#
1.169 |
|
17-May-2024 |
djm |
Start the process of splitting sshd into separate binaries. This step splits sshd into a listener and a session binary. More splits are planned.
After this changes, the listener binary will validate the configuration, load the hostkeys, listen on port 22 and manage MaxStartups only. All session handling will be performed by a new sshd-session binary that the listener fork+execs.
This reduces the listener process to the minimum necessary and sets us up for future work on the sshd-session binary.
feedback/ok markus@ deraadt@
NB. if you're updating via source, please restart sshd after installing, otherwise you run the risk of locking yourself out.
|
Revision tags: OPENBSD_7_5_BASE
|
#
1.168 |
|
18-Dec-2023 |
djm |
add "ext-info-in-auth@openssh.com" extension
This adds another transport protocol extension to allow a sshd to send SSH2_MSG_EXT_INFO during user authentication, after the server has learned the username that is being logged in to.
This lets sshd to update the acceptable signature algoritms for public key authentication, and allows these to be varied via sshd_config(5) "Match" directives, which are evaluated after the server learns the username being authenticated.
Full details in the PROTOCOL file
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.167 |
|
28-Aug-2023 |
djm |
limit artificial login delay to a reasonable maximum (5s) and don't delay at all for the "none" authentication mechanism. Patch by Dmitry Belyavskiy in bz3602 with polish/ok dtucker@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.166 |
|
08-Mar-2023 |
guenther |
Delete obsolete /* ARGSUSED */ lint comments.
ok miod@ millert@
|
#
1.165 |
|
05-Mar-2023 |
dtucker |
Remove unused compat.h includes. We've previously removed a lot of the really old compatibility code, and with it went the need to include compat.h in most of the files that have it.
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
|
#
1.164 |
|
23-Feb-2022 |
djm |
avoid integer overflow of auth attempts (harmless, caught by monitor)
|
#
1.163 |
|
26-Dec-2021 |
djm |
split method list search functionality from authmethod_lookup() into a separate authmethod_byname(), for cases where we don't need to check whether a method is enabled, etc.
use this to fix the "none" authentication method regression reported by Nam Nguyen via bugs@
ok deraadt@
|
#
1.162 |
|
19-Dec-2021 |
djm |
prepare for multiple names for authmethods
allow authentication methods to have one additional name beyond their primary name.
allow lookup by this synonym
Use primary name for authentication decisions, e.g. for PermitRootLogin=publickey
Pass actual invoked name to the authmethods, so they can tell whether they were requested via the their primary name or synonym.
ok markus@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.161 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.160 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.159 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.158 |
|
06-Mar-2020 |
markus |
exit on parse failures in input_service_request; ok djm
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.157 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.156 |
|
28-Jun-2019 |
deraadt |
asprintf returns -1, not an arbitrary value < 0. Also upon error the (very sloppy specification) leaves an undefined value in *ret, so it is wrong to inspect it, the error condition is enough. discussed a little with nicm, and then much more with millert until we were exasperated
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.155 |
|
25-Mar-2019 |
djm |
Fix authentication failures when "AuthenticationMethods any" in a Match block overrides a more restrictive global default.
Spotted by jmc@, ok markus@
|
#
1.154 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.153 |
|
19-Jan-2019 |
djm |
convert auth2.c to new packet API
|
#
1.152 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.151 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.150 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.149 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.148 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.147 |
|
11-May-2018 |
dtucker |
Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms where int64 is long not long long. ok djm@
|
#
1.146 |
|
13-Apr-2018 |
dtucker |
Defend against user enumeration timing attacks. This establishes a minimum time for each failed authentication attempt (5ms) and adds a per-user constant derived from a host secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok markus@ djm@.
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.145 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.144 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.143 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.142 |
|
31-May-2017 |
markus |
remove now obsolete ctx from ssh_dispatch_run; ok djm@
|
#
1.141 |
|
31-May-2017 |
markus |
use the ssh_dispatch_run_fatal variant
|
#
1.140 |
|
30-May-2017 |
markus |
switch auth2 to ssh_dispatch API; ok djm@
|
#
1.139 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.138 |
|
30-May-2017 |
markus |
sshd: pass struct ssh to auth functions; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.137 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.136 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.135 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.134 |
|
22-Dec-2014 |
djm |
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
|
#
1.133 |
|
18-Dec-2014 |
djm |
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.132 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.131 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.130 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.129 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.128 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.127 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and freedback djm@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.126 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.125 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.124 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.123 |
|
10-Mar-2011 |
djm |
allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.122 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.121 |
|
22-Jun-2009 |
dtucker |
alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.120 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.119 |
|
04-Jul-2008 |
djm |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2.
ok dtucker@
|
#
1.118 |
|
02-Jul-2008 |
djm |
really really remove the freebie "none" auth try for protocol 2
|
#
1.117 |
|
02-Jul-2008 |
djm |
Make protocol 2 MaxAuthTries behaviour a little more sensible:
Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).
Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.
Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).
Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.116 |
|
29-Sep-2007 |
dtucker |
Remove unused prototype. ok djm@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.115 |
|
14-Apr-2007 |
stevesk |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.114 |
|
01-Mar-2007 |
dtucker |
Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.113 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.112 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.111 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.110 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.109 |
|
20-Mar-2006 |
deraadt |
sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
|
#
1.108 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.107 |
|
28-Jul-2004 |
markus |
branches: 1.107.6; 1.107.8; more s/illegal/invalid/
|
#
1.106 |
|
21-Jul-2004 |
djm |
bz#899: Don't display invalid usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; ok markus@
|
#
1.105 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.104 |
|
04-Nov-2003 |
djm |
branches: 1.104.2; standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
|
#
1.103 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.102 |
|
26-Aug-2003 |
markus |
branches: 1.102.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.101 |
|
22-Aug-2003 |
markus |
nuke "kerberos-2@ssh.com"
|
#
1.100 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.99 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.98 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.97 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.96 |
|
06-Feb-2003 |
markus |
branches: 1.96.2; undo broken fix for #387, fixes #486
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.95 |
|
22-Aug-2002 |
markus |
branches: 1.95.2; auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
|
#
1.94 |
|
30-Jun-2002 |
deraadt |
lint asks that we use names that do not overlap
|
#
1.93 |
|
31-May-2002 |
markus |
move Authmethod definitons to per-method file.
|
#
1.92 |
|
25-May-2002 |
markus |
split auth2.c into one file per method; ok provos@/deraadt@
|
#
1.91 |
|
13-May-2002 |
itojun |
less warnings. skey_{respond,query} are public (in auth.h)
|
#
1.90 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.89 |
|
19-Mar-2002 |
markus |
branches: 1.89.2; make getpwnamallow() allways call pwcopy()
|
#
1.88 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.87 |
|
18-Mar-2002 |
provos |
have the authentication functions return the authentication context and then do_authenticated; okay millert@
|
#
1.86 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.85 |
|
24-Feb-2002 |
markus |
signed vs. unsigned: make size arguments u_int, ok stevesk@
|
#
1.84 |
|
04-Feb-2002 |
markus |
cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
|
#
1.83 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.82 |
|
13-Jan-2002 |
markus |
use buffer API and avoid static strings of fixed size; ok provos@/mouring@
|
#
1.81 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.80 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.77 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.76 |
|
18-Dec-2001 |
jakob |
log fingerprint on successful public key authentication; ok markus@
|
#
1.75 |
|
09-Dec-2001 |
markus |
add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions, fixes memleak.
|
#
1.74 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.73 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.72 |
|
07-Nov-2001 |
markus |
unused includes
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.71 |
|
27-Sep-2001 |
markus |
branches: 1.71.2; typos; from solar
|
#
1.70 |
|
20-Sep-2001 |
markus |
key_read returns now -1 or 1
|
#
1.69 |
|
23-Jul-2001 |
stevesk |
use %lu; ok markus@
|
#
1.68 |
|
26-Jun-2001 |
markus |
new interface for secure_filename()
|
#
1.67 |
|
25-Jun-2001 |
stevesk |
prototype cleanup; ok markus@
|
#
1.66 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.65 |
|
23-Jun-2001 |
markus |
restore correct ignore_user_known_hosts logic.
|
#
1.64 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.63 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.62 |
|
07-Jun-2001 |
markus |
style is used for bsdauth. disconnect on user/service change (ietf-drafts)
|
#
1.61 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.60 |
|
30-May-2001 |
markus |
merge
|
#
1.59 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.58 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
#
1.57 |
|
18-May-2001 |
markus |
improved kbd-interactive support. work by per@appgate.com and me
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.56 |
|
19-Apr-2001 |
markus |
branches: 1.56.2; use local variable, no function call needed. (btw, hostbased works now with ssh.com >= 2.0.13)
|
#
1.55 |
|
18-Apr-2001 |
markus |
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now (however the 2.1.0 server seems to work only if debug is enabled...)
|
#
1.54 |
|
18-Apr-2001 |
markus |
no longer const
|
#
1.53 |
|
18-Apr-2001 |
markus |
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
#
1.52 |
|
12-Apr-2001 |
markus |
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.51 |
|
06-Apr-2001 |
markus |
do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
|
#
1.50 |
|
04-Apr-2001 |
markus |
we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
|
#
1.49 |
|
28-Mar-2001 |
markus |
check auth_root_allowed for kbd-int auth, too.
|
#
1.48 |
|
21-Mar-2001 |
markus |
merge common ssh v1/2 code
|
#
1.47 |
|
20-Mar-2001 |
markus |
add changes need for BSD_AUTH plus disabled BSD_AUTH code
|
#
1.46 |
|
11-Mar-2001 |
markus |
debug
|
#
1.45 |
|
04-Mar-2001 |
djm |
Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid header conflicts in portable; ok markus@
|
#
1.44 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.43 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.42 |
|
13-Feb-2001 |
markus |
setproctitle(user) only if getpwnam succeeds
|
#
1.41 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.40 |
|
10-Feb-2001 |
markus |
offer passwd before s/key
|
#
1.39 |
|
08-Feb-2001 |
markus |
strict checking
|
#
1.38 |
|
08-Feb-2001 |
markus |
fix typo
|
#
1.37 |
|
07-Feb-2001 |
markus |
move k_setpag() to a central place; ok dugsong@
|
#
1.36 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.35 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.34 |
|
22-Jan-2001 |
markus |
rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
#
1.33 |
|
22-Jan-2001 |
markus |
no need to include; from mouring@etoh.eviladmin.org
|
#
1.32 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.31 |
|
20-Jan-2001 |
markus |
typo
|
#
1.30 |
|
20-Jan-2001 |
markus |
pass the filename to auth_parse_options()
|
#
1.29 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.28 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
|
#
1.27 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
#
1.26 |
|
13-Jan-2001 |
markus |
enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu
|
#
1.25 |
|
08-Jan-2001 |
markus |
implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled).
|
#
1.24 |
|
28-Dec-2000 |
markus |
count authentication failures only
|
#
1.23 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.22 |
|
03-Dec-2000 |
markus |
support f-secure/ssh.com 2.0.12; ok niels@
|
#
1.21 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.20 |
|
14-Oct-2000 |
markus |
branches: 1.20.2; OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons
|
#
1.19 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.18 |
|
11-Oct-2000 |
markus |
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me
|
#
1.17 |
|
11-Oct-2000 |
markus |
clear auth options unless auth sucessfull
|
#
1.16 |
|
27-Sep-2000 |
markus |
use key_type()
|
#
1.15 |
|
21-Sep-2000 |
markus |
add context to dispatch_run
|
#
1.14 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.13 |
|
20-Aug-2000 |
millert |
Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class.
|
#
1.12 |
|
07-Jul-2000 |
todd |
clean code is good code
|
#
1.11 |
|
19-Jun-2000 |
markus |
make userauth+pubkey interop with ssh.com-2.2.0
|
#
1.10 |
|
18-Jun-2000 |
markus |
split auth-rsa option parsing into auth-options add options support to authorized_keys2
|
#
1.9 |
|
18-Jun-2000 |
markus |
implement bug compatibility with ssh-2.0.13 pubkey, server side
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.8 |
|
08-May-2000 |
markus |
branches: 1.8.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.7 |
|
06-May-2000 |
markus |
add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
|
#
1.6 |
|
05-May-2000 |
markus |
log failure before sending the reply
|
#
1.5 |
|
01-May-2000 |
djm |
Add missing #ifdefs; ok - markus
|
#
1.4 |
|
01-May-2000 |
markus |
disable kerb,s/key in ssh2
|
#
1.3 |
|
27-Apr-2000 |
markus |
cleanup logging for sshd/2, respect PasswordAuth no
|
#
1.2 |
|
27-Apr-2000 |
markus |
xfree DSA blobs
|
#
1.1 |
|
26-Apr-2000 |
markus |
split auth/sshconnect in one file per protocol version
|
#
1.168 |
|
18-Dec-2023 |
djm |
add "ext-info-in-auth@openssh.com" extension
This adds another transport protocol extension to allow a sshd to send SSH2_MSG_EXT_INFO during user authentication, after the server has learned the username that is being logged in to.
This lets sshd to update the acceptable signature algoritms for public key authentication, and allows these to be varied via sshd_config(5) "Match" directives, which are evaluated after the server learns the username being authenticated.
