#
1.161 |
|
17-May-2024 |
djm |
Start the process of splitting sshd into separate binaries. This step splits sshd into a listener and a session binary. More splits are planned.
After this change, the listener binary will validate the configuration, load the hostkeys, listen on port 22 and manage MaxStartups only. All session handling will be performed by a new sshd-session binary that the listener fork+execs.
This reduces the listener process to the minimum necessary and sets us up for future work on the sshd-session binary.
feedback/ok markus@ deraadt@
NB. if you're updating via source, please restart sshd after installing, otherwise you run the risk of locking yourself out.
|
Revision tags: OPENBSD_7_3_BASE OPENBSD_7_4_BASE OPENBSD_7_5_BASE
|
#
1.160 |
|
05-Mar-2023 |
dtucker |
Remove unused compat.h includes. We've previously removed a lot of the really old compatibility code, and with it went the need to include compat.h in most of the files that have it.
|
#
1.159 |
|
09-Dec-2022 |
dtucker |
Add some server debugging for hostbased auth.
auth_debug_add queues messages about the auth process which are sent to the client after successful authentication. This also sends those to the server debug log to aid in debugging. From bz#3507, ok djm@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.158 |
|
03-Jun-2022 |
djm |
move auth_openprincipals() and auth_openkeyfile() over to auth2-pubkeyfile.c too; they make more sense there.
|
#
1.157 |
|
27-May-2022 |
djm |
split the low-level file handling functions out from auth2-pubkey.c
Put them in a new auth2-pubkeyfile.c to make it easier to refer to them (e.g. in unit/fuzz tests) without having to refer to everything else pubkey auth brings in.
ok dtucker@
|
#
1.156 |
|
27-May-2022 |
djm |
refactor authorized_keys/principals handling
remove "struct ssh *" from arguments - this was only used to pass the remote host/address. These can be passed in instead and the resulting code is less tightly coupled to ssh_api.[ch]
ok dtucker@
|
#
1.155 |
|
26-Apr-2022 |
dtucker |
Check sshauthopt_new() for NULL. bz#3425, from tessgauthier at microsoft.com. ok djm@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.154 |
|
23-Feb-2022 |
djm |
randomise the password used in fakepw
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.153 |
|
05-Jul-2021 |
dtucker |
Remove comment referencing now-removed RhostsRSAAuthentication. ok djm@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.152 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.151 |
|
22-Dec-2020 |
djm |
move subprocess() from auth.c to misc.c
make privilege dropping optional but allow it via callbacks (to avoid need to link uidswap.c everywhere)
add some other flags (keep environment, disable strict path safety check) that make this more useful for client-side use.
feedback & ok markus@
|
#
1.150 |
|
20-Dec-2020 |
djm |
load_hostkeys()/hostkeys_foreach() variants for FILE*
Add load_hostkeys_file() and hostkeys_foreach_file() that accept a FILE* argument instead of opening the file directly.
Original load_hostkeys() and hostkeys_foreach() are implemented using these new interfaces.
Add a u_int note field to the hostkey_entry and hostkey_foreach_line structs that is passed directly from the load_hostkeys() and hostkeys_foreach() call. This is a lightweight way to annotate results between different invocations of load_hostkeys().
ok markus@
|
#
1.149 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.148 |
|
16-Oct-2020 |
djm |
LogVerbose keyword for ssh and sshd
Allows forcing maximum debug logging by file/function/line pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.147 |
|
27-Aug-2020 |
djm |
branches: 1.147.4; support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.146 |
|
31-Jan-2020 |
djm |
Add a sshd_config "Include" directive to allow inclusion of files. This has sensible semantics wrt Match blocks and accepts glob(3) patterns to specify the included files. Based on patch by Jakub Jelen in bz2468; feedback and ok markus@
|
#
1.145 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.144 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
#
1.143 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.142 |
|
16-Oct-2019 |
djm |
potential NULL dereference for revoked hostkeys; reported by krishnaiah bommu
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.141 |
|
02-Oct-2019 |
djm |
remove some duplicate #includes
|
#
1.140 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.139 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.138 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.137 |
|
19-Jan-2019 |
djm |
convert servconf.c to new packet API
with & ok markus@
|
#
1.136 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.135 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
#
1.134 |
|
16-Nov-2018 |
djm |
use path_absolute() for pathname checks; from Manoj Ampalam
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.133 |
|
12-Sep-2018 |
djm |
log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint).
ok markus@
|
#
1.132 |
|
11-Jul-2018 |
martijn |
s/wuth/with/ in comment
|
#
1.131 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348 . Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
    AllowTcpForwarding yes
    Match User anoncvs
    AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change match.c must not use compress.c (via canonhost.c/packet.c) thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e.
    Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
    Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.138 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.137 |
|
19-Jan-2019 |
djm |
convert servconf.c to new packet API
with & ok markus@
|
#
1.136 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.135 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
#
1.134 |
|
16-Nov-2018 |
djm |
use path_absolute() for pathname checks; from Manoj Ampalam
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.133 |
|
12-Sep-2018 |
djm |
log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint).
ok markus@
|
#
1.132 |
|
11-Jul-2018 |
martijn |
s/wuth/with/ in comment
|
#
1.131 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled.
Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another is specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348. Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH
unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
    AllowTcpForwarding yes
    Match User anoncvs
        AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e.
    Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
    Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348 . Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH
unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
    AllowTcpForwarding yes
    Match User anoncvs
        AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e.
    Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
    Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
#
1.158 |
|
03-Jun-2022 |
djm |
move auth_openprincipals() and auth_openkeyfile() over to auth2-pubkeyfile.c too; they make more sense there.
|
#
1.157 |
|
27-May-2022 |
djm |
split the low-level file handling functions out from auth2-pubkey.c
Put them in a new auth2-pubkeyfile.c to make it easier to refer to them (e.g. in unit/fuzz tests) without having to refer to everything else pubkey auth brings in.
ok dtucker@
|
#
1.156 |
|
27-May-2022 |
djm |
refactor authorized_keys/principals handling
remove "struct ssh *" from arguments - this was only used to pass the remote host/address. These can be passed in instead and the resulting code is less tightly coupled to ssh_api.[ch]
ok dtucker@
|
#
1.155 |
|
26-Apr-2022 |
dtucker |
Check sshauthopt_new() for NULL. bz#3425, from tessgauthier at microsoft.com. ok djm@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.154 |
|
23-Feb-2022 |
djm |
randomise the password used in fakepw
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.153 |
|
05-Jul-2021 |
dtucker |
Remove comment referencing now-removed RhostsRSAAuthentication. ok djm@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.152 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.151 |
|
22-Dec-2020 |
djm |
move subprocess() from auth.c to misc.c
make privilege dropping optional but allow it via callbacks (to avoid need to link uidswap.c everywhere)
add some other flags (keep environment, disable strict path safety check) that make this more useful for client-side use.
feedback & ok markus@
|
#
1.150 |
|
20-Dec-2020 |
djm |
load_hostkeys()/hostkeys_foreach() variants for FILE*
Add load_hostkeys_file() and hostkeys_foreach_file() that accept a FILE* argument instead of opening the file directly.
Original load_hostkeys() and hostkeys_foreach() are implemented using these new interfaces.
Add a u_int note field to the hostkey_entry and hostkey_foreach_line structs that is passed directly from the load_hostkeys() and hostkeys_foreach() call. This is a lightweight way to annotate results between different invocations of load_hostkeys().
ok markus@
|
#
1.149 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.148 |
|
16-Oct-2020 |
djm |
LogVerbose keyword for ssh and sshd
Allows forcing maximum debug logging by file/function/line pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.147 |
|
27-Aug-2020 |
djm |
branches: 1.147.4; support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.146 |
|
31-Jan-2020 |
djm |
Add a sshd_config "Include" directive to allow inclusion of files. This has sensible semantics wrt Match blocks and accepts glob(3) patterns to specify the included files. Based on patch by Jakub Jelen in bz2468; feedback and ok markus@
|
#
1.145 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.144 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
#
1.143 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.142 |
|
16-Oct-2019 |
djm |
potential NULL dereference for revoked hostkeys; reported by krishnaiah bommu
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.141 |
|
02-Oct-2019 |
djm |
remove some duplicate #includes
|
#
1.140 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.139 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.138 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.137 |
|
19-Jan-2019 |
djm |
convert servconf.c to new packet API
with & ok markus@
|
#
1.136 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.135 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
#
1.134 |
|
16-Nov-2018 |
djm |
use path_absolute() for pathname checks; from Manoj Ampalam
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.133 |
|
12-Sep-2018 |
djm |
log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint).
ok markus@
|
#
1.132 |
|
11-Jul-2018 |
martijn |
s/wuth/with/ in comment
|
#
1.131 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348. Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
    AllowTcpForwarding yes
    Match User anoncvs
    AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change match.c must not use compress.c (via canonhost.c/packet.c) thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e. Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2 becomes Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
#
1.157 |
|
27-May-2022 |
djm |
split the low-level file handling functions out from auth2-pubkey.c
Put them in a new auth2-pubkeyfile.c to make it easier to refer to them (e.g. in unit/fuzz tests) without having to refer to everything else pubkey auth brings in.
ok dtucker@
|
#
1.156 |
|
27-May-2022 |
djm |
refactor authorized_keys/principals handling
remove "struct ssh *" from arguments - this was only used to pass the remote host/address. These can be passed in instead and the resulting code is less tightly coupled to ssh_api.[ch]
ok dtucker@
|
#
1.155 |
|
26-Apr-2022 |
dtucker |
Check sshauthopt_new() for NULL. bz#3425, from tessgauthier at microsoft.com. ok djm@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.154 |
|
23-Feb-2022 |
djm |
randomise the password used in fakepw
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.153 |
|
05-Jul-2021 |
dtucker |
Remove comment referencing now-removed RhostsRSAAuthentication. ok djm@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.152 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.151 |
|
22-Dec-2020 |
djm |
move subprocess() from auth.c to misc.c
make privilege dropping optional but allow it via callbacks (to avoid need to link uidswap.c everywhere)
add some other flags (keep environment, disable strict path safety check) that make this more useful for client-side use.
feedback & ok markus@
|
#
1.150 |
|
20-Dec-2020 |
djm |
load_hostkeys()/hostkeys_foreach() variants for FILE*
Add load_hostkeys_file() and hostkeys_foreach_file() that accept a FILE* argument instead of opening the file directly.
Original load_hostkeys() and hostkeys_foreach() are implemented using these new interfaces.
Add a u_int note field to the hostkey_entry and hostkey_foreach_line structs that is passed directly from the load_hostkeys() and hostkeys_foreach() call. This is a lightweight way to annotate results between different invocations of load_hostkeys().
ok markus@
|
#
1.149 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.148 |
|
16-Oct-2020 |
djm |
LogVerbose keyword for ssh and sshd
Allows forcing maximum debug logging by file/function/line pattern- lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.147 |
|
27-Aug-2020 |
djm |
branches: 1.147.4; support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.146 |
|
31-Jan-2020 |
djm |
Add a sshd_config "Include" directive to allow inclusion of files. This has sensible semantics wrt Match blocks and accepts glob(3) patterns to specify the included files. Based on patch by Jakub Jelen in bz2468; feedback and ok markus@
|
#
1.145 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.144 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
#
1.143 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.142 |
|
16-Oct-2019 |
djm |
potential NULL dereference for revoked hostkeys; reported by krishnaiah bommu
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.141 |
|
02-Oct-2019 |
djm |
remove some duplicate #includes
|
#
1.140 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.139 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.138 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.137 |
|
19-Jan-2019 |
djm |
convert servconf.c to new packet API
with & ok markus@
|
#
1.136 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.135 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
#
1.134 |
|
16-Nov-2018 |
djm |
use path_absolute() for pathname checks; from Manoj Ampalam
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.133 |
|
12-Sep-2018 |
djm |
log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint).
