already entered a password. Also, work around some harmless type pun warnings.
MFC after: 3 days
|
#
150455 |
|
22-Sep-2005 |
des |
Do not use passphraseless keys for authentication unless the nullok option was specified.
PR: bin/81231 Submitted by: "Daniel O'Connor" <doconnor@gsoft.com.au> MFC after: 3 days
|
#
150426 |
|
21-Sep-2005 |
des |
Narrow the use of user credentials. Fix one case where openpam_restore_cred() might be called twice in a row.
MFC after: 3 days
|
#
125650 |
|
10-Feb-2004 |
des |
Fix numerous constness and aliasing issues.
|
#
120231 |
|
19-Sep-2003 |
des |
Ignore ECHILD from waitpid(2) (our child may have been reaped by the calling process's SIGCHLD handler)
PR: bin/45669
|
#
110653 |
|
10-Feb-2003 |
des |
Use pam_get_user(3) instead of pam_get_item(3) where appropriate.
|
#
110598 |
|
09-Feb-2003 |
des |
Complete rewrite of pam_ssh(8). The previous version was becoming hard to maintain, and had security issues which would have required a major rewrite to address anyway.
This implementation currently starts a separate agent for each session instead of connecting each new session to the agent started by the first one. While this would be a Good Thing (and the old pam_ssh(8) tried to do it), it's hard to get right. I'll revisit this issue when I've had a chance to test some modifications to ssh-agent(1).
|
#
107934 |
|
16-Dec-2002 |
des |
Merge in most non-style differences from Andrew Korty's pam_ssh 1.7.
|
#
94564 |
|
12-Apr-2002 |
des |
Major cleanup:
- add __unused where appropriate
- PAM_RETURN -> return since OpenPAM already logs the return value.
- make PAM_LOG use openpam_log()
- make PAM_VERBOSE_ERROR use openpam_get_option() and check flags for PAM_SILENT
- remove dummy functions since OpenPAM handles missing service functions
- fix various warnings
Sponsored by: DARPA, NAI Labs
|
#
94217 |
|
08-Apr-2002 |
des |
Remove debugging code that was inadvertently brought in by previous commit.
|
#
94216 |
|
08-Apr-2002 |
des |
Use OpenPAM's credential switching functions.
Sponsored by: DARPA, NAI Labs
|
#
93984 |
|
06-Apr-2002 |
des |
Aggressive cleanup of warnings + authtok-related code in preparation for PAMifying passwd(1).
Sponsored by: DARPA, NAI Labs.
|
#
93907 |
|
05-Apr-2002 |
des |
Remove some duplicate free()s and add some that were missing.
Submitted by: tmm
|
#
93875 |
|
05-Apr-2002 |
des |
pam_get_pass() -> pam_get_authtok()
|
#
93804 |
|
04-Apr-2002 |
des |
Upgrade to something quite close, but not identical, to version 1.6 of Andrew Korty's pam_ssh. The most notable difference is that this uses commas rather than colons to separate items in the "keyfiles" option.
Sponsored by: DARPA, NAI Labs
|
#
92297 |
|
14-Mar-2002 |
des |
NAI DBA update.
|
#
91714 |
|
05-Mar-2002 |
des |
Switch to OpenPAM. Bump library version. Modules are now versioned, so applications linked with Linux-PAM will still work. Remove pam_get_pass(); OpenPAM has pam_get_authtok(). Remove pam_prompt(); OpenPAM has pam_{,v}{error,info,prompt}(). Remove pam_set_item(3) man page as OpenPAM has its own.
Sponsored by: DARPA, NAI Labs
|
#
90229 |
|
05-Feb-2002 |
des |
#include cleanup.
Sponsored by: DARPA, NAI Labs
|
#
90195 |
|
04-Feb-2002 |
des |
ssh_get_authentication_connection() gets its parameters from environment variables, so temporarily switch to the PAM environment before calling it.
Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
|
#
89760 |
|
24-Jan-2002 |
markm |
WARNS=4 fixes. Protect with NO_WERROR for the modules that have warnings that are hard to fix or that I've been asked to leave alone.
|
#
89753 |
|
24-Jan-2002 |
des |
PAM modules shouldn't call putenv(); pam_putenv() is sufficient. The caller is supposed to check the PAM envlist and export the variables it contains; if it doesn't, it's broken.
Sponsored by: DARPA, NAI Labs
|
#
89703 |
|
23-Jan-2002 |
ru |
Make libssh.so useable (undefined reference to IPv4or6).