Full details in the PROTOCOL file
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.167 |
|
28-Aug-2023 |
djm |
limit artificial login delay to a reasonable maximum (5s) and don't delay at all for the "none" authentication mechanism. Patch by Dmitry Belyavskiy in bz3602 with polish/ok dtucker@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.166 |
|
08-Mar-2023 |
guenther |
Delete obsolete /* ARGSUSED */ lint comments.
ok miod@ millert@
|
#
1.165 |
|
05-Mar-2023 |
dtucker |
Remove unused compat.h includes. We've previously removed a lot of the really old compatibility code, and with it went the need to include compat.h in most of the files that have it.
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
|
#
1.164 |
|
23-Feb-2022 |
djm |
avoid integer overflow of auth attempts (harmless, caught by monitor)
|
#
1.163 |
|
26-Dec-2021 |
djm |
split method list search functionality from authmethod_lookup() into a separate authmethod_byname(), for cases where we don't need to check whether a method is enabled, etc.
use this to fix the "none" authentication method regression reported by Nam Nguyen via bugs@
ok deraadt@
|
#
1.162 |
|
19-Dec-2021 |
djm |
prepare for multiple names for authmethods
allow authentication methods to have one additional name beyond their primary name.
allow lookup by this synonym
Use primary name for authentication decisions, e.g. for PermitRootLogin=publickey
Pass actual invoked name to the authmethods, so they can tell whether they were requested via the their primary name or synonym.
ok markus@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.161 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.160 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.159 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.158 |
|
06-Mar-2020 |
markus |
exit on parse failures in input_service_request; ok djm
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.157 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.156 |
|
28-Jun-2019 |
deraadt |
asprintf returns -1, not an arbitrary value < 0. Also upon error the (very sloppy specification) leaves an undefined value in *ret, so it is wrong to inspect it, the error condition is enough. discussed a little with nicm, and then much more with millert until we were exasperated
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.155 |
|
25-Mar-2019 |
djm |
Fix authentication failures when "AuthenticationMethods any" in a Match block overrides a more restrictive global default.
Spotted by jmc@, ok markus@
|
#
1.154 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.153 |
|
19-Jan-2019 |
djm |
convert auth2.c to new packet API
|
#
1.152 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.151 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.150 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.149 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.148 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.147 |
|
11-May-2018 |
dtucker |
Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms where int64 is long not long long. ok djm@
|
#
1.146 |
|
13-Apr-2018 |
dtucker |
Defend against user enumeration timing attacks. This establishes a minimum time for each failed authentication attempt (5ms) and adds a per-user constant derived from a host secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok markus@ djm@.
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.145 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.144 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.143 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.142 |
|
31-May-2017 |
markus |
remove now obsolete ctx from ssh_dispatch_run; ok djm@
|
#
1.141 |
|
31-May-2017 |
markus |
use the ssh_dispatch_run_fatal variant
|
#
1.140 |
|
30-May-2017 |
markus |
switch auth2 to ssh_dispatch API; ok djm@
|
#
1.139 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.138 |
|
30-May-2017 |
markus |
sshd: pass struct ssh to auth functions; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.137 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.136 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.135 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.134 |
|
22-Dec-2014 |
djm |
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
|
#
1.133 |
|
18-Dec-2014 |
djm |
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.132 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.131 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.130 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.129 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.128 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.127 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and freedback djm@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.126 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.125 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.124 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.123 |
|
10-Mar-2011 |
djm |
allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.122 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.121 |
|
22-Jun-2009 |
dtucker |
alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.120 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.119 |
|
04-Jul-2008 |
djm |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2.
ok dtucker@
|
#
1.118 |
|
02-Jul-2008 |
djm |
really really remove the freebie "none" auth try for protocol 2
|
#
1.117 |
|
02-Jul-2008 |
djm |
Make protocol 2 MaxAuthTries behaviour a little more sensible:
Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).
Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.
Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).
Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.116 |
|
29-Sep-2007 |
dtucker |
Remove unused prototype. ok djm@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.115 |
|
14-Apr-2007 |
stevesk |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.114 |
|
01-Mar-2007 |
dtucker |
Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.113 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.112 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.111 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.110 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.109 |
|
20-Mar-2006 |
deraadt |
sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
|
#
1.108 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.107 |
|
28-Jul-2004 |
markus |
branches: 1.107.6; 1.107.8; more s/illegal/invalid/
|
#
1.106 |
|
21-Jul-2004 |
djm |
bz#899: Don't display invalid usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; ok markus@
|
#
1.105 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.104 |
|
04-Nov-2003 |
djm |
branches: 1.104.2; standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
|
#
1.103 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.102 |
|
26-Aug-2003 |
markus |
branches: 1.102.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.101 |
|
22-Aug-2003 |
markus |
nuke "kerberos-2@ssh.com"
|
#
1.100 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.99 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.98 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.97 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.96 |
|
06-Feb-2003 |
markus |
branches: 1.96.2; undo broken fix for #387, fixes #486
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.95 |
|
22-Aug-2002 |
markus |
branches: 1.95.2; auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
|
#
1.94 |
|
30-Jun-2002 |
deraadt |
lint asks that we use names that do not overlap
|
#
1.93 |
|
31-May-2002 |
markus |
move Authmethod definitons to per-method file.
|
#
1.92 |
|
25-May-2002 |
markus |
split auth2.c into one file per method; ok provos@/deraadt@
|
#
1.91 |
|
13-May-2002 |
itojun |
less warnings. skey_{respond,query} are public (in auth.h)
|
#
1.90 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.89 |
|
19-Mar-2002 |
markus |
branches: 1.89.2; make getpwnamallow() allways call pwcopy()
|
#
1.88 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.87 |
|
18-Mar-2002 |
provos |
have the authentication functions return the authentication context and then do_authenticated; okay millert@
|
#
1.86 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.85 |
|
24-Feb-2002 |
markus |
signed vs. unsigned: make size arguments u_int, ok stevesk@
|
#
1.84 |
|
04-Feb-2002 |
markus |
cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
|
#
1.83 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.82 |
|
13-Jan-2002 |
markus |
use buffer API and avoid static strings of fixed size; ok provos@/mouring@
|
#
1.81 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.80 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.77 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.76 |
|
18-Dec-2001 |
jakob |
log fingerprint on successful public key authentication; ok markus@
|
#
1.75 |
|
09-Dec-2001 |
markus |
add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions, fixes memleak.
|
#
1.74 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.73 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.72 |
|
07-Nov-2001 |
markus |
unused includes
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.71 |
|
27-Sep-2001 |
markus |
branches: 1.71.2; typos; from solar
|
#
1.70 |
|
20-Sep-2001 |
markus |
key_read returns now -1 or 1
|
#
1.69 |
|
23-Jul-2001 |
stevesk |
use %lu; ok markus@
|
#
1.68 |
|
26-Jun-2001 |
markus |
new interface for secure_filename()
|
#
1.67 |
|
25-Jun-2001 |
stevesk |
prototype cleanup; ok markus@
|
#
1.66 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.65 |
|
23-Jun-2001 |
markus |
restore correct ignore_user_known_hosts logic.
|
#
1.64 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.63 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.62 |
|
07-Jun-2001 |
markus |
style is used for bsdauth. disconnect on user/service change (ietf-drafts)
|
#
1.61 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.60 |
|
30-May-2001 |
markus |
merge
|
#
1.59 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.58 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
#
1.57 |
|
18-May-2001 |
markus |
improved kbd-interactive support. work by per@appgate.com and me
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.56 |
|
19-Apr-2001 |
markus |
branches: 1.56.2; use local variable, no function call needed. (btw, hostbased works now with ssh.com >= 2.0.13)
|
#
1.55 |
|
18-Apr-2001 |
markus |
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now (however the 2.1.0 server seems to work only if debug is enabled...)
|
#
1.54 |
|
18-Apr-2001 |
markus |
no longer const
|
#
1.53 |
|
18-Apr-2001 |
markus |
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
#
1.52 |
|
12-Apr-2001 |
markus |
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.51 |
|
06-Apr-2001 |
markus |
do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
|
#
1.50 |
|
04-Apr-2001 |
markus |
we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
|
#
1.49 |
|
28-Mar-2001 |
markus |
check auth_root_allowed for kbd-int auth, too.
|
#
1.48 |
|
21-Mar-2001 |
markus |
merge common ssh v1/2 code
|
#
1.47 |
|
20-Mar-2001 |
markus |
add changes need for BSD_AUTH plus disabled BSD_AUTH code
|
#
1.46 |
|
11-Mar-2001 |
markus |
debug
|
#
1.45 |
|
04-Mar-2001 |
djm |
Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid header conflicts in portable; ok markus@
|
#
1.44 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.43 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.42 |
|
13-Feb-2001 |
markus |
setproctitle(user) only if getpwnam succeeds
|
#
1.41 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.40 |
|
10-Feb-2001 |
markus |
offer passwd before s/key
|
#
1.39 |
|
08-Feb-2001 |
markus |
strict checking
|
#
1.38 |
|
08-Feb-2001 |
markus |
fix typo
|
#
1.37 |
|
07-Feb-2001 |
markus |
move k_setpag() to a central place; ok dugsong@
|
#
1.36 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.35 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.34 |
|
22-Jan-2001 |
markus |
rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
#
1.33 |
|
22-Jan-2001 |
markus |
no need to include; from mouring@etoh.eviladmin.org
|
#
1.32 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.31 |
|
20-Jan-2001 |
markus |
typo
|
#
1.30 |
|
20-Jan-2001 |
markus |
pass the filename to auth_parse_options()
|
#
1.29 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.28 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
|
#
1.27 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
#
1.26 |
|
13-Jan-2001 |
markus |
enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu
|
#
1.25 |
|
08-Jan-2001 |
markus |
implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled).
|
#
1.24 |
|
28-Dec-2000 |
markus |
count authentication failures only
|
#
1.23 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.22 |
|
03-Dec-2000 |
markus |
support f-secure/ssh.com 2.0.12; ok niels@
|
#
1.21 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.20 |
|
14-Oct-2000 |
markus |
branches: 1.20.2; OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons
|
#
1.19 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.18 |
|
11-Oct-2000 |
markus |
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me
|
#
1.17 |
|
11-Oct-2000 |
markus |
clear auth options unless auth sucessfull
|
#
1.16 |
|
27-Sep-2000 |
markus |
use key_type()
|
#
1.15 |
|
21-Sep-2000 |
markus |
add context to dispatch_run
|
#
1.14 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.13 |
|
20-Aug-2000 |
millert |
Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class.
|
#
1.12 |
|
07-Jul-2000 |
todd |
clean code is good code
|
#
1.11 |
|
19-Jun-2000 |
markus |
make userauth+pubkey interop with ssh.com-2.2.0
|
#
1.10 |
|
18-Jun-2000 |
markus |
split auth-rsa option parsing into auth-options add options support to authorized_keys2
|
#
1.9 |
|
18-Jun-2000 |
markus |
implement bug compatibility with ssh-2.0.13 pubkey, server side
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.8 |
|
08-May-2000 |
markus |
branches: 1.8.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.7 |
|
06-May-2000 |
markus |
add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
|
#
1.6 |
|
05-May-2000 |
markus |
log failure before sending the reply
|
#
1.5 |
|
01-May-2000 |
djm |
Add missing #ifdefs; ok - markus
|
#
1.4 |
|
01-May-2000 |
markus |
disable kerb,s/key in ssh2
|
#
1.3 |
|
27-Apr-2000 |
markus |
cleanup logging for sshd/2, respect PasswordAuth no
|
#
1.2 |
|
27-Apr-2000 |
markus |
xfree DSA blobs
|
#
1.1 |
|
26-Apr-2000 |
markus |
split auth/sshconnect in one file per protocol version
|
#
1.167 |
|
28-Aug-2023 |
djm |
limit artificial login delay to a reasonable maximum (5s) and don't delay at all for the "none" authentication mechanism. Patch by Dmitry Belyavskiy in bz3602 with polish/ok dtucker@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.166 |
|
08-Mar-2023 |
guenther |
Delete obsolete /* ARGSUSED */ lint comments.
ok miod@ millert@
|
#
1.165 |
|
05-Mar-2023 |
dtucker |
Remove unused compat.h includes. We've previously removed a lot of the really old compatibility code, and with it went the need to include compat.h in most of the files that have it.
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
|
#
1.164 |
|
23-Feb-2022 |
djm |
avoid integer overflow of auth attempts (harmless, caught by monitor)
|
#
1.163 |
|
26-Dec-2021 |
djm |
split method list search functionality from authmethod_lookup() into a separate authmethod_byname(), for cases where we don't need to check whether a method is enabled, etc.
use this to fix the "none" authentication method regression reported by Nam Nguyen via bugs@
ok deraadt@
|
#
1.162 |
|
19-Dec-2021 |
djm |
prepare for multiple names for authmethods
allow authentication methods to have one additional name beyond their primary name.
allow lookup by this synonym
Use primary name for authentication decisions, e.g. for PermitRootLogin=publickey
Pass actual invoked name to the authmethods, so they can tell whether they were requested via the their primary name or synonym.
ok markus@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.161 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.160 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.159 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.158 |
|
06-Mar-2020 |
markus |
exit on parse failures in input_service_request; ok djm
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.157 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.156 |
|
28-Jun-2019 |
deraadt |
asprintf returns -1, not an arbitrary value < 0. Also upon error the (very sloppy specification) leaves an undefined value in *ret, so it is wrong to inspect it, the error condition is enough. discussed a little with nicm, and then much more with millert until we were exasperated
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.155 |
|
25-Mar-2019 |
djm |
Fix authentication failures when "AuthenticationMethods any" in a Match block overrides a more restrictive global default.