ok markus@
|
#
1.132 |
|
11-Jul-2018 |
martijn |
s/wuth/with/ in comment
|
#
1.131 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonymn for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entierly :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348. Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH
unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
    AllowTcpForwarding yes
    Match User anoncvs
        AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change match.c must not use compress.c (via canonhost.c/packet.c) thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e.
    Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
    Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
#
1.155 |
|
26-Apr-2022 |
dtucker |
Check sshauthopt_new() for NULL. bz#3425, from tessgauthier at microsoft.com. ok djm@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.154 |
|
23-Feb-2022 |
djm |
randomise the password used in fakepw
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.153 |
|
05-Jul-2021 |
dtucker |
Remove comment referencing now-removed RhostsRSAAuthentication. ok djm@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.152 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.151 |
|
22-Dec-2020 |
djm |
move subprocess() from auth.c to misc.c
make privilege dropping optional but allow it via callbacks (to avoid need to link uidswap.c everywhere)
add some other flags (keep environment, disable strict path safety check) that make this more useful for client-side use.
feedback & ok markus@
|
#
1.150 |
|
20-Dec-2020 |
djm |
load_hostkeys()/hostkeys_foreach() variants for FILE*
Add load_hostkeys_file() and hostkeys_foreach_file() that accept a FILE* argument instead of opening the file directly.
Original load_hostkeys() and hostkeys_foreach() are implemented using these new interfaces.
Add a u_int note field to the hostkey_entry and hostkey_foreach_line structs that is passed directly from the load_hostkeys() and hostkeys_foreach() call. This is a lightweight way to annotate results between different invocations of load_hostkeys().
ok markus@
|
#
1.149 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.148 |
|
16-Oct-2020 |
djm |
LogVerbose keyword for ssh and sshd
Allows forcing maximum debug logging by file/function/line pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.147 |
|
27-Aug-2020 |
djm |
branches: 1.147.4; support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.146 |
|
31-Jan-2020 |
djm |
Add a sshd_config "Include" directive to allow inclusion of files. This has sensible semantics wrt Match blocks and accepts glob(3) patterns to specify the included files. Based on patch by Jakub Jelen in bz2468; feedback and ok markus@
|
#
1.145 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.144 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
#
1.143 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.142 |
|
16-Oct-2019 |
djm |
potential NULL dereference for revoked hostkeys; reported by krishnaiah bommu
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.141 |
|
02-Oct-2019 |
djm |
remove some duplicate #includes
|
#
1.140 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.139 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.138 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.137 |
|
19-Jan-2019 |
djm |
convert servconf.c to new packet API
with & ok markus@
|
#
1.136 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.135 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
#
1.134 |
|
16-Nov-2018 |
djm |
use path_absolute() for pathname checks; from Manoj Ampalam
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.133 |
|
12-Sep-2018 |
djm |
log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint).
ok markus@
|
#
1.132 |
|
11-Jul-2018 |
martijn |
s/wuth/with/ in comment
|
#
1.131 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348. Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH
unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
    AllowTcpForwarding yes
    Match User anoncvs
        AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change; match.c must not use compress.c (via canonhost.c/packet.c); thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e.
    Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
    Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
#
1.154 |
|
23-Feb-2022 |
djm |
randomise the password used in fakepw
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.153 |
|
05-Jul-2021 |
dtucker |
Remove comment referencing now-removed RhostsRSAAuthentication. ok djm@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.152 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.151 |
|
22-Dec-2020 |
djm |
move subprocess() from auth.c to misc.c
make privilege dropping optional but allow it via callbacks (to avoid need to link uidswap.c everywhere)
add some other flags (keep environment, disable strict path safety check) that make this more useful for client-side use.
feedback & ok markus@
|
#
1.150 |
|
20-Dec-2020 |
djm |
load_hostkeys()/hostkeys_foreach() variants for FILE*
Add load_hostkeys_file() and hostkeys_foreach_file() that accept a FILE* argument instead of opening the file directly.
Original load_hostkeys() and hostkeys_foreach() are implemented using these new interfaces.
Add a u_int note field to the hostkey_entry and hostkey_foreach_line structs that is passed directly from the load_hostkeys() and hostkeys_foreach() call. This is a lightweight way to annotate results between different invocations of load_hostkeys().
ok markus@
|
#
1.149 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.148 |
|
16-Oct-2020 |
djm |
LogVerbose keyword for ssh and sshd
Allows forcing maximum debug logging by file/function/line pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.147 |
|
27-Aug-2020 |
djm |
branches: 1.147.4; support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.146 |
|
31-Jan-2020 |
djm |
Add a sshd_config "Include" directive to allow inclusion of files. This has sensible semantics wrt Match blocks and accepts glob(3) patterns to specify the included files. Based on patch by Jakub Jelen in bz2468; feedback and ok markus@
|
#
1.145 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.144 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
#
1.143 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.142 |
|
16-Oct-2019 |
djm |
potential NULL dereference for revoked hostkeys; reported by krishnaiah bommu
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.141 |
|
02-Oct-2019 |
djm |
remove some duplicate #includes
|
#
1.140 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.139 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.138 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.137 |
|
19-Jan-2019 |
djm |
convert servconf.c to new packet API
with & ok markus@
|
#
1.136 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.135 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
#
1.134 |
|
16-Nov-2018 |
djm |
use path_absolute() for pathname checks; from Manoj Ampalam
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.133 |
|
12-Sep-2018 |
djm |
log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint).