Reviewed by: des, markm Approved by: markm
|
#
87564 |
|
09-Dec-2001 |
des |
Back out previous commit.
Requested by: ru
|
#
87488 |
|
07-Dec-2001 |
des |
Get pam_mod_misc.h from .CURDIR rather than .OBJDIR or /usr/include.
Sponsored by: DARPA, NAI Labs
|
#
87398 |
|
05-Dec-2001 |
des |
Add dummy functions for all module types. These dummies return PAM_IGNORE rather than PAM_SUCCESS, so you'll get a failure if you list dummies but no real modules for a particular module chain.
Sponsored by: DARPA, NAI Labs
|
#
87098 |
|
29-Nov-2001 |
green |
Fix pam_ssh by adding an IPv4or6 (evidently, this was broken by my last OpenSSH import) declaration and strdup(3)ing a value which is later free(3)d, rather than letting the system try to free it invalidly.
|
#
84218 |
|
30-Sep-2001 |
dillon |
Add __FBSDID()s to libpam
|
#
81527 |
|
11-Aug-2001 |
markm |
Fix:
/usr/src/lib/libpam/modules/pam_ssh/pam_ssh.c has a couple of bugs which cause:
1) xdm dumps core
2) ssh1 private key is not passed to ssh-agent
3) ssh2 RSA key seems not handled properly (just a guess from source)
4) ssh_get_authentication_connection() fails to get connection because of SSH_AUTH_SOCK not defined.
PR: 29609 Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
|
#
81476 |
|
10-Aug-2001 |
markm |
Code clean up; make logging same as other modules and fix warnings.
|
#
81143 |
|
04-Aug-2001 |
markm |
Fix style/consistency in Makefile and repair static module building.
Submitted by: bde(partially)
|
#
81036 |
|
02-Aug-2001 |
markm |
Repair the get/set UID() stuff so this works in both su(1) and login(1) modes.
|
#
80542 |
|
29-Jul-2001 |
markm |
(Re)Add an SSH module for PAM, heavily based on Andrew Korty's module from ports.
|
#
69590 |
|
05-Dec-2000 |
green |
Forgot to remove the old line in the last commit.
|
#
69130 |
|
25-Nov-2000 |
green |
In env_destroy(), it is a bad idea to env_swap(self, 0) to switch back to the original environ unconditionally. The setting of the variable to save the previous environ is conditional; it happens when ENV.e_committed is set. Therefore, don't try to swap the env back unless the previous env has been initialized.
PR: bin/22670 Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
|
#
69129 |
|
25-Nov-2000 |
billf |
Correct an argument to ssh_add_identity, this matches what is currently in ports/security/openssh/files/pam_ssh.c
PR: 22164 Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp> Reviewed by: green Approved by: green
|
#
61087 |
|
30-May-2000 |
kris |
Update to the version of pam_ssh corresponding to OpenSSH 2.1 (taken from the openssh port)
Submitted by: Hajimu UMEMOTO <ume@mahoroba.org>
|
#
60938 |
|
26-May-2000 |
jake |
Back out the previous change to the queue(3) interface. It was not discussed and should probably not happen.
Requested by: msmith and others
|
#
60833 |
|
23-May-2000 |
jake |
Change the way that the queue(3) structures are declared; don't assume that the type argument to *_HEAD and *_ENTRY is a struct.
Suggested by: phk Reviewed by: phk Approved by: mdodd
|
#
58772 |
|
29-Mar-2000 |
kris |
Fix a memory leak.
PR: 17360 Submitted by: Andrew J. Korty <ajk@iu.edu>
|
#
57496 |
|
26-Feb-2000 |
peter |
Redo this with a repo copy from the original file and reset the __PREFIX__ markers.
|
#
55166 |
|
28-Dec-1999 |
green |
Upgrade to the pam_ssh module, version 1.1.
(From the author:) Primarily, I have added built-in functions for manipulating the environment, so putenv() is no longer used. XDM and its variants should now work without modification. Note that the new code uses the macros in <sys/queue.h>.
Submitted by: Andrew J. Korty <ajk@iu.edu>
|
#
53874 |
|
29-Nov-1999 |
green |
Add the PAM SSH RSA key authentication module. For example, you can add, "login auth sufficient pam_ssh.so" to your /etc/pam.conf, and users with a ~/.ssh/identity can login(1) with their SSH key :)
PR: 15158 Submitted by: Andrew J. Korty <ajk@waterspout.com> Reviewed by: obrien
|