Spotted by jmc@, ok markus@
|
#
1.154 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.153 |
|
19-Jan-2019 |
djm |
convert auth2.c to new packet API
|
#
1.152 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.151 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.150 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.149 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.148 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.147 |
|
11-May-2018 |
dtucker |
Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms where int64 is long not long long. ok djm@
|
#
1.146 |
|
13-Apr-2018 |
dtucker |
Defend against user enumeration timing attacks. This establishes a minimum time for each failed authentication attempt (5ms) and adds a per-user constant derived from a host secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok markus@ djm@.
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.145 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.144 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.143 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.142 |
|
31-May-2017 |
markus |
remove now obsolete ctx from ssh_dispatch_run; ok djm@
|
#
1.141 |
|
31-May-2017 |
markus |
use the ssh_dispatch_run_fatal variant
|
#
1.140 |
|
30-May-2017 |
markus |
switch auth2 to ssh_dispatch API; ok djm@
|
#
1.139 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.138 |
|
30-May-2017 |
markus |
sshd: pass struct ssh to auth functions; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.137 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.136 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.135 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.134 |
|
22-Dec-2014 |
djm |
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
|
#
1.133 |
|
18-Dec-2014 |
djm |
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.132 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.131 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.130 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.129 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.128 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.127 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and freedback djm@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.126 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.125 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.124 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.123 |
|
10-Mar-2011 |
djm |
allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.122 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.121 |
|
22-Jun-2009 |
dtucker |
alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.120 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.119 |
|
04-Jul-2008 |
djm |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2.
ok dtucker@
|
#
1.118 |
|
02-Jul-2008 |
djm |
really really remove the freebie "none" auth try for protocol 2
|
#
1.117 |
|
02-Jul-2008 |
djm |
Make protocol 2 MaxAuthTries behaviour a little more sensible:
Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).
Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.
Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).
Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.116 |
|
29-Sep-2007 |
dtucker |
Remove unused prototype. ok djm@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.115 |
|
14-Apr-2007 |
stevesk |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.114 |
|
01-Mar-2007 |
dtucker |
Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.113 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.112 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.111 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.110 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.109 |
|
20-Mar-2006 |
deraadt |
sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
|
#
1.108 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.107 |
|
28-Jul-2004 |
markus |
branches: 1.107.6; 1.107.8; more s/illegal/invalid/
|
#
1.106 |
|
21-Jul-2004 |
djm |
bz#899: Don't display invalid usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; ok markus@
|
#
1.105 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.104 |
|
04-Nov-2003 |
djm |
branches: 1.104.2; standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
|
#
1.103 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.102 |
|
26-Aug-2003 |
markus |
branches: 1.102.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.101 |
|
22-Aug-2003 |
markus |
nuke "kerberos-2@ssh.com"
|
#
1.100 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.99 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.98 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.97 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.96 |
|
06-Feb-2003 |
markus |
branches: 1.96.2; undo broken fix for #387, fixes #486
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.95 |
|
22-Aug-2002 |
markus |
branches: 1.95.2; auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
|
#
1.94 |
|
30-Jun-2002 |
deraadt |
lint asks that we use names that do not overlap
|
#
1.93 |
|
31-May-2002 |
markus |
move Authmethod definitons to per-method file.
|
#
1.92 |
|
25-May-2002 |
markus |
split auth2.c into one file per method; ok provos@/deraadt@
|
#
1.91 |
|
13-May-2002 |
itojun |
less warnings. skey_{respond,query} are public (in auth.h)
|
#
1.90 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.89 |
|
19-Mar-2002 |
markus |
branches: 1.89.2; make getpwnamallow() allways call pwcopy()
|
#
1.88 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.87 |
|
18-Mar-2002 |
provos |
have the authentication functions return the authentication context and then do_authenticated; okay millert@
|
#
1.86 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.85 |
|
24-Feb-2002 |
markus |
signed vs. unsigned: make size arguments u_int, ok stevesk@
|
#
1.84 |
|
04-Feb-2002 |
markus |
cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
|
#
1.83 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.82 |
|
13-Jan-2002 |
markus |
use buffer API and avoid static strings of fixed size; ok provos@/mouring@
|
#
1.81 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.80 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.77 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.76 |
|
18-Dec-2001 |
jakob |
log fingerprint on successful public key authentication; ok markus@
|
#
1.75 |
|
09-Dec-2001 |
markus |
add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions, fixes memleak.
|
#
1.74 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.73 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.72 |
|
07-Nov-2001 |
markus |
unused includes
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.71 |
|
27-Sep-2001 |
markus |
branches: 1.71.2; typos; from solar
|
#
1.70 |
|
20-Sep-2001 |
markus |
key_read returns now -1 or 1
|
#
1.69 |
|
23-Jul-2001 |
stevesk |
use %lu; ok markus@
|
#
1.68 |
|
26-Jun-2001 |
markus |
new interface for secure_filename()
|
#
1.67 |
|
25-Jun-2001 |
stevesk |
prototype cleanup; ok markus@
|
#
1.66 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.65 |
|
23-Jun-2001 |
markus |
restore correct ignore_user_known_hosts logic.
|
#
1.64 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.63 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.62 |
|
07-Jun-2001 |
markus |
style is used for bsdauth. disconnect on user/service change (ietf-drafts)
|
#
1.61 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.60 |
|
30-May-2001 |
markus |
merge
|
#
1.59 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.58 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
#
1.57 |
|
18-May-2001 |
markus |
improved kbd-interactive support. work by per@appgate.com and me
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.56 |
|
19-Apr-2001 |
markus |
branches: 1.56.2; use local variable, no function call needed. (btw, hostbased works now with ssh.com >= 2.0.13)
|
#
1.55 |
|
18-Apr-2001 |
markus |
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now (however the 2.1.0 server seems to work only if debug is enabled...)
|
#
1.54 |
|
18-Apr-2001 |
markus |
no longer const
|
#
1.53 |
|
18-Apr-2001 |
markus |
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
#
1.52 |
|
12-Apr-2001 |
markus |
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.51 |
|
06-Apr-2001 |
markus |
do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
|
#
1.50 |
|
04-Apr-2001 |
markus |
we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
|
#
1.49 |
|
28-Mar-2001 |
markus |
check auth_root_allowed for kbd-int auth, too.
|
#
1.48 |
|
21-Mar-2001 |
markus |
merge common ssh v1/2 code
|
#
1.47 |
|
20-Mar-2001 |
markus |
add changes need for BSD_AUTH plus disabled BSD_AUTH code
|
#
1.46 |
|
11-Mar-2001 |
markus |
debug
|
#
1.45 |
|
04-Mar-2001 |
djm |
Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid header conflicts in portable; ok markus@
|
#
1.44 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.43 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.42 |
|
13-Feb-2001 |
markus |
setproctitle(user) only if getpwnam succeeds
|
#
1.41 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.40 |
|
10-Feb-2001 |
markus |
offer passwd before s/key
|
#
1.39 |
|
08-Feb-2001 |
markus |
strict checking
|
#
1.38 |
|
08-Feb-2001 |
markus |
fix typo
|
#
1.37 |
|
07-Feb-2001 |
markus |
move k_setpag() to a central place; ok dugsong@
|
#
1.36 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.35 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.34 |
|
22-Jan-2001 |
markus |
rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
#
1.33 |
|
22-Jan-2001 |
markus |
no need to include; from mouring@etoh.eviladmin.org
|
#
1.32 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.31 |
|
20-Jan-2001 |
markus |
typo
|
#
1.30 |
|
20-Jan-2001 |
markus |
pass the filename to auth_parse_options()
|
#
1.29 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.28 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
|
#
1.27 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
#
1.26 |
|
13-Jan-2001 |
markus |
enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu
|
#
1.25 |
|
08-Jan-2001 |
markus |
implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled).
|
#
1.24 |
|
28-Dec-2000 |
markus |
count authentication failures only
|
#
1.23 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.22 |
|
03-Dec-2000 |
markus |
support f-secure/ssh.com 2.0.12; ok niels@
|
#
1.21 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.20 |
|
14-Oct-2000 |
markus |
branches: 1.20.2; OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons
|
#
1.19 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.18 |
|
11-Oct-2000 |
markus |
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me
|
#
1.17 |
|
11-Oct-2000 |
markus |
clear auth options unless auth sucessfull
|
#
1.16 |
|
27-Sep-2000 |
markus |
use key_type()
|
#
1.15 |
|
21-Sep-2000 |
markus |
add context to dispatch_run
|
#
1.14 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.13 |
|
20-Aug-2000 |
millert |
Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class.
|
#
1.12 |
|
07-Jul-2000 |
todd |
clean code is good code
|
#
1.11 |
|
19-Jun-2000 |
markus |
make userauth+pubkey interop with ssh.com-2.2.0
|
#
1.10 |
|
18-Jun-2000 |
markus |
split auth-rsa option parsing into auth-options add options support to authorized_keys2
|
#
1.9 |
|
18-Jun-2000 |
markus |
implement bug compatibility with ssh-2.0.13 pubkey, server side
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.8 |
|
08-May-2000 |
markus |
branches: 1.8.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.7 |
|
06-May-2000 |
markus |
add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
|
#
1.6 |
|
05-May-2000 |
markus |
log failure before sending the reply
|
#
1.5 |
|
01-May-2000 |
djm |
Add missing #ifdefs; ok - markus
|
#
1.4 |
|
01-May-2000 |
markus |
disable kerb,s/key in ssh2
|
#
1.3 |
|
27-Apr-2000 |
markus |
cleanup logging for sshd/2, respect PasswordAuth no
|
#
1.2 |
|
27-Apr-2000 |
markus |
xfree DSA blobs
|
#
1.1 |
|
26-Apr-2000 |
markus |
split auth/sshconnect in one file per protocol version
|
#
1.166 |
|
08-Mar-2023 |
guenther |
Delete obsolete /* ARGSUSED */ lint comments.
ok miod@ millert@
|
#
1.165 |
|
05-Mar-2023 |
dtucker |
Remove unused compat.h includes. We've previously removed a lot of the really old compatibility code, and with it went the need to include compat.h in most of the files that have it.
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
|
#
1.164 |
|
23-Feb-2022 |
djm |
avoid integer overflow of auth attempts (harmless, caught by monitor)
|
#
1.163 |
|
26-Dec-2021 |
djm |
split method list search functionality from authmethod_lookup() into a separate authmethod_byname(), for cases where we don't need to check whether a method is enabled, etc.
use this to fix the "none" authentication method regression reported by Nam Nguyen via bugs@
ok deraadt@
|
#
1.162 |
|
19-Dec-2021 |
djm |
prepare for multiple names for authmethods
allow authentication methods to have one additional name beyond their primary name.
allow lookup by this synonym
Use primary name for authentication decisions, e.g. for PermitRootLogin=publickey
Pass actual invoked name to the authmethods, so they can tell whether they were requested via the their primary name or synonym.
ok markus@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.161 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.160 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.159 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.158 |
|
06-Mar-2020 |
markus |
exit on parse failures in input_service_request; ok djm
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.157 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.156 |
|
28-Jun-2019 |
deraadt |
asprintf returns -1, not an arbitrary value < 0. Also upon error the (very sloppy specification) leaves an undefined value in *ret, so it is wrong to inspect it, the error condition is enough. discussed a little with nicm, and then much more with millert until we were exasperated
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.155 |
|
25-Mar-2019 |
djm |
Fix authentication failures when "AuthenticationMethods any" in a Match block overrides a more restrictive global default.
Spotted by jmc@, ok markus@
|
#
1.154 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.153 |
|
19-Jan-2019 |
djm |
convert auth2.c to new packet API
|
#
1.152 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.151 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.150 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.149 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.148 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.147 |
|
11-May-2018 |
dtucker |
Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms where int64 is long not long long. ok djm@
|
#
1.146 |
|
13-Apr-2018 |
dtucker |
Defend against user enumeration timing attacks. This establishes a minimum time for each failed authentication attempt (5ms) and adds a per-user constant derived from a host secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok markus@ djm@.
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.145 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.144 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.143 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.142 |
|
31-May-2017 |
markus |
remove now obsolete ctx from ssh_dispatch_run; ok djm@
|
#
1.141 |
|
31-May-2017 |
markus |
use the ssh_dispatch_run_fatal variant
|
#
1.140 |
|
30-May-2017 |
markus |
switch auth2 to ssh_dispatch API; ok djm@
|
#
1.139 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.138 |
|
30-May-2017 |
markus |
sshd: pass struct ssh to auth functions; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.137 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.136 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.135 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.134 |
|
22-Dec-2014 |
djm |
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
|
#
1.133 |
|
18-Dec-2014 |
djm |
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.132 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.131 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.130 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.129 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.128 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.127 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and freedback djm@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.126 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.125 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.124 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.123 |
|
10-Mar-2011 |
djm |
allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.122 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.121 |
|
22-Jun-2009 |
dtucker |
alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.120 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.119 |
|
04-Jul-2008 |
djm |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2.
ok dtucker@
|
#
1.118 |
|
02-Jul-2008 |
djm |
really really remove the freebie "none" auth try for protocol 2
|
#
1.117 |
|
02-Jul-2008 |
djm |
Make protocol 2 MaxAuthTries behaviour a little more sensible:
Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).
Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.
Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).
Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.116 |
|
29-Sep-2007 |
dtucker |
Remove unused prototype. ok djm@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.115 |
|
14-Apr-2007 |
stevesk |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.114 |
|
01-Mar-2007 |
dtucker |
Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.113 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.112 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.111 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.110 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.109 |
|
20-Mar-2006 |
deraadt |
sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
|
#
1.108 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.107 |
|
28-Jul-2004 |
markus |
branches: 1.107.6; 1.107.8; more s/illegal/invalid/
|
#
1.106 |
|
21-Jul-2004 |
djm |
bz#899: Don't display invalid usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; ok markus@
|
#
1.105 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.104 |
|
04-Nov-2003 |
djm |
branches: 1.104.2; standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
|
#
1.103 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.102 |
|
26-Aug-2003 |
markus |
branches: 1.102.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.101 |
|
22-Aug-2003 |
markus |
nuke "kerberos-2@ssh.com"
|
#
1.100 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.99 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.98 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.97 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.96 |
|
06-Feb-2003 |
markus |
branches: 1.96.2; undo broken fix for #387, fixes #486
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.95 |
|
22-Aug-2002 |
markus |
branches: 1.95.2; auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
|
#
1.94 |
|
30-Jun-2002 |
deraadt |
lint asks that we use names that do not overlap
|
#
1.93 |
|
31-May-2002 |
markus |
move Authmethod definitons to per-method file.
|
#
1.92 |
|
25-May-2002 |
markus |
split auth2.c into one file per method; ok provos@/deraadt@
|
#
1.91 |
|
13-May-2002 |
itojun |
less warnings. skey_{respond,query} are public (in auth.h)
|
#
1.90 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.89 |
|
19-Mar-2002 |
markus |
branches: 1.89.2; make getpwnamallow() allways call pwcopy()
|
#
1.88 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.87 |
|
18-Mar-2002 |
provos |
have the authentication functions return the authentication context and then do_authenticated; okay millert@
|
#
1.86 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.85 |
|
24-Feb-2002 |
markus |
signed vs. unsigned: make size arguments u_int, ok stevesk@
|
#
1.84 |
|
04-Feb-2002 |
markus |
cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
|
#
1.83 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.82 |
|
13-Jan-2002 |
markus |
use buffer API and avoid static strings of fixed size; ok provos@/mouring@
|
#
1.81 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.80 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.77 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.76 |
|
18-Dec-2001 |
jakob |
log fingerprint on successful public key authentication; ok markus@
|
#
1.75 |
|
09-Dec-2001 |
markus |
add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions, fixes memleak.
|
#
1.74 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.73 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.72 |
|
07-Nov-2001 |
markus |
unused includes
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.71 |
|
27-Sep-2001 |
markus |
branches: 1.71.2; typos; from solar
|
#
1.70 |
|
20-Sep-2001 |
markus |
key_read returns now -1 or 1
|
#
1.69 |
|
23-Jul-2001 |
stevesk |
use %lu; ok markus@
|
#
1.68 |
|
26-Jun-2001 |
markus |
new interface for secure_filename()
|
#
1.67 |
|
25-Jun-2001 |
stevesk |
prototype cleanup; ok markus@
|
#
1.66 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.65 |
|
23-Jun-2001 |
markus |
restore correct ignore_user_known_hosts logic.
|
#
1.64 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.63 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.62 |
|
07-Jun-2001 |
markus |
style is used for bsdauth. disconnect on user/service change (ietf-drafts)
|
#
1.61 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.60 |
|
30-May-2001 |
markus |
merge
|
#
1.59 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.58 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
#
1.57 |
|
18-May-2001 |
markus |
improved kbd-interactive support. work by per@appgate.com and me
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.56 |
|
19-Apr-2001 |
markus |
branches: 1.56.2; use local variable, no function call needed. (btw, hostbased works now with ssh.com >= 2.0.13)
|
#
1.55 |
|
18-Apr-2001 |
markus |
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now (however the 2.1.0 server seems to work only if debug is enabled...)
|
#
1.54 |
|
18-Apr-2001 |
markus |
no longer const
|
#
1.53 |
|
18-Apr-2001 |
markus |
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
#
1.52 |
|
12-Apr-2001 |
markus |
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.51 |
|
06-Apr-2001 |
markus |
do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
|
#
1.50 |
|
04-Apr-2001 |
markus |
we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
|
#
1.49 |
|
28-Mar-2001 |
markus |
check auth_root_allowed for kbd-int auth, too.
|
#
1.48 |
|
21-Mar-2001 |
markus |
merge common ssh v1/2 code
|
#
1.47 |
|
20-Mar-2001 |
markus |
add changes need for BSD_AUTH plus disabled BSD_AUTH code
|
#
1.46 |
|
11-Mar-2001 |
markus |
debug
|
#
1.45 |
|
04-Mar-2001 |
djm |
Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid header conflicts in portable; ok markus@
|
#
1.44 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.43 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.42 |
|
13-Feb-2001 |
markus |
setproctitle(user) only if getpwnam succeeds
|
#
1.41 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.40 |
|
10-Feb-2001 |
markus |
offer passwd before s/key
|
#
1.39 |
|
08-Feb-2001 |
markus |
strict checking
|
#
1.38 |
|
08-Feb-2001 |
markus |
fix typo
|
#
1.37 |
|
07-Feb-2001 |
markus |
move k_setpag() to a central place; ok dugsong@
|
#
1.36 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.35 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.34 |
|
22-Jan-2001 |
markus |
rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
#
1.33 |
|
22-Jan-2001 |
markus |
no need to include; from mouring@etoh.eviladmin.org
|
#
1.32 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.31 |
|
20-Jan-2001 |
markus |
typo
|
#
1.30 |
|
20-Jan-2001 |
markus |
pass the filename to auth_parse_options()
|
#
1.29 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.28 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
|
#
1.27 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
#
1.26 |
|
13-Jan-2001 |
markus |
enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu
|
#
1.25 |
|
08-Jan-2001 |
markus |
implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled).
|
#
1.24 |
|
28-Dec-2000 |
markus |
count authentication failures only
|
#
1.23 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.22 |
|
03-Dec-2000 |
markus |
support f-secure/ssh.com 2.0.12; ok niels@
|
#
1.21 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.20 |
|
14-Oct-2000 |
markus |
branches: 1.20.2; OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons
|
#
1.19 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.18 |
|
11-Oct-2000 |
markus |
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me
|
#
1.17 |
|
11-Oct-2000 |
markus |
clear auth options unless auth sucessfull
|
#
1.16 |
|
27-Sep-2000 |
markus |
use key_type()
|
#
1.15 |
|
21-Sep-2000 |
markus |
add context to dispatch_run
|
#
1.14 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.13 |
|
20-Aug-2000 |
millert |
Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class.
|
#
1.12 |
|
07-Jul-2000 |
todd |
clean code is good code
|
#
1.11 |
|
19-Jun-2000 |
markus |
make userauth+pubkey interop with ssh.com-2.2.0
|
#
1.10 |
|
18-Jun-2000 |
markus |
split auth-rsa option parsing into auth-options add options support to authorized_keys2
|
#
1.9 |
|
18-Jun-2000 |
markus |
implement bug compatibility with ssh-2.0.13 pubkey, server side
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.8 |
|
08-May-2000 |
markus |
branches: 1.8.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.7 |
|
06-May-2000 |
markus |
add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
|
#
1.6 |
|
05-May-2000 |
markus |
log failure before sending the reply
|
#
1.5 |
|
01-May-2000 |
djm |
Add missing #ifdefs; ok - markus
|
#
1.4 |
|
01-May-2000 |
markus |
disable kerb,s/key in ssh2
|
#
1.3 |
|
27-Apr-2000 |
markus |
cleanup logging for sshd/2, respect PasswordAuth no
|
#
1.2 |
|
27-Apr-2000 |
markus |
xfree DSA blobs
|
#
1.1 |
|
26-Apr-2000 |
markus |
split auth/sshconnect in one file per protocol version
|
#
1.165 |
|
05-Mar-2023 |
dtucker |
Remove unused compat.h includes. We've previously removed a lot of the really old compatibility code, and with it went the need to include compat.h in most of the files that have it.
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
|
#
1.164 |
|
23-Feb-2022 |
djm |
avoid integer overflow of auth attempts (harmless, caught by monitor)
|
#
1.163 |
|
26-Dec-2021 |
djm |
split method list search functionality from authmethod_lookup() into a separate authmethod_byname(), for cases where we don't need to check whether a method is enabled, etc.
use this to fix the "none" authentication method regression reported by Nam Nguyen via bugs@
ok deraadt@
|
#
1.162 |
|
19-Dec-2021 |
djm |
prepare for multiple names for authmethods
allow authentication methods to have one additional name beyond their primary name.
allow lookup by this synonym
Use primary name for authentication decisions, e.g. for PermitRootLogin=publickey
Pass actual invoked name to the authmethods, so they can tell whether they were requested via the their primary name or synonym.
ok markus@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.161 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.160 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.159 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.158 |
|
06-Mar-2020 |
markus |
exit on parse failures in input_service_request; ok djm
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.157 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.156 |
|
28-Jun-2019 |
deraadt |
asprintf returns -1, not an arbitrary value < 0. Also upon error the (very sloppy specification) leaves an undefined value in *ret, so it is wrong to inspect it, the error condition is enough. discussed a little with nicm, and then much more with millert until we were exasperated
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.155 |
|
25-Mar-2019 |
djm |
Fix authentication failures when "AuthenticationMethods any" in a Match block overrides a more restrictive global default.
Spotted by jmc@, ok markus@
|
#
1.154 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.153 |
|
19-Jan-2019 |
djm |
convert auth2.c to new packet API
|
#
1.152 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.151 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.150 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.149 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.148 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.147 |
|
11-May-2018 |
dtucker |
Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms where int64 is long not long long. ok djm@
|
#
1.146 |
|
13-Apr-2018 |
dtucker |
Defend against user enumeration timing attacks. This establishes a minimum time for each failed authentication attempt (5ms) and adds a per-user constant derived from a host secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok markus@ djm@.
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.145 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.144 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.143 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.142 |
|
31-May-2017 |
markus |
remove now obsolete ctx from ssh_dispatch_run; ok djm@
|
#
1.141 |
|
31-May-2017 |
markus |
use the ssh_dispatch_run_fatal variant
|
#
1.140 |
|
30-May-2017 |
markus |
switch auth2 to ssh_dispatch API; ok djm@
|
#
1.139 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.138 |
|
30-May-2017 |
markus |
sshd: pass struct ssh to auth functions; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.137 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.136 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.135 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.134 |
|
22-Dec-2014 |
djm |
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
|
#
1.133 |
|
18-Dec-2014 |
djm |
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.132 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.131 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.130 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.129 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.128 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.127 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and freedback djm@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.126 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.125 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.124 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.123 |
|
10-Mar-2011 |
djm |
allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.122 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.121 |
|
22-Jun-2009 |
dtucker |
alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.120 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.119 |
|
04-Jul-2008 |
djm |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2.
ok dtucker@
|
#
1.118 |
|
02-Jul-2008 |
djm |
really really remove the freebie "none" auth try for protocol 2
|
#
1.117 |
|
02-Jul-2008 |
djm |
Make protocol 2 MaxAuthTries behaviour a little more sensible:
Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).
Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.
Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).
Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.116 |
|
29-Sep-2007 |
dtucker |
Remove unused prototype. ok djm@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.115 |
|
14-Apr-2007 |
stevesk |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.114 |
|
01-Mar-2007 |
dtucker |
Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.113 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.112 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.111 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.110 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.109 |
|
20-Mar-2006 |
deraadt |
sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
|
#
1.108 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.107 |
|
28-Jul-2004 |
markus |
branches: 1.107.6; 1.107.8; more s/illegal/invalid/
|
#
1.106 |
|
21-Jul-2004 |
djm |
bz#899: Don't display invalid usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; ok markus@
|
#
1.105 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.104 |
|
04-Nov-2003 |
djm |
branches: 1.104.2; standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
|
#
1.103 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.102 |
|
26-Aug-2003 |
markus |
branches: 1.102.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.101 |
|
22-Aug-2003 |
markus |
nuke "kerberos-2@ssh.com"
|
#
1.100 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.99 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.98 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.97 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.96 |
|
06-Feb-2003 |
markus |
branches: 1.96.2; undo broken fix for #387, fixes #486
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.95 |
|
22-Aug-2002 |
markus |
branches: 1.95.2; auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
|
#
1.94 |
|
30-Jun-2002 |
deraadt |
lint asks that we use names that do not overlap
|
#
1.93 |
|
31-May-2002 |
markus |
move Authmethod definitons to per-method file.
|
#
1.92 |
|
25-May-2002 |
markus |
split auth2.c into one file per method; ok provos@/deraadt@
|
#
1.91 |
|
13-May-2002 |
itojun |
less warnings. skey_{respond,query} are public (in auth.h)
|
#
1.90 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.89 |
|
19-Mar-2002 |
markus |
branches: 1.89.2; make getpwnamallow() allways call pwcopy()
|
#
1.88 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.87 |
|
18-Mar-2002 |
provos |
have the authentication functions return the authentication context and then do_authenticated; okay millert@
|
#
1.86 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.85 |
|
24-Feb-2002 |
markus |
signed vs. unsigned: make size arguments u_int, ok stevesk@
|
#
1.84 |
|
04-Feb-2002 |
markus |
cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
|
#
1.83 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.82 |
|
13-Jan-2002 |
markus |
use buffer API and avoid static strings of fixed size; ok provos@/mouring@
|
#
1.81 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.80 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.77 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.76 |
|
18-Dec-2001 |
jakob |
log fingerprint on successful public key authentication; ok markus@
|
#
1.75 |
|
09-Dec-2001 |
markus |
add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions, fixes memleak.