ok markus@
|
#
1.132 |
|
11-Jul-2018 |
martijn |
s/wuth/with/ in comment
|
#
1.131 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348. Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH
unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files"; ok djm, sort of ok stevesk; makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
    AllowTcpForwarding yes
    Match User anoncvs
        AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() allways call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change match.c must not use compress.c (via canonhost.c/packet.c) thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e. Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2 becomes Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
#
1.153 |
|
05-Jul-2021 |
dtucker |
Remove comment referencing now-removed RhostsRSAAuthentication. ok djm@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.152 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.151 |
|
22-Dec-2020 |
djm |
move subprocess() from auth.c to misc.c
make privilege dropping optional but allow it via callbacks (to avoid need to link uidswap.c everywhere)
add some other flags (keep environment, disable strict path safety check) that make this more useful for client-side use.
feedback & ok markus@
|
#
1.150 |
|
20-Dec-2020 |
djm |
load_hostkeys()/hostkeys_foreach() variants for FILE*
Add load_hostkeys_file() and hostkeys_foreach_file() that accept a FILE* argument instead of opening the file directly.
Original load_hostkeys() and hostkeys_foreach() are implemented using these new interfaces.
Add a u_int note field to the hostkey_entry and hostkey_foreach_line structs that is passed directly from the load_hostkeys() and hostkeys_foreach() call. This is a lightweight way to annotate results between different invocations of load_hostkeys().
ok markus@
|
#
1.149 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.148 |
|
16-Oct-2020 |
djm |
LogVerbose keyword for ssh and sshd
Allows forcing maximum debug logging by file/function/line pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.147 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.146 |
|
31-Jan-2020 |
djm |
Add a sshd_config "Include" directive to allow inclusion of files. This has sensible semantics wrt Match blocks and accepts glob(3) patterns to specify the included files. Based on patch by Jakub Jelen in bz2468; feedback and ok markus@
|
#
1.145 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.144 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
#
1.143 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.142 |
|
16-Oct-2019 |
djm |
potential NULL dereference for revoked hostkeys; reported by krishnaiah bommu
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.141 |
|
02-Oct-2019 |
djm |
remove some duplicate #includes
|
#
1.140 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.139 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.138 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.137 |
|
19-Jan-2019 |
djm |
convert servconf.c to new packet API
with & ok markus@
|
#
1.136 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.135 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
#
1.134 |
|
16-Nov-2018 |
djm |
use path_absolute() for pathname checks; from Manoj Ampalam
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.133 |
|
12-Sep-2018 |
djm |
log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint).
ok markus@
|
#
1.132 |
|
11-Jul-2018 |
martijn |
s/wuth/with/ in comment
|
#
1.131 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another is specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348 . Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
    AllowTcpForwarding yes
    Match User anoncvs
    AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change match.c must not use compress.c (via canonhost.c/packet.c) thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another is specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348 . Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH
unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
    AllowTcpForwarding yes
    Match User anoncvs
        AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e.
    Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
    Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
#
1.151 |
|
22-Dec-2020 |
djm |
move subprocess() from auth.c to misc.c
make privilege dropping optional but allow it via callbacks (to avoid need to link uidswap.c everywhere)
add some other flags (keep environment, disable strict path safety check) that make this more useful for client-side use.
feedback & ok markus@
|
#
1.150 |
|
20-Dec-2020 |
djm |
load_hostkeys()/hostkeys_foreach() variants for FILE*
Add load_hostkeys_file() and hostkeys_foreach_file() that accept a FILE* argument instead of opening the file directly.
Original load_hostkeys() and hostkeys_foreach() are implemented using these new interfaces.
Add a u_int note field to the hostkey_entry and hostkey_foreach_line structs that is passed directly from the load_hostkeys() and hostkeys_foreach() call. This is a lightweight way to annotate results between different invocations of load_hostkeys().
ok markus@
|
#
1.149 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.148 |
|
16-Oct-2020 |
djm |
LogVerbose keyword for ssh and sshd
Allows forcing maximum debug logging by file/function/line pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.147 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.146 |
|
31-Jan-2020 |
djm |
Add a sshd_config "Include" directive to allow inclusion of files. This has sensible semantics wrt Match blocks and accepts glob(3) patterns to specify the included files. Based on patch by Jakub Jelen in bz2468; feedback and ok markus@
|
#
1.145 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.144 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
#
1.143 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.142 |
|
16-Oct-2019 |
djm |
potential NULL dereference for revoked hostkeys; reported by krishnaiah bommu
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.141 |
|
02-Oct-2019 |
djm |
remove some duplicate #includes
|
#
1.140 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.139 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.138 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.137 |
|
19-Jan-2019 |
djm |
convert servconf.c to new packet API
with & ok markus@
|
#
1.136 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.135 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
#
1.134 |
|
16-Nov-2018 |
djm |
use path_absolute() for pathname checks; from Manoj Ampalam
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.133 |
|
12-Sep-2018 |
djm |
log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint).
ok markus@
|
#
1.132 |
|
11-Jul-2018 |
martijn |
s/wuth/with/ in comment
|
#
1.131 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another is specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348. Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
AllowTcpForwarding yes
Match User anoncvs
    AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
#
1.150 |
|
20-Dec-2020 |
djm |
load_hostkeys()/hostkeys_foreach() variants for FILE*
Add load_hostkeys_file() and hostkeys_foreach_file() that accept a FILE* argument instead of opening the file directly.
Original load_hostkeys() and hostkeys_foreach() are implemented using these new interfaces.
Add a u_int note field to the hostkey_entry and hostkey_foreach_line structs that is passed directly from the load_hostkeys() and hostkeys_foreach() call. This is a lightweight way to annotate results between different invocations of load_hostkeys().
ok markus@
|
#
1.149 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.148 |
|
16-Oct-2020 |
djm |
LogVerbose keyword for ssh and sshd
Allows forcing maximum debug logging by file/function/line pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.147 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.146 |
|
31-Jan-2020 |
djm |
Add a sshd_config "Include" directive to allow inclusion of files. This has sensible semantics wrt Match blocks and accepts glob(3) patterns to specify the included files. Based on patch by Jakub Jelen in bz2468; feedback and ok markus@
|
#
1.145 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.144 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
#
1.143 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.142 |
|
16-Oct-2019 |
djm |
potential NULL dereference for revoked hostkeys; reported by krishnaiah bommu
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.141 |
|
02-Oct-2019 |
djm |
remove some duplicate #includes
|
#
1.140 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.139 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.138 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.137 |
|
19-Jan-2019 |
djm |
convert servconf.c to new packet API
with & ok markus@
|
#
1.136 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.135 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
#
1.134 |
|
16-Nov-2018 |
djm |
use path_absolute() for pathname checks; from Manoj Ampalam
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.133 |
|
12-Sep-2018 |
djm |
log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint).
ok markus@
|
#
1.132 |
|
11-Jul-2018 |
martijn |
s/wuth/with/ in comment
|
#
1.131 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another is specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348. Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, e.g.
    AllowTcpForwarding yes
    Match User anoncvs
    AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change match.c must not use compress.c (via canonhost.c/packet.c) thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e.
    Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
    Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
#
1.149 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.148 |
|
16-Oct-2020 |
djm |
LogVerbose keyword for ssh and sshd
Allows forcing maximum debug logging by file/function/line pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.147 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.146 |
|
31-Jan-2020 |
djm |
Add a sshd_config "Include" directive to allow inclusion of files. This has sensible semantics wrt Match blocks and accepts glob(3) patterns to specify the included files. Based on patch by Jakub Jelen in bz2468; feedback and ok markus@
|
#
1.145 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.144 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
#
1.143 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.142 |
|
16-Oct-2019 |
djm |
potential NULL dereference for revoked hostkeys; reported by krishnaiah bommu
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.141 |
|
02-Oct-2019 |
djm |
remove some duplicate #includes
|
#
1.140 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.139 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.138 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.137 |
|
19-Jan-2019 |
djm |
convert servconf.c to new packet API
with & ok markus@
|
#
1.136 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.135 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
#
1.134 |
|
16-Nov-2018 |
djm |
use path_absolute() for pathname checks; from Manoj Ampalam
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.133 |
|
12-Sep-2018 |
djm |
log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint).
ok markus@
|
#
1.132 |
|
11-Jul-2018 |
martijn |
s/wuth/with/ in comment
|
#
1.131 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another is specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition than doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to me revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/mispellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348 . Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
AllowTcpForwarding yes Match User anoncvs AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() allways call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change. match.c must not use compress.c (via canonhost.c/packet.c). thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e. Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2 becomes Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
#
1.147 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.146 |
|
31-Jan-2020 |
djm |
Add a sshd_config "Include" directive to allow inclusion of files. This has sensible semantics wrt Match blocks and accepts glob(3) patterns to specify the included files. Based on patch by Jakub Jelen in bz2468; feedback and ok markus@
|
#
1.145 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.144 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
#
1.143 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.142 |
|
16-Oct-2019 |
djm |
potential NULL dereference for revoked hostkeys; reported by krishnaiah bommu
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.141 |
|
02-Oct-2019 |
djm |
remove some duplicate #includes
|
#
1.140 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.139 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.138 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.137 |
|
19-Jan-2019 |
djm |
convert servconf.c to new packet API
with & ok markus@
|
#
1.136 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.135 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
#
1.134 |
|
16-Nov-2018 |
djm |
use path_absolute() for pathname checks; from Manoj Ampalam
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.133 |
|
12-Sep-2018 |
djm |
log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint).
ok markus@
|
#
1.132 |
|
11-Jul-2018 |
martijn |
s/wuth/with/ in comment
|
#
1.131 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another is specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348. Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
    AllowTcpForwarding yes
    Match User anoncvs
        AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change. match.c must not use compress.c (via canonhost.c/packet.c). thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e. Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2 becomes Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
#
1.146 |
|
31-Jan-2020 |
djm |
Add a sshd_config "Include" directive to allow inclusion of files. This has sensible semantics wrt Match blocks and accepts glob(3) patterns to specify the included files. Based on patch by Jakub Jelen in bz2468; feedback and ok markus@
|
#
1.145 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.144 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
#
1.143 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.142 |
|
16-Oct-2019 |
djm |
potential NULL dereference for revoked hostkeys; reported by krishnaiah bommu
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.141 |
|
02-Oct-2019 |
djm |
remove some duplicate #includes
|
#
1.140 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.139 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.138 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.137 |
|
19-Jan-2019 |
djm |
convert servconf.c to new packet API
with & ok markus@
|
#
1.136 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.135 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
#
1.134 |
|
16-Nov-2018 |
djm |
use path_absolute() for pathname checks; from Manoj Ampalam
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.133 |
|
12-Sep-2018 |
djm |
log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint).
ok markus@
|
#
1.132 |
|
11-Jul-2018 |
martijn |
s/wuth/with/ in comment
|
#
1.131 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another is specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348. Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH
unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
AllowTcpForwarding yes
Match User anoncvs
    AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c) thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
#
1.145 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.144 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
#
1.143 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.142 |
|
16-Oct-2019 |
djm |
potential NULL dereference for revoked hostkeys; reported by krishnaiah bommu
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.141 |
|
02-Oct-2019 |
djm |
remove some duplicate #includes
|
#
1.140 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.139 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.138 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.137 |
|
19-Jan-2019 |
djm |
convert servconf.c to new packet API
with & ok markus@
|
#
1.136 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.135 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
#
1.134 |
|
16-Nov-2018 |
djm |
use path_absolute() for pathname checks; from Manoj Ampalam
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.133 |
|
12-Sep-2018 |
djm |
log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint).
ok markus@
|
#
1.132 |
|
11-Jul-2018 |
martijn |
s/wuth/with/ in comment
|
#
1.131 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonymn for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348 . Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
    AllowTcpForwarding yes
    Match User anoncvs
        AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change match.c must not use compress.c (via canonhost.c/packet.c) thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e.
    Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
    Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
#
1.144 |
|
16-Dec-2019 |
tobhe |
strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures.
ok markus@
|
#
1.143 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.142 |
|
16-Oct-2019 |
djm |
potential NULL dereference for revoked hostkeys; reported by krishnaiah bommu
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.141 |
|
02-Oct-2019 |
djm |
remove some duplicate #includes
|
#
1.140 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.139 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.138 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.137 |
|
19-Jan-2019 |
djm |
convert servconf.c to new packet API
with & ok markus@
|
#
1.136 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.135 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
#
1.134 |
|
16-Nov-2018 |
djm |
use path_absolute() for pathname checks; from Manoj Ampalam
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.133 |
|
12-Sep-2018 |
djm |
log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint).
ok markus@
|
#
1.132 |
|
11-Jul-2018 |
martijn |
s/wuth/with/ in comment
|
#
1.131 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348 . Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
    AllowTcpForwarding yes
    Match User anoncvs
        AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change match.c must not use compress.c (via canonhost.c/packet.c) thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e. Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2 becomes Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
#
1.143 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.142 |
|
16-Oct-2019 |
djm |
potential NULL dereference for revoked hostkeys; reported by krishnaiah bommu
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.141 |
|
02-Oct-2019 |
djm |
remove some duplicate #includes
|
#
1.140 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.139 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.138 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.137 |
|
19-Jan-2019 |
djm |
convert servconf.c to new packet API
with & ok markus@
|
#
1.136 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.135 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
#
1.134 |
|
16-Nov-2018 |
djm |
use path_absolute() for pathname checks; from Manoj Ampalam
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.133 |
|
12-Sep-2018 |
djm |
log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint).
ok markus@
|
#
1.132 |
|
11-Jul-2018 |
martijn |
s/wuth/with/ in comment
|
#
1.131 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another is specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348 . Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
    AllowTcpForwarding yes
    Match User anoncvs
        AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change match.c must not use compress.c (via canonhost.c/packet.c) thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e. Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2 becomes Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
#
1.142 |
|
16-Oct-2019 |
djm |
potential NULL dereference for revoked hostkeys; reported by krishnaiah bommu
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.141 |
|
02-Oct-2019 |
djm |
remove some duplicate #includes
|
#
1.140 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.139 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.138 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.137 |
|
19-Jan-2019 |
djm |
convert servconf.c to new packet API
with & ok markus@
|
#
1.136 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.135 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
#
1.134 |
|
16-Nov-2018 |
djm |
use path_absolute() for pathname checks; from Manoj Ampalam
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.133 |
|
12-Sep-2018 |
djm |
log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint).
ok markus@
|
#
1.132 |
|
11-Jul-2018 |
martijn |
s/wuth/with/ in comment
|
#
1.131 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUsers/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another is specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348. Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
    AllowTcpForwarding yes
    Match User anoncvs
        AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change match.c must not use compress.c (via canonhost.c/packet.c) thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e. Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2 becomes Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
#
1.141 |
|
02-Oct-2019 |
djm |
remove some duplicate #includes
|
#
1.140 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.139 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.138 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.137 |
|
19-Jan-2019 |
djm |
convert servconf.c to new packet API
with & ok markus@
|
#
1.136 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.135 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
#
1.134 |
|
16-Nov-2018 |
djm |
use path_absolute() for pathname checks; from Manoj Ampalam
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.133 |
|
12-Sep-2018 |
djm |
log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint).
ok markus@
|
#
1.132 |
|
11-Jul-2018 |
martijn |
s/wuth/with/ in comment
|
#
1.131 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonymn for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entierly :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348 . Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
    AllowTcpForwarding yes
    Match User anoncvs
        AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e.
    Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
    Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
#
1.140 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.139 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.138 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.137 |
|
19-Jan-2019 |
djm |
convert servconf.c to new packet API
with & ok markus@
|
#
1.136 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.135 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
#
1.134 |
|
16-Nov-2018 |
djm |
use path_absolute() for pathname checks; from Manoj Ampalam
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.133 |
|
12-Sep-2018 |
djm |
log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint).
ok markus@
|
#
1.132 |
|
11-Jul-2018 |
martijn |
s/wuth/with/ in comment
|
#
1.131 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348 . Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
    AllowTcpForwarding yes
    Match User anoncvs
        AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change match.c must not use compress.c (via canonhost.c/packet.c) thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e. Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2 becomes Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
#
1.139 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.138 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.137 |
|
19-Jan-2019 |
djm |
convert servconf.c to new packet API
with & ok markus@
|
#
1.136 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.135 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
#
1.134 |
|
16-Nov-2018 |
djm |
use path_absolute() for pathname checks; from Manoj Ampalam
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.133 |
|
12-Sep-2018 |
djm |
log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint).