|
#
1.74 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.73 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.72 |
|
07-Nov-2001 |
markus |
unused includes
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.71 |
|
27-Sep-2001 |
markus |
branches: 1.71.2; typos; from solar
|
#
1.70 |
|
20-Sep-2001 |
markus |
key_read returns now -1 or 1
|
#
1.69 |
|
23-Jul-2001 |
stevesk |
use %lu; ok markus@
|
#
1.68 |
|
26-Jun-2001 |
markus |
new interface for secure_filename()
|
#
1.67 |
|
25-Jun-2001 |
stevesk |
prototype cleanup; ok markus@
|
#
1.66 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.65 |
|
23-Jun-2001 |
markus |
restore correct ignore_user_known_hosts logic.
|
#
1.64 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.63 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.62 |
|
07-Jun-2001 |
markus |
style is used for bsdauth. disconnect on user/service change (ietf-drafts)
|
#
1.61 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.60 |
|
30-May-2001 |
markus |
merge
|
#
1.59 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.58 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
#
1.57 |
|
18-May-2001 |
markus |
improved kbd-interactive support. work by per@appgate.com and me
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.56 |
|
19-Apr-2001 |
markus |
branches: 1.56.2; use local variable, no function call needed. (btw, hostbased works now with ssh.com >= 2.0.13)
|
#
1.55 |
|
18-Apr-2001 |
markus |
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now (however the 2.1.0 server seems to work only if debug is enabled...)
|
#
1.54 |
|
18-Apr-2001 |
markus |
no longer const
|
#
1.53 |
|
18-Apr-2001 |
markus |
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
#
1.52 |
|
12-Apr-2001 |
markus |
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.51 |
|
06-Apr-2001 |
markus |
do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
|
#
1.50 |
|
04-Apr-2001 |
markus |
we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
|
#
1.49 |
|
28-Mar-2001 |
markus |
check auth_root_allowed for kbd-int auth, too.
|
#
1.48 |
|
21-Mar-2001 |
markus |
merge common ssh v1/2 code
|
#
1.47 |
|
20-Mar-2001 |
markus |
add changes need for BSD_AUTH plus disabled BSD_AUTH code
|
#
1.46 |
|
11-Mar-2001 |
markus |
debug
|
#
1.45 |
|
04-Mar-2001 |
djm |
Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid header conflicts in portable; ok markus@
|
#
1.44 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.43 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.42 |
|
13-Feb-2001 |
markus |
setproctitle(user) only if getpwnam succeeds
|
#
1.41 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.40 |
|
10-Feb-2001 |
markus |
offer passwd before s/key
|
#
1.39 |
|
08-Feb-2001 |
markus |
strict checking
|
#
1.38 |
|
08-Feb-2001 |
markus |
fix typo
|
#
1.37 |
|
07-Feb-2001 |
markus |
move k_setpag() to a central place; ok dugsong@
|
#
1.36 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.35 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.34 |
|
22-Jan-2001 |
markus |
rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
#
1.33 |
|
22-Jan-2001 |
markus |
no need to include; from mouring@etoh.eviladmin.org
|
#
1.32 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.31 |
|
20-Jan-2001 |
markus |
typo
|
#
1.30 |
|
20-Jan-2001 |
markus |
pass the filename to auth_parse_options()
|
#
1.29 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.28 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
|
#
1.27 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
#
1.26 |
|
13-Jan-2001 |
markus |
enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu
|
#
1.25 |
|
08-Jan-2001 |
markus |
implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled).
|
#
1.24 |
|
28-Dec-2000 |
markus |
count authentication failures only
|
#
1.23 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.22 |
|
03-Dec-2000 |
markus |
support f-secure/ssh.com 2.0.12; ok niels@
|
#
1.21 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.20 |
|
14-Oct-2000 |
markus |
branches: 1.20.2; OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons
|
#
1.19 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.18 |
|
11-Oct-2000 |
markus |
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me
|
#
1.17 |
|
11-Oct-2000 |
markus |
clear auth options unless auth sucessfull
|
#
1.16 |
|
27-Sep-2000 |
markus |
use key_type()
|
#
1.15 |
|
21-Sep-2000 |
markus |
add context to dispatch_run
|
#
1.14 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.13 |
|
20-Aug-2000 |
millert |
Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class.
|
#
1.12 |
|
07-Jul-2000 |
todd |
clean code is good code
|
#
1.11 |
|
19-Jun-2000 |
markus |
make userauth+pubkey interop with ssh.com-2.2.0
|
#
1.10 |
|
18-Jun-2000 |
markus |
split auth-rsa option parsing into auth-options add options support to authorized_keys2
|
#
1.9 |
|
18-Jun-2000 |
markus |
implement bug compatibility with ssh-2.0.13 pubkey, server side
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.8 |
|
08-May-2000 |
markus |
branches: 1.8.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.7 |
|
06-May-2000 |
markus |
add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
|
#
1.6 |
|
05-May-2000 |
markus |
log failure before sending the reply
|
#
1.5 |
|
01-May-2000 |
djm |
Add missing #ifdefs; ok - markus
|
#
1.4 |
|
01-May-2000 |
markus |
disable kerb,s/key in ssh2
|
#
1.3 |
|
27-Apr-2000 |
markus |
cleanup logging for sshd/2, respect PasswordAuth no
|
#
1.2 |
|
27-Apr-2000 |
markus |
xfree DSA blobs
|
#
1.1 |
|
26-Apr-2000 |
markus |
split auth/sshconnect in one file per protocol version
|
#
1.164 |
|
23-Feb-2022 |
djm |
avoid integer overflow of auth attempts (harmless, caught by monitor)
|
#
1.163 |
|
26-Dec-2021 |
djm |
split method list search functionality from authmethod_lookup() into a separate authmethod_byname(), for cases where we don't need to check whether a method is enabled, etc.
use this to fix the "none" authentication method regression reported by Nam Nguyen via bugs@
ok deraadt@
|
#
1.162 |
|
19-Dec-2021 |
djm |
prepare for multiple names for authmethods
allow authentication methods to have one additional name beyond their primary name.
allow lookup by this synonym
Use primary name for authentication decisions, e.g. for PermitRootLogin=publickey
Pass actual invoked name to the authmethods, so they can tell whether they were requested via the their primary name or synonym.
ok markus@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.161 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.160 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.159 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.158 |
|
06-Mar-2020 |
markus |
exit on parse failures in input_service_request; ok djm
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.157 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.156 |
|
28-Jun-2019 |
deraadt |
asprintf returns -1, not an arbitrary value < 0. Also upon error the (very sloppy specification) leaves an undefined value in *ret, so it is wrong to inspect it, the error condition is enough. discussed a little with nicm, and then much more with millert until we were exasperated
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.155 |
|
25-Mar-2019 |
djm |
Fix authentication failures when "AuthenticationMethods any" in a Match block overrides a more restrictive global default.
Spotted by jmc@, ok markus@
|
#
1.154 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.153 |
|
19-Jan-2019 |
djm |
convert auth2.c to new packet API
|
#
1.152 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.151 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.150 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.149 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.148 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.147 |
|
11-May-2018 |
dtucker |
Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms where int64 is long not long long. ok djm@
|
#
1.146 |
|
13-Apr-2018 |
dtucker |
Defend against user enumeration timing attacks. This establishes a minimum time for each failed authentication attempt (5ms) and adds a per-user constant derived from a host secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok markus@ djm@.
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.145 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.144 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.143 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.142 |
|
31-May-2017 |
markus |
remove now obsolete ctx from ssh_dispatch_run; ok djm@
|
#
1.141 |
|
31-May-2017 |
markus |
use the ssh_dispatch_run_fatal variant
|
#
1.140 |
|
30-May-2017 |
markus |
switch auth2 to ssh_dispatch API; ok djm@
|
#
1.139 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.138 |
|
30-May-2017 |
markus |
sshd: pass struct ssh to auth functions; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.137 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.136 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.135 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.134 |
|
22-Dec-2014 |
djm |
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
|
#
1.133 |
|
18-Dec-2014 |
djm |
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.132 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.131 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.130 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.129 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.128 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.127 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and freedback djm@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.126 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.125 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.124 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.123 |
|
10-Mar-2011 |
djm |
allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.122 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.121 |
|
22-Jun-2009 |
dtucker |
alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.120 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.119 |
|
04-Jul-2008 |
djm |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2.
ok dtucker@
|
#
1.118 |
|
02-Jul-2008 |
djm |
really really remove the freebie "none" auth try for protocol 2
|
#
1.117 |
|
02-Jul-2008 |
djm |
Make protocol 2 MaxAuthTries behaviour a little more sensible:
Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).
Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.
Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).
Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.116 |
|
29-Sep-2007 |
dtucker |
Remove unused prototype. ok djm@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.115 |
|
14-Apr-2007 |
stevesk |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.114 |
|
01-Mar-2007 |
dtucker |
Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.113 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.112 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.111 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.110 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.109 |
|
20-Mar-2006 |
deraadt |
sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
|
#
1.108 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.107 |
|
28-Jul-2004 |
markus |
branches: 1.107.6; 1.107.8; more s/illegal/invalid/
|
#
1.106 |
|
21-Jul-2004 |
djm |
bz#899: Don't display invalid usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; ok markus@
|
#
1.105 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.104 |
|
04-Nov-2003 |
djm |
branches: 1.104.2; standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
|
#
1.103 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.102 |
|
26-Aug-2003 |
markus |
branches: 1.102.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.101 |
|
22-Aug-2003 |
markus |
nuke "kerberos-2@ssh.com"
|
#
1.100 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.99 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.98 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.97 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.96 |
|
06-Feb-2003 |
markus |
branches: 1.96.2; undo broken fix for #387, fixes #486
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.95 |
|
22-Aug-2002 |
markus |
branches: 1.95.2; auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
|
#
1.94 |
|
30-Jun-2002 |
deraadt |
lint asks that we use names that do not overlap
|
#
1.93 |
|
31-May-2002 |
markus |
move Authmethod definitons to per-method file.
|
#
1.92 |
|
25-May-2002 |
markus |
split auth2.c into one file per method; ok provos@/deraadt@
|
#
1.91 |
|
13-May-2002 |
itojun |
less warnings. skey_{respond,query} are public (in auth.h)
|
#
1.90 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.89 |
|
19-Mar-2002 |
markus |
branches: 1.89.2; make getpwnamallow() allways call pwcopy()
|
#
1.88 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.87 |
|
18-Mar-2002 |
provos |
have the authentication functions return the authentication context and then do_authenticated; okay millert@
|
#
1.86 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.85 |
|
24-Feb-2002 |
markus |
signed vs. unsigned: make size arguments u_int, ok stevesk@
|
#
1.84 |
|
04-Feb-2002 |
markus |
cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
|
#
1.83 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.82 |
|
13-Jan-2002 |
markus |
use buffer API and avoid static strings of fixed size; ok provos@/mouring@
|
#
1.81 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.80 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.77 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.76 |
|
18-Dec-2001 |
jakob |
log fingerprint on successful public key authentication; ok markus@
|
#
1.75 |
|
09-Dec-2001 |
markus |
add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions, fixes memleak.
|
#
1.74 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.73 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.72 |
|
07-Nov-2001 |
markus |
unused includes
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.71 |
|
27-Sep-2001 |
markus |
branches: 1.71.2; typos; from solar
|
#
1.70 |
|
20-Sep-2001 |
markus |
key_read returns now -1 or 1
|
#
1.69 |
|
23-Jul-2001 |
stevesk |
use %lu; ok markus@
|
#
1.68 |
|
26-Jun-2001 |
markus |
new interface for secure_filename()
|
#
1.67 |
|
25-Jun-2001 |
stevesk |
prototype cleanup; ok markus@
|
#
1.66 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.65 |
|
23-Jun-2001 |
markus |
restore correct ignore_user_known_hosts logic.
|
#
1.64 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.63 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.62 |
|
07-Jun-2001 |
markus |
style is used for bsdauth. disconnect on user/service change (ietf-drafts)
|
#
1.61 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.60 |
|
30-May-2001 |
markus |
merge
|
#
1.59 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.58 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
#
1.57 |
|
18-May-2001 |
markus |
improved kbd-interactive support. work by per@appgate.com and me
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.56 |
|
19-Apr-2001 |
markus |
branches: 1.56.2; use local variable, no function call needed. (btw, hostbased works now with ssh.com >= 2.0.13)
|
#
1.55 |
|
18-Apr-2001 |
markus |
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now (however the 2.1.0 server seems to work only if debug is enabled...)
|
#
1.54 |
|
18-Apr-2001 |
markus |
no longer const
|
#
1.53 |
|
18-Apr-2001 |
markus |
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
#
1.52 |
|
12-Apr-2001 |
markus |
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.51 |
|
06-Apr-2001 |
markus |
do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
|
#
1.50 |
|
04-Apr-2001 |
markus |
we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
|
#
1.49 |
|
28-Mar-2001 |
markus |
check auth_root_allowed for kbd-int auth, too.
|
#
1.48 |
|
21-Mar-2001 |
markus |
merge common ssh v1/2 code
|
#
1.47 |
|
20-Mar-2001 |
markus |
add changes need for BSD_AUTH plus disabled BSD_AUTH code
|
#
1.46 |
|
11-Mar-2001 |
markus |
debug
|
#
1.45 |
|
04-Mar-2001 |
djm |
Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid header conflicts in portable; ok markus@
|
#
1.44 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.43 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.42 |
|
13-Feb-2001 |
markus |
setproctitle(user) only if getpwnam succeeds
|
#
1.41 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.40 |
|
10-Feb-2001 |
markus |
offer passwd before s/key
|
#
1.39 |
|
08-Feb-2001 |
markus |
strict checking
|
#
1.38 |
|
08-Feb-2001 |
markus |
fix typo
|
#
1.37 |
|
07-Feb-2001 |
markus |
move k_setpag() to a central place; ok dugsong@
|
#
1.36 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.35 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.34 |
|
22-Jan-2001 |
markus |
rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
#
1.33 |
|
22-Jan-2001 |
markus |
no need to include; from mouring@etoh.eviladmin.org
|
#
1.32 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.31 |
|
20-Jan-2001 |
markus |
typo
|
#
1.30 |
|
20-Jan-2001 |
markus |
pass the filename to auth_parse_options()
|
#
1.29 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.28 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
|
#
1.27 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
#
1.26 |
|
13-Jan-2001 |
markus |
enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu
|
#
1.25 |
|
08-Jan-2001 |
markus |
implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled).
|
#
1.24 |
|
28-Dec-2000 |
markus |
count authentication failures only
|
#
1.23 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.22 |
|
03-Dec-2000 |
markus |
support f-secure/ssh.com 2.0.12; ok niels@
|
#
1.21 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.20 |
|
14-Oct-2000 |
markus |
branches: 1.20.2; OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons
|
#
1.19 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.18 |
|
11-Oct-2000 |
markus |
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me
|
#
1.17 |
|
11-Oct-2000 |
markus |
clear auth options unless auth sucessfull
|
#
1.16 |
|
27-Sep-2000 |
markus |
use key_type()
|
#
1.15 |
|
21-Sep-2000 |
markus |
add context to dispatch_run
|
#
1.14 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.13 |
|
20-Aug-2000 |
millert |
Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class.
|
#
1.12 |
|
07-Jul-2000 |
todd |
clean code is good code
|
#
1.11 |
|
19-Jun-2000 |
markus |
make userauth+pubkey interop with ssh.com-2.2.0
|
#
1.10 |
|
18-Jun-2000 |
markus |
split auth-rsa option parsing into auth-options add options support to authorized_keys2
|
#
1.9 |
|
18-Jun-2000 |
markus |
implement bug compatibility with ssh-2.0.13 pubkey, server side
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.8 |
|
08-May-2000 |
markus |
branches: 1.8.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.7 |
|
06-May-2000 |
markus |
add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
|
#
1.6 |
|
05-May-2000 |
markus |
log failure before sending the reply
|
#
1.5 |
|
01-May-2000 |
djm |
Add missing #ifdefs; ok - markus
|
#
1.4 |
|
01-May-2000 |
markus |
disable kerb,s/key in ssh2
|
#
1.3 |
|
27-Apr-2000 |
markus |
cleanup logging for sshd/2, respect PasswordAuth no
|
#
1.2 |
|
27-Apr-2000 |
markus |
xfree DSA blobs
|
#
1.1 |
|
26-Apr-2000 |
markus |
split auth/sshconnect in one file per protocol version
|
#
1.163 |
|
26-Dec-2021 |
djm |
split method list search functionality from authmethod_lookup() into a separate authmethod_byname(), for cases where we don't need to check whether a method is enabled, etc.
use this to fix the "none" authentication method regression reported by Nam Nguyen via bugs@
ok deraadt@
|
#
1.162 |
|
19-Dec-2021 |
djm |
prepare for multiple names for authmethods
allow authentication methods to have one additional name beyond their primary name.
allow lookup by this synonym
Use primary name for authentication decisions, e.g. for PermitRootLogin=publickey
Pass actual invoked name to the authmethods, so they can tell whether they were requested via the their primary name or synonym.
ok markus@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.161 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.160 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.159 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.158 |
|
06-Mar-2020 |
markus |
exit on parse failures in input_service_request; ok djm
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.157 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.156 |
|
28-Jun-2019 |
deraadt |
asprintf returns -1, not an arbitrary value < 0. Also upon error the (very sloppy specification) leaves an undefined value in *ret, so it is wrong to inspect it, the error condition is enough. discussed a little with nicm, and then much more with millert until we were exasperated
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.155 |
|
25-Mar-2019 |
djm |
Fix authentication failures when "AuthenticationMethods any" in a Match block overrides a more restrictive global default.
Spotted by jmc@, ok markus@
|
#
1.154 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.153 |
|
19-Jan-2019 |
djm |
convert auth2.c to new packet API
|
#
1.152 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.151 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.150 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.149 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.148 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.147 |
|
11-May-2018 |
dtucker |
Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms where int64 is long not long long. ok djm@
|
#
1.146 |
|
13-Apr-2018 |
dtucker |
Defend against user enumeration timing attacks. This establishes a minimum time for each failed authentication attempt (5ms) and adds a per-user constant derived from a host secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok markus@ djm@.
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.145 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.144 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.143 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.142 |
|
31-May-2017 |
markus |
remove now obsolete ctx from ssh_dispatch_run; ok djm@
|
#
1.141 |
|
31-May-2017 |
markus |
use the ssh_dispatch_run_fatal variant
|
#
1.140 |
|
30-May-2017 |
markus |
switch auth2 to ssh_dispatch API; ok djm@
|
#
1.139 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.138 |
|
30-May-2017 |
markus |
sshd: pass struct ssh to auth functions; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.137 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.136 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.135 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.134 |
|
22-Dec-2014 |
djm |
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
|
#
1.133 |
|
18-Dec-2014 |
djm |
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.132 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.131 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.130 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.129 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.128 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.127 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and freedback djm@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.126 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.125 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.124 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.123 |
|
10-Mar-2011 |
djm |
allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.122 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.121 |
|
22-Jun-2009 |
dtucker |
alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.120 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.119 |
|
04-Jul-2008 |
djm |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2.
ok dtucker@
|
#
1.118 |
|
02-Jul-2008 |
djm |
really really remove the freebie "none" auth try for protocol 2
|
#
1.117 |
|
02-Jul-2008 |
djm |
Make protocol 2 MaxAuthTries behaviour a little more sensible:
Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).
Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.
Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).
Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.116 |
|
29-Sep-2007 |
dtucker |
Remove unused prototype. ok djm@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.115 |
|
14-Apr-2007 |
stevesk |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.114 |
|
01-Mar-2007 |
dtucker |
Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.113 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.112 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.111 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.110 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.109 |
|
20-Mar-2006 |
deraadt |
sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
|
#
1.108 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.107 |
|
28-Jul-2004 |
markus |
branches: 1.107.6; 1.107.8; more s/illegal/invalid/
|
#
1.106 |
|
21-Jul-2004 |
djm |
bz#899: Don't display invalid usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; ok markus@
|
#
1.105 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.104 |
|
04-Nov-2003 |
djm |
branches: 1.104.2; standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
|
#
1.103 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.102 |
|
26-Aug-2003 |
markus |
branches: 1.102.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.101 |
|
22-Aug-2003 |
markus |
nuke "kerberos-2@ssh.com"
|
#
1.100 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.99 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.98 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.97 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.96 |
|
06-Feb-2003 |
markus |
branches: 1.96.2; undo broken fix for #387, fixes #486
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.95 |
|
22-Aug-2002 |
markus |
branches: 1.95.2; auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
|
#
1.94 |
|
30-Jun-2002 |
deraadt |
lint asks that we use names that do not overlap
|
#
1.93 |
|
31-May-2002 |
markus |
move Authmethod definitons to per-method file.
|
#
1.92 |
|
25-May-2002 |
markus |
split auth2.c into one file per method; ok provos@/deraadt@
|
#
1.91 |
|
13-May-2002 |
itojun |
less warnings. skey_{respond,query} are public (in auth.h)
|
#
1.90 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.89 |
|
19-Mar-2002 |
markus |
branches: 1.89.2; make getpwnamallow() allways call pwcopy()
|
#
1.88 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.87 |
|
18-Mar-2002 |
provos |
have the authentication functions return the authentication context and then do_authenticated; okay millert@
|
#
1.86 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.85 |
|
24-Feb-2002 |
markus |
signed vs. unsigned: make size arguments u_int, ok stevesk@
|
#
1.84 |
|
04-Feb-2002 |
markus |
cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
|
#
1.83 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.82 |
|
13-Jan-2002 |
markus |
use buffer API and avoid static strings of fixed size; ok provos@/mouring@
|
#
1.81 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.80 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.77 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.76 |
|
18-Dec-2001 |
jakob |
log fingerprint on successful public key authentication; ok markus@
|
#
1.75 |
|
09-Dec-2001 |
markus |
add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions, fixes memleak.
|
#
1.74 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.73 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.72 |
|
07-Nov-2001 |
markus |
unused includes
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.71 |
|
27-Sep-2001 |
markus |
branches: 1.71.2; typos; from solar
|
#
1.70 |
|
20-Sep-2001 |
markus |
key_read returns now -1 or 1
|
#
1.69 |
|
23-Jul-2001 |
stevesk |
use %lu; ok markus@
|
#
1.68 |
|
26-Jun-2001 |
markus |
new interface for secure_filename()
|
#
1.67 |
|
25-Jun-2001 |
stevesk |
prototype cleanup; ok markus@
|
#
1.66 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.65 |
|
23-Jun-2001 |
markus |
restore correct ignore_user_known_hosts logic.
|
#
1.64 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.63 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.62 |
|
07-Jun-2001 |
markus |
style is used for bsdauth. disconnect on user/service change (ietf-drafts)
|
#
1.61 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.60 |
|
30-May-2001 |
markus |
merge
|
#
1.59 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.58 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
#
1.57 |
|
18-May-2001 |
markus |
improved kbd-interactive support. work by per@appgate.com and me
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.56 |
|
19-Apr-2001 |
markus |
branches: 1.56.2; use local variable, no function call needed. (btw, hostbased works now with ssh.com >= 2.0.13)
|
#
1.55 |
|
18-Apr-2001 |
markus |
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now (however the 2.1.0 server seems to work only if debug is enabled...)
|
#
1.54 |
|
18-Apr-2001 |
markus |
no longer const
|
#
1.53 |
|
18-Apr-2001 |
markus |
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
#
1.52 |
|
12-Apr-2001 |
markus |
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.51 |
|
06-Apr-2001 |
markus |
do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
|
#
1.50 |
|
04-Apr-2001 |
markus |
we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
|
#
1.49 |
|
28-Mar-2001 |
markus |
check auth_root_allowed for kbd-int auth, too.
|
#
1.48 |
|
21-Mar-2001 |
markus |
merge common ssh v1/2 code
|
#
1.47 |
|
20-Mar-2001 |
markus |
add changes need for BSD_AUTH plus disabled BSD_AUTH code
|
#
1.46 |
|
11-Mar-2001 |
markus |
debug
|
#
1.45 |
|
04-Mar-2001 |
djm |
Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid header conflicts in portable; ok markus@
|
#
1.44 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.43 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.42 |
|
13-Feb-2001 |
markus |
setproctitle(user) only if getpwnam succeeds
|
#
1.41 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.40 |
|
10-Feb-2001 |
markus |
offer passwd before s/key
|
#
1.39 |
|
08-Feb-2001 |
markus |
strict checking
|
#
1.38 |
|
08-Feb-2001 |
markus |
fix typo
|
#
1.37 |
|
07-Feb-2001 |
markus |
move k_setpag() to a central place; ok dugsong@
|
#
1.36 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.35 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.34 |
|
22-Jan-2001 |
markus |
rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
#
1.33 |
|
22-Jan-2001 |
markus |
no need to include; from mouring@etoh.eviladmin.org
|
#
1.32 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.31 |
|
20-Jan-2001 |
markus |
typo
|
#
1.30 |
|
20-Jan-2001 |
markus |
pass the filename to auth_parse_options()
|
#
1.29 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.28 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
|
#
1.27 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
#
1.26 |
|
13-Jan-2001 |
markus |
enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu
|
#
1.25 |
|
08-Jan-2001 |
markus |
implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled).
|
#
1.24 |
|
28-Dec-2000 |
markus |
count authentication failures only
|
#
1.23 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.22 |
|
03-Dec-2000 |
markus |
support f-secure/ssh.com 2.0.12; ok niels@
|
#
1.21 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.20 |
|
14-Oct-2000 |
markus |
branches: 1.20.2; OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons
|
#
1.19 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.18 |
|
11-Oct-2000 |
markus |
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me
|
#
1.17 |
|
11-Oct-2000 |
markus |
clear auth options unless auth sucessfull
|
#
1.16 |
|
27-Sep-2000 |
markus |
use key_type()
|
#
1.15 |
|
21-Sep-2000 |
markus |
add context to dispatch_run
|
#
1.14 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.13 |
|
20-Aug-2000 |
millert |
Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class.
|
#
1.12 |
|
07-Jul-2000 |
todd |
clean code is good code
|
#
1.11 |
|
19-Jun-2000 |
markus |
make userauth+pubkey interop with ssh.com-2.2.0
|
#
1.10 |
|
18-Jun-2000 |
markus |
split auth-rsa option parsing into auth-options add options support to authorized_keys2
|
#
1.9 |
|
18-Jun-2000 |
markus |
implement bug compatibility with ssh-2.0.13 pubkey, server side
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.8 |
|
08-May-2000 |
markus |
branches: 1.8.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.7 |
|
06-May-2000 |
markus |
add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
|
#
1.6 |
|
05-May-2000 |
markus |
log failure before sending the reply
|
#
1.5 |
|
01-May-2000 |
djm |
Add missing #ifdefs; ok - markus
|
#
1.4 |
|
01-May-2000 |
markus |
disable kerb,s/key in ssh2
|
#
1.3 |
|
27-Apr-2000 |
markus |
cleanup logging for sshd/2, respect PasswordAuth no
|
#
1.2 |
|
27-Apr-2000 |
markus |
xfree DSA blobs
|
#
1.1 |
|
26-Apr-2000 |
markus |
split auth/sshconnect in one file per protocol version
|
#
1.162 |
|
19-Dec-2021 |
djm |
prepare for multiple names for authmethods
allow authentication methods to have one additional name beyond their primary name.
allow lookup by this synonym
Use primary name for authentication decisions, e.g. for PermitRootLogin=publickey
Pass actual invoked name to the authmethods, so they can tell whether they were requested via the their primary name or synonym.
ok markus@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.161 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.160 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.159 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.158 |
|
06-Mar-2020 |
markus |
exit on parse failures in input_service_request; ok djm
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.157 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.156 |
|
28-Jun-2019 |
deraadt |
asprintf returns -1, not an arbitrary value < 0. Also upon error the (very sloppy specification) leaves an undefined value in *ret, so it is wrong to inspect it, the error condition is enough. discussed a little with nicm, and then much more with millert until we were exasperated
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.155 |
|
25-Mar-2019 |
djm |
Fix authentication failures when "AuthenticationMethods any" in a Match block overrides a more restrictive global default.
Spotted by jmc@, ok markus@
|
#
1.154 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.153 |
|
19-Jan-2019 |
djm |
convert auth2.c to new packet API
|
#
1.152 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.151 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.150 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.149 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.148 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.147 |
|
11-May-2018 |
dtucker |
Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms where int64 is long not long long. ok djm@
|
#
1.146 |
|
13-Apr-2018 |
dtucker |
Defend against user enumeration timing attacks. This establishes a minimum time for each failed authentication attempt (5ms) and adds a per-user constant derived from a host secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok markus@ djm@.
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.145 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.144 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.143 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.142 |
|
31-May-2017 |
markus |
remove now obsolete ctx from ssh_dispatch_run; ok djm@
|
#
1.141 |
|
31-May-2017 |
markus |
use the ssh_dispatch_run_fatal variant
|
#
1.140 |
|
30-May-2017 |
markus |
switch auth2 to ssh_dispatch API; ok djm@
|
#
1.139 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.138 |
|
30-May-2017 |
markus |
sshd: pass struct ssh to auth functions; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.137 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.136 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.135 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.134 |
|
22-Dec-2014 |
djm |
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
|
#
1.133 |
|
18-Dec-2014 |
djm |
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.132 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.131 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.130 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.129 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.128 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.127 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and freedback djm@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.126 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.125 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.124 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.123 |
|
10-Mar-2011 |
djm |
allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.122 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.121 |
|
22-Jun-2009 |
dtucker |
alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.120 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.119 |
|
04-Jul-2008 |
djm |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2.
ok dtucker@
|
#
1.118 |
|
02-Jul-2008 |
djm |
really really remove the freebie "none" auth try for protocol 2
|
#
1.117 |
|
02-Jul-2008 |
djm |
Make protocol 2 MaxAuthTries behaviour a little more sensible:
Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).
Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.
Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).
Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.116 |
|
29-Sep-2007 |
dtucker |
Remove unused prototype. ok djm@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.115 |
|
14-Apr-2007 |
stevesk |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.114 |
|
01-Mar-2007 |
dtucker |
Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.113 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.112 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.111 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.110 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.109 |
|
20-Mar-2006 |
deraadt |
sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
|
#
1.108 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.107 |
|
28-Jul-2004 |
markus |
branches: 1.107.6; 1.107.8; more s/illegal/invalid/
|
#
1.106 |
|
21-Jul-2004 |
djm |
bz#899: Don't display invalid usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; ok markus@
|
#
1.105 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.104 |
|
04-Nov-2003 |
djm |
branches: 1.104.2; standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
|
#
1.103 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.102 |
|
26-Aug-2003 |
markus |
branches: 1.102.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.101 |
|
22-Aug-2003 |
markus |
nuke "kerberos-2@ssh.com"
|
#
1.100 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.99 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.98 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.97 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.96 |
|
06-Feb-2003 |
markus |
branches: 1.96.2; undo broken fix for #387, fixes #486
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.95 |
|
22-Aug-2002 |
markus |
branches: 1.95.2; auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
|
#
1.94 |
|
30-Jun-2002 |
deraadt |
lint asks that we use names that do not overlap
|
#
1.93 |
|
31-May-2002 |
markus |
move Authmethod definitons to per-method file.
|
#
1.92 |
|
25-May-2002 |
markus |
split auth2.c into one file per method; ok provos@/deraadt@
|
#
1.91 |
|
13-May-2002 |
itojun |
less warnings. skey_{respond,query} are public (in auth.h)
|
#
1.90 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.89 |
|
19-Mar-2002 |
markus |
branches: 1.89.2; make getpwnamallow() allways call pwcopy()
|
#
1.88 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.87 |
|
18-Mar-2002 |
provos |
have the authentication functions return the authentication context and then do_authenticated; okay millert@
|
#
1.86 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.85 |
|
24-Feb-2002 |
markus |
signed vs. unsigned: make size arguments u_int, ok stevesk@
|
#
1.84 |
|
04-Feb-2002 |
markus |
cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
|
#
1.83 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.82 |
|
13-Jan-2002 |
markus |
use buffer API and avoid static strings of fixed size; ok provos@/mouring@
|
#
1.81 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.80 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.77 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.76 |
|
18-Dec-2001 |
jakob |
log fingerprint on successful public key authentication; ok markus@
|
#
1.75 |
|
09-Dec-2001 |
markus |
add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions, fixes memleak.
|
#
1.74 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.73 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.72 |
|
07-Nov-2001 |
markus |
unused includes
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.71 |
|
27-Sep-2001 |
markus |
branches: 1.71.2; typos; from solar
|
#
1.70 |
|
20-Sep-2001 |
markus |
key_read returns now -1 or 1
|
#
1.69 |
|
23-Jul-2001 |
stevesk |
use %lu; ok markus@
|
#
1.68 |
|
26-Jun-2001 |
markus |
new interface for secure_filename()
|
#
1.67 |
|
25-Jun-2001 |
stevesk |
prototype cleanup; ok markus@
|
#
1.66 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.65 |
|
23-Jun-2001 |
markus |
restore correct ignore_user_known_hosts logic.
|
#
1.64 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.63 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.62 |
|
07-Jun-2001 |
markus |
style is used for bsdauth. disconnect on user/service change (ietf-drafts)
|
#
1.61 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.60 |
|
30-May-2001 |
markus |
merge
|
#
1.59 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.58 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
#
1.57 |
|
18-May-2001 |
markus |
improved kbd-interactive support. work by per@appgate.com and me
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.56 |
|
19-Apr-2001 |
markus |
branches: 1.56.2; use local variable, no function call needed. (btw, hostbased works now with ssh.com >= 2.0.13)
|
#
1.55 |
|
18-Apr-2001 |
markus |
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now (however the 2.1.0 server seems to work only if debug is enabled...)
|
#
1.54 |
|
18-Apr-2001 |
markus |
no longer const
|
#
1.53 |
|
18-Apr-2001 |
markus |
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
#
1.52 |
|
12-Apr-2001 |
markus |
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.51 |
|
06-Apr-2001 |
markus |
do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
|
#
1.50 |
|
04-Apr-2001 |
markus |
we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
|
#
1.49 |
|
28-Mar-2001 |
markus |
check auth_root_allowed for kbd-int auth, too.
|
#
1.48 |
|
21-Mar-2001 |
markus |
merge common ssh v1/2 code
|
#
1.47 |
|
20-Mar-2001 |
markus |
add changes need for BSD_AUTH plus disabled BSD_AUTH code
|
#
1.46 |
|
11-Mar-2001 |
markus |
debug
|
#
1.45 |
|
04-Mar-2001 |
djm |
Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid header conflicts in portable; ok markus@
|
#
1.44 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.43 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.42 |
|
13-Feb-2001 |
markus |
setproctitle(user) only if getpwnam succeeds
|
#
1.41 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.40 |
|
10-Feb-2001 |
markus |
offer passwd before s/key
|
#
1.39 |
|
08-Feb-2001 |
markus |
strict checking
|
#
1.38 |
|
08-Feb-2001 |
markus |
fix typo
|
#
1.37 |
|
07-Feb-2001 |
markus |
move k_setpag() to a central place; ok dugsong@
|
#
1.36 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.35 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.34 |
|
22-Jan-2001 |
markus |
rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
#
1.33 |
|
22-Jan-2001 |
markus |
no need to include; from mouring@etoh.eviladmin.org
|
#
1.32 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.31 |
|
20-Jan-2001 |
markus |
typo
|
#
1.30 |
|
20-Jan-2001 |
markus |
pass the filename to auth_parse_options()
|
#
1.29 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.28 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
|
#
1.27 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
#
1.26 |
|
13-Jan-2001 |
markus |
enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu
|
#
1.25 |
|
08-Jan-2001 |
markus |
implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled).
|
#
1.24 |
|
28-Dec-2000 |
markus |
count authentication failures only
|
#
1.23 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.22 |
|
03-Dec-2000 |
markus |
support f-secure/ssh.com 2.0.12; ok niels@
|
#
1.21 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.20 |
|
14-Oct-2000 |
markus |
branches: 1.20.2; OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons
|
#
1.19 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.18 |
|
11-Oct-2000 |
markus |
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me
|
#
1.17 |
|
11-Oct-2000 |
markus |
clear auth options unless auth sucessfull
|
#
1.16 |
|
27-Sep-2000 |
markus |
use key_type()
|
#
1.15 |
|
21-Sep-2000 |
markus |
add context to dispatch_run
|
#
1.14 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.13 |
|
20-Aug-2000 |
millert |
Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class.
|
#
1.12 |
|
07-Jul-2000 |
todd |
clean code is good code
|
#
1.11 |
|
19-Jun-2000 |
markus |
make userauth+pubkey interop with ssh.com-2.2.0
|
#
1.10 |
|
18-Jun-2000 |
markus |
split auth-rsa option parsing into auth-options add options support to authorized_keys2
|
#
1.9 |
|
18-Jun-2000 |
markus |
implement bug compatibility with ssh-2.0.13 pubkey, server side
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.8 |
|
08-May-2000 |
markus |
branches: 1.8.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.7 |
|
06-May-2000 |
markus |
add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
|
#
1.6 |
|
05-May-2000 |
markus |
log failure before sending the reply
|
#
1.5 |
|
01-May-2000 |
djm |
Add missing #ifdefs; ok - markus
|
#
1.4 |
|
01-May-2000 |
markus |
disable kerb,s/key in ssh2
|
#
1.3 |
|
27-Apr-2000 |
markus |
cleanup logging for sshd/2, respect PasswordAuth no
|
#
1.2 |
|
27-Apr-2000 |
markus |
xfree DSA blobs
|
#
1.1 |
|
26-Apr-2000 |
markus |
split auth/sshconnect in one file per protocol version
|
#
1.161 |
|
03-Apr-2021 |
djm |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
1.160 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.159 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.158 |
|
06-Mar-2020 |
markus |
exit on parse failures in input_service_request; ok djm
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.157 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.156 |
|
28-Jun-2019 |
deraadt |
asprintf returns -1, not an arbitrary value < 0. Also upon error the (very sloppy specification) leaves an undefined value in *ret, so it is wrong to inspect it, the error condition is enough. discussed a little with nicm, and then much more with millert until we were exasperated
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.155 |
|
25-Mar-2019 |
djm |
Fix authentication failures when "AuthenticationMethods any" in a Match block overrides a more restrictive global default.
Spotted by jmc@, ok markus@
|
#
1.154 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.153 |
|
19-Jan-2019 |
djm |
convert auth2.c to new packet API
|
#
1.152 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.151 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.150 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.149 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.148 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.147 |
|
11-May-2018 |
dtucker |
Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms where int64 is long not long long. ok djm@
|
#
1.146 |
|
13-Apr-2018 |
dtucker |
Defend against user enumeration timing attacks. This establishes a minimum time for each failed authentication attempt (5ms) and adds a per-user constant derived from a host secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok markus@ djm@.
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.145 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.144 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.143 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.142 |
|
31-May-2017 |
markus |
remove now obsolete ctx from ssh_dispatch_run; ok djm@
|
#
1.141 |
|
31-May-2017 |
markus |
use the ssh_dispatch_run_fatal variant
|
#
1.140 |
|
30-May-2017 |
markus |
switch auth2 to ssh_dispatch API; ok djm@
|
#
1.139 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.138 |
|
30-May-2017 |
markus |
sshd: pass struct ssh to auth functions; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.137 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.136 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.135 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.134 |
|
22-Dec-2014 |
djm |
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
|
#
1.133 |
|
18-Dec-2014 |
djm |
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.132 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.131 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.130 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.129 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.128 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.127 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and freedback djm@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.126 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.125 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.124 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.123 |
|
10-Mar-2011 |
djm |
allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.122 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.121 |
|
22-Jun-2009 |
dtucker |
alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.120 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.119 |
|
04-Jul-2008 |
djm |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2.
ok dtucker@
|
#
1.118 |
|
02-Jul-2008 |
djm |
really really remove the freebie "none" auth try for protocol 2
|
#
1.117 |
|
02-Jul-2008 |
djm |
Make protocol 2 MaxAuthTries behaviour a little more sensible:
Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).
Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.
Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).
Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.116 |
|
29-Sep-2007 |
dtucker |
Remove unused prototype. ok djm@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.115 |
|
14-Apr-2007 |
stevesk |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.114 |
|
01-Mar-2007 |
dtucker |
Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.113 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.112 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.111 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.110 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.109 |
|
20-Mar-2006 |
deraadt |
sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
|
#
1.108 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.107 |
|
28-Jul-2004 |
markus |
branches: 1.107.6; 1.107.8; more s/illegal/invalid/
|
#
1.106 |
|
21-Jul-2004 |
djm |
bz#899: Don't display invalid usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; ok markus@
|
#
1.105 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.104 |
|
04-Nov-2003 |
djm |
branches: 1.104.2; standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
|
#
1.103 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.102 |
|
26-Aug-2003 |
markus |
branches: 1.102.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.101 |
|
22-Aug-2003 |
markus |
nuke "kerberos-2@ssh.com"
|
#
1.100 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.99 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.98 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.97 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.96 |
|
06-Feb-2003 |
markus |
branches: 1.96.2; undo broken fix for #387, fixes #486
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.95 |
|
22-Aug-2002 |
markus |
branches: 1.95.2; auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
|
#
1.94 |
|
30-Jun-2002 |
deraadt |
lint asks that we use names that do not overlap
|
#
1.93 |
|
31-May-2002 |
markus |
move Authmethod definitons to per-method file.
|
#
1.92 |
|
25-May-2002 |
markus |
split auth2.c into one file per method; ok provos@/deraadt@
|
#
1.91 |
|
13-May-2002 |
itojun |
less warnings. skey_{respond,query} are public (in auth.h)
|
#
1.90 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.89 |
|
19-Mar-2002 |
markus |
branches: 1.89.2; make getpwnamallow() allways call pwcopy()
|
#
1.88 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.87 |
|
18-Mar-2002 |
provos |
have the authentication functions return the authentication context and then do_authenticated; okay millert@
|
#
1.86 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.85 |
|
24-Feb-2002 |
markus |
signed vs. unsigned: make size arguments u_int, ok stevesk@
|
#
1.84 |
|
04-Feb-2002 |
markus |
cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
|
#
1.83 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.82 |
|
13-Jan-2002 |
markus |
use buffer API and avoid static strings of fixed size; ok provos@/mouring@
|
#
1.81 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.80 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.77 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.76 |
|
18-Dec-2001 |
jakob |
log fingerprint on successful public key authentication; ok markus@
|
#
1.75 |
|
09-Dec-2001 |
markus |
add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions, fixes memleak.
|
#
1.74 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.73 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.72 |
|
07-Nov-2001 |
markus |
unused includes
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.71 |
|
27-Sep-2001 |
markus |
branches: 1.71.2; typos; from solar
|
#
1.70 |
|
20-Sep-2001 |
markus |
key_read returns now -1 or 1
|
#
1.69 |
|
23-Jul-2001 |
stevesk |
use %lu; ok markus@
|
#
1.68 |
|
26-Jun-2001 |
markus |
new interface for secure_filename()
|
#
1.67 |
|
25-Jun-2001 |
stevesk |
prototype cleanup; ok markus@
|
#
1.66 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.65 |
|
23-Jun-2001 |
markus |
restore correct ignore_user_known_hosts logic.
|
#
1.64 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.63 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.62 |
|
07-Jun-2001 |
markus |
style is used for bsdauth. disconnect on user/service change (ietf-drafts)
|
#
1.61 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.60 |
|
30-May-2001 |
markus |
merge
|
#
1.59 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.58 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
#
1.57 |
|
18-May-2001 |
markus |
improved kbd-interactive support. work by per@appgate.com and me
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.56 |
|
19-Apr-2001 |
markus |
branches: 1.56.2; use local variable, no function call needed. (btw, hostbased works now with ssh.com >= 2.0.13)
|
#
1.55 |
|
18-Apr-2001 |
markus |
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now (however the 2.1.0 server seems to work only if debug is enabled...)
|
#
1.54 |
|
18-Apr-2001 |
markus |
no longer const
|
#
1.53 |
|
18-Apr-2001 |
markus |
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
#
1.52 |
|
12-Apr-2001 |
markus |
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.51 |
|
06-Apr-2001 |
markus |
do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
|
#
1.50 |
|
04-Apr-2001 |
markus |
we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
|
#
1.49 |
|
28-Mar-2001 |
markus |
check auth_root_allowed for kbd-int auth, too.
|
#
1.48 |
|
21-Mar-2001 |
markus |
merge common ssh v1/2 code
|
#
1.47 |
|
20-Mar-2001 |
markus |
add changes need for BSD_AUTH plus disabled BSD_AUTH code
|
#
1.46 |
|
11-Mar-2001 |
markus |
debug
|
#
1.45 |
|
04-Mar-2001 |
djm |
Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid header conflicts in portable; ok markus@
|
#
1.44 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.43 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.42 |
|
13-Feb-2001 |
markus |
setproctitle(user) only if getpwnam succeeds
|
#
1.41 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.40 |
|
10-Feb-2001 |
markus |
offer passwd before s/key
|
#
1.39 |
|
08-Feb-2001 |
markus |
strict checking
|
#
1.38 |
|
08-Feb-2001 |
markus |
fix typo
|
#
1.37 |
|
07-Feb-2001 |
markus |
move k_setpag() to a central place; ok dugsong@
|
#
1.36 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.35 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.34 |
|
22-Jan-2001 |
markus |
rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
#
1.33 |
|
22-Jan-2001 |
markus |
no need to include; from mouring@etoh.eviladmin.org
|
#
1.32 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.31 |
|
20-Jan-2001 |
markus |
typo
|
#
1.30 |
|
20-Jan-2001 |
markus |
pass the filename to auth_parse_options()
|
#
1.29 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.28 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
|
#
1.27 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
#
1.26 |
|
13-Jan-2001 |
markus |
enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu
|
#
1.25 |
|
08-Jan-2001 |
markus |
implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled).
|
#
1.24 |
|
28-Dec-2000 |
markus |
count authentication failures only
|
#
1.23 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.22 |
|
03-Dec-2000 |
markus |
support f-secure/ssh.com 2.0.12; ok niels@
|
#
1.21 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.20 |
|
14-Oct-2000 |
markus |
branches: 1.20.2; OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons
|
#
1.19 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.18 |
|
11-Oct-2000 |
markus |
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me
|
#
1.17 |
|
11-Oct-2000 |
markus |
clear auth options unless auth sucessfull
|
#
1.16 |
|
27-Sep-2000 |
markus |
use key_type()
|
#
1.15 |
|
21-Sep-2000 |
markus |
add context to dispatch_run
|
#
1.14 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.13 |
|
20-Aug-2000 |
millert |
Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class.
|
#
1.12 |
|
07-Jul-2000 |
todd |
clean code is good code
|
#
1.11 |
|
19-Jun-2000 |
markus |
make userauth+pubkey interop with ssh.com-2.2.0
|
#
1.10 |
|
18-Jun-2000 |
markus |
split auth-rsa option parsing into auth-options add options support to authorized_keys2
|
#
1.9 |
|
18-Jun-2000 |
markus |
implement bug compatibility with ssh-2.0.13 pubkey, server side
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.8 |
|
08-May-2000 |
markus |
branches: 1.8.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.7 |
|
06-May-2000 |
markus |
add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
|
#
1.6 |
|
05-May-2000 |
markus |
log failure before sending the reply
|
#
1.5 |
|
01-May-2000 |
djm |
Add missing #ifdefs; ok - markus
|
#
1.4 |
|
01-May-2000 |
markus |
disable kerb,s/key in ssh2
|
#
1.3 |
|
27-Apr-2000 |
markus |
cleanup logging for sshd/2, respect PasswordAuth no
|
#
1.2 |
|
27-Apr-2000 |
markus |
xfree DSA blobs
|
#
1.1 |
|
26-Apr-2000 |
markus |
split auth/sshconnect in one file per protocol version
|
#
1.160 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.159 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.158 |
|
06-Mar-2020 |
markus |
exit on parse failures in input_service_request; ok djm
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.157 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.156 |
|
28-Jun-2019 |
deraadt |
asprintf returns -1, not an arbitrary value < 0. Also upon error the (very sloppy specification) leaves an undefined value in *ret, so it is wrong to inspect it, the error condition is enough. discussed a little with nicm, and then much more with millert until we were exasperated
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.155 |
|
25-Mar-2019 |
djm |
Fix authentication failures when "AuthenticationMethods any" in a Match block overrides a more restrictive global default.
Spotted by jmc@, ok markus@
|
#
1.154 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.153 |
|
19-Jan-2019 |
djm |
convert auth2.c to new packet API
|
#
1.152 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.151 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.150 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.149 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.148 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.147 |
|
11-May-2018 |
dtucker |
Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms where int64 is long not long long. ok djm@
|
#
1.146 |
|
13-Apr-2018 |
dtucker |
Defend against user enumeration timing attacks. This establishes a minimum time for each failed authentication attempt (5ms) and adds a per-user constant derived from a host secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok markus@ djm@.
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.145 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.144 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.143 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.142 |
|
31-May-2017 |
markus |
remove now obsolete ctx from ssh_dispatch_run; ok djm@
|
#
1.141 |
|
31-May-2017 |
markus |
use the ssh_dispatch_run_fatal variant
|
#
1.140 |
|
30-May-2017 |
markus |
switch auth2 to ssh_dispatch API; ok djm@
|
#
1.139 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.138 |
|
30-May-2017 |
markus |
sshd: pass struct ssh to auth functions; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.137 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.136 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.135 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.134 |
|
22-Dec-2014 |
djm |
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
|
#
1.133 |
|
18-Dec-2014 |
djm |
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.132 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.131 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.130 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.129 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.128 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.127 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and freedback djm@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.126 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.125 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.124 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.123 |
|
10-Mar-2011 |
djm |
allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.122 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.121 |
|
22-Jun-2009 |
dtucker |
alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.120 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.119 |
|
04-Jul-2008 |
djm |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2.
ok dtucker@
|
#
1.118 |
|
02-Jul-2008 |
djm |
really really remove the freebie "none" auth try for protocol 2
|
#
1.117 |
|
02-Jul-2008 |
djm |
Make protocol 2 MaxAuthTries behaviour a little more sensible:
Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).
Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.
Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).
Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.116 |
|
29-Sep-2007 |
dtucker |
Remove unused prototype. ok djm@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.115 |
|
14-Apr-2007 |
stevesk |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.114 |
|
01-Mar-2007 |
dtucker |
Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.113 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.112 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.111 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.110 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.109 |
|
20-Mar-2006 |
deraadt |
sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
|
#
1.108 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.107 |
|
28-Jul-2004 |
markus |
branches: 1.107.6; 1.107.8; more s/illegal/invalid/
|
#
1.106 |
|
21-Jul-2004 |
djm |
bz#899: Don't display invalid usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; ok markus@
|
#
1.105 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.104 |
|
04-Nov-2003 |
djm |
branches: 1.104.2; standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
|
#
1.103 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.102 |
|
26-Aug-2003 |
markus |
branches: 1.102.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.101 |
|
22-Aug-2003 |
markus |
nuke "kerberos-2@ssh.com"
|
#
1.100 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.99 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.98 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.97 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.96 |
|
06-Feb-2003 |
markus |
branches: 1.96.2; undo broken fix for #387, fixes #486
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.95 |
|
22-Aug-2002 |
markus |
branches: 1.95.2; auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
|
#
1.94 |
|
30-Jun-2002 |
deraadt |
lint asks that we use names that do not overlap
|
#
1.93 |
|
31-May-2002 |
markus |
move Authmethod definitons to per-method file.
|
#
1.92 |
|
25-May-2002 |
markus |
split auth2.c into one file per method; ok provos@/deraadt@
|
#
1.91 |
|
13-May-2002 |
itojun |
less warnings. skey_{respond,query} are public (in auth.h)
|
#
1.90 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.89 |
|
19-Mar-2002 |
markus |
branches: 1.89.2; make getpwnamallow() allways call pwcopy()
|
#
1.88 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.87 |
|
18-Mar-2002 |
provos |
have the authentication functions return the authentication context and then do_authenticated; okay millert@
|
#
1.86 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.85 |
|
24-Feb-2002 |
markus |
signed vs. unsigned: make size arguments u_int, ok stevesk@
|
#
1.84 |
|
04-Feb-2002 |
markus |
cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
|
#
1.83 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.82 |
|
13-Jan-2002 |
markus |