ok markus@
|
#
1.132 |
|
11-Jul-2018 |
martijn |
s/wuth/with/ in comment
|
#
1.131 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another is specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348 . Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
AllowTcpForwarding yes
Match User anoncvs
    AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change match.c must not use compress.c (via canonhost.c/packet.c) thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e. Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2 becomes Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
#
1.138 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.137 |
|
19-Jan-2019 |
djm |
convert servconf.c to new packet API
with & ok markus@
|
#
1.136 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.135 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
#
1.134 |
|
16-Nov-2018 |
djm |
use path_absolute() for pathname checks; from Manoj Ampalam
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.133 |
|
12-Sep-2018 |
djm |
log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint).
ok markus@
|
#
1.132 |
|
11-Jul-2018 |
martijn |
s/wuth/with/ in comment
|
#
1.131 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348. Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
AllowTcpForwarding yes
Match User anoncvs
    AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change match.c must not use compress.c (via canonhost.c/packet.c) thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
#
1.135 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
#
1.134 |
|
16-Nov-2018 |
djm |
use path_absolute() for pathname checks; from Manoj Ampalam
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.133 |
|
12-Sep-2018 |
djm |
log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint).
ok markus@
|
#
1.132 |
|
11-Jul-2018 |
martijn |
s/wuth/with/ in comment
|
#
1.131 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348. Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
    AllowTcpForwarding yes
    Match User anoncvs
    AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change match.c must not use compress.c (via canonhost.c/packet.c) thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e.
    Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
    Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
#
1.134 |
|
16-Nov-2018 |
djm |
use path_absolute() for pathname checks; from Manoj Ampalam
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.133 |
|
12-Sep-2018 |
djm |
log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint).
ok markus@
|
#
1.132 |
|
11-Jul-2018 |
martijn |
s/wuth/with/ in comment
|
#
1.131 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348. Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
    AllowTcpForwarding yes
    Match User anoncvs
    AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change match.c must not use compress.c (via canonhost.c/packet.c) thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e.
    Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
    Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
#
1.133 |
|
12-Sep-2018 |
djm |
log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint).
ok markus@
|
#
1.132 |
|
11-Jul-2018 |
martijn |
s/wuth/with/ in comment
|
#
1.131 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another is specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348. Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH
unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
    AllowTcpForwarding yes
    Match User anoncvs
    AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e.
    Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
    Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
#
1.132 |
|
11-Jul-2018 |
martijn |
s/wuth/with/ in comment
|
#
1.131 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another is specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348 . Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
    AllowTcpForwarding yes
    Match User anoncvs
    AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e.
    Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
    Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
#
1.130 |
|
06-Jun-2018 |
djm |
permitlisten option for authorized_keys; ok markus@
|
#
1.129 |
|
01-Jun-2018 |
djm |
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
|
#
1.128 |
|
25-May-2018 |
djm |
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another is specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.127 |
|
12-Mar-2018 |
djm |
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another is specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348. Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH
unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.126 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonymn for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|
#
1.93 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entierly :)
feedback and ok markus@ dtucker@
|
#
1.92 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.91 |
|
29-Nov-2010 |
djm |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
|
#
1.90 |
|
23-Nov-2010 |
djm |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.89 |
|
04-Aug-2010 |
djm |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
1.88 |
|
22-Jun-2010 |
djm |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
|
#
1.87 |
|
07-May-2010 |
djm |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.86 |
|
05-Mar-2010 |
djm |
make the warning for a revoked key louder and more noticeable
|
#
1.85 |
|
04-Mar-2010 |
djm |
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition to doing it per-user in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to be revoked and banned for user or host authentication.
feedback and ok markus@
|
#
1.84 |
|
09-Feb-2010 |
djm |
unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
|
#
1.83 |
|
13-Jan-2010 |
djm |
when using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
|
#
1.82 |
|
13-Jan-2010 |
dtucker |
Fix a couple of typos/misspellings in comments
|
#
1.81 |
|
10-Jan-2010 |
dtucker |
Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.80 |
|
04-Nov-2008 |
djm |
need unistd.h for close() prototype
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.79 |
|
02-Jul-2008 |
dtucker |
Merge duplicate host key file checks, based in part on a patch from Rob Holland via bz #1348. Also checks for non-regular files during protocol 1 RSA auth. ok djm@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.78 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH
unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.77 |
|
23-Aug-2007 |
djm |
missed include bits from last commit
|
#
1.76 |
|
23-Aug-2007 |
djm |
unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
|
#
1.75 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step
|
#
1.74 |
|
01-Aug-2006 |
stevesk |
move #include <stdio.h> out of includes.h
|
#
1.73 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.72 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.71 |
|
12-Jul-2006 |
dtucker |
Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg
    AllowTcpForwarding yes
    Match User anoncvs
        AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
#
1.70 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.69 |
|
10-Jul-2006 |
stevesk |
move #include <stdarg.h> out of includes.h; ok markus@
|
#
1.68 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.67 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.66 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.65 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.64 |
|
20-Mar-2006 |
deraadt |
in a switch (), break after return or goto is stupid
|
#
1.63 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.62 |
|
20-Feb-2006 |
stevesk |
branches: 1.62.2; move #include <sys/stat.h> out of includes.h; ok markus@
|
#
1.61 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.60 |
|
17-Jun-2005 |
djm |
branches: 1.60.2; make this -Wsign-compare clean; ok avsm@ markus@
|
#
1.59 |
|
06-Jun-2005 |
djm |
introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.58 |
|
14-Mar-2005 |
dtucker |
branches: 1.58.2; Populate host for log message for logins denied by AllowUsers and DenyUsers. (bz #999); ok markus@
|
#
1.57 |
|
22-Jan-2005 |
dtucker |
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. bz #909, ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.56 |
|
28-Jul-2004 |
markus |
branches: 1.56.2; more s/illegal/invalid/
|
#
1.55 |
|
21-Jul-2004 |
markus |
s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...
|
#
1.54 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
#
1.53 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.52 |
|
08-May-2004 |
deraadt |
make two tiny header files go away; djm ok
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.51 |
|
21-Nov-2003 |
djm |
branches: 1.51.2; unexpand and delete whitespace at EOL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
26-Aug-2003 |
markus |
branches: 1.49.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.48 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.47 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.46 |
|
04-Nov-2002 |
markus |
branches: 1.46.2; don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.45 |
|
20-Sep-2002 |
stevesk |
branches: 1.45.2; log illegal user here for missing privsep case (ssh2). this is executed in the monitor. ok markus@
|
#
1.44 |
|
08-Aug-2002 |
stevesk |
typo in comment
|
#
1.43 |
|
17-May-2002 |
millert |
Fix typo/thinko. Pass in as to auth_approval(), not NULL. Closes PR 2659.
|
#
1.42 |
|
13-May-2002 |
markus |
move the packet_send_debug handling from auth-options.c to auth.c; ok provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.41 |
|
19-Mar-2002 |
markus |
branches: 1.41.2; check for NULL; from provos@
|
#
1.40 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.39 |
|
19-Mar-2002 |
markus |
KNF whitespace
|
#
1.38 |
|
18-Mar-2002 |
provos |
move auth_approval into getpwnamallow with help from millert@
|
#
1.37 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.36 |
|
15-Mar-2002 |
itojun |
fix file type checking (use S_ISREG). ok by markus
|
#
1.35 |
|
01-Mar-2002 |
markus |
undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@
|
#
1.34 |
|
28-Feb-2002 |
stevesk |
log user not allowed details, from dwd@bell-labs.com; ok markus@
|
#
1.33 |
|
28-Feb-2002 |
stevesk |
delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
|
#
1.32 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.31 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.30 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.29 |
|
08-Nov-2001 |
markus |
don't print ROOT in CAPS for the authentication messages, i.e.
    Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
    Accepted publickey for root from 127.0.0.1 port 42734 ssh2
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.28 |
|
03-Oct-2001 |
markus |
branches: 1.28.2; use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp
|
#
1.27 |
|
11-Jul-2001 |
markus |
no need to call dirname(pw->pw_dir). note that dirname(3) modifies its argument on some systems.
|
#
1.26 |
|
27-Jun-2001 |
markus |
tridge@samba.org
|
#
1.25 |
|
25-Jun-2001 |
provos |
terminate secure_filename checking after checking homedir. that way it works on AFS. okay markus@
|
#
1.24 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.23 |
|
24-May-2001 |
markus |
fix comment; from jakob@
|
#
1.22 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.21 |
|
19-Mar-2001 |
markus |
branches: 1.21.2; undo /etc/shell and proto 2,1 change for openssh-2.5.2
|
#
1.20 |
|
17-Mar-2001 |
markus |
check /etc/shells, too
|
#
1.19 |
|
02-Mar-2001 |
deraadt |
make copyright lines the same format
|
#
1.18 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.17 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.16 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.15 |
|
03-Feb-2001 |
markus |
make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
|
#
1.14 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.13 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods easier.
|
#
1.12 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.11 |
|
11-Oct-2000 |
markus |
branches: 1.11.2; new cipher framework
|
#
1.10 |
|
07-Sep-2000 |
markus |
some more Copyright fixes
|
#
1.9 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.8 |
|
04-Aug-2000 |
markus |
unused
|
#
1.7 |
|
17-May-2000 |
deraadt |
accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.6 |
|
26-Apr-2000 |
markus |
branches: 1.6.2; split auth/sshconnect in one file per protocol version
|
#
1.5 |
|
26-Apr-2000 |
markus |
add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol.
|
#
1.4 |
|
14-Apr-2000 |
markus |
whitespace cleanup
|
#
1.3 |
|
14-Apr-2000 |
markus |
check payload for (illegal) extra data
|
#
1.2 |
|
06-Apr-2000 |
markus |
ssh2 server side, see README.openssh2; enable with 'sshd -2'
|
#
1.1 |
|
28-Mar-2000 |
markus |
split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
|
#
1.125 |
|
08-Jan-2018 |
markus |
move subprocess() so scp/sftp do not need uidswap.o; ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.124 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.123 |
|
18-Aug-2017 |
djm |
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@
|
#
1.122 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.121 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
#
1.120 |
|
17-May-2017 |
djm |
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.119 |
|
15-Dec-2016 |
dtucker |
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
|
#
1.118 |
|
08-Nov-2016 |
djm |
unbreak DenyUsers; reported by henning@
|
#
1.117 |
|
06-Nov-2016 |
djm |
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
|
#
1.116 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.115 |
|
15-Jun-2016 |
dtucker |
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
|
#
1.114 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.113 |
|
21-Aug-2015 |
djm |
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.112 |
|
06-Aug-2015 |
deraadt |
branches: 1.112.4; add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
1.111 |
|
01-May-2015 |
djm |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.110 |
|
25-Feb-2015 |
djm |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
1.109 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.108 |
|
21-Dec-2014 |
djm |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
1.107 |
|
04-Dec-2014 |
djm |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.106 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.105 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
1.104 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.103 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.102 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.101 |
|
06-Feb-2013 |
dtucker |
Fix comment, from jfree.e1 at gmail
|
#
1.100 |
|
17-Jan-2013 |
djm |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
#
1.99 |
|
14-Dec-2012 |
dtucker |
use correct string in error message; from rustybsd at gmx.fr
|
#
1.98 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.97 |
|
30-Oct-2012 |
djm |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another is specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.96 |
|
13-May-2012 |
dtucker |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
1.95 |
|
11-Apr-2012 |
djm |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.94 |
|
23-May-2011 |
djm |
make secure_filename() spam debug logs less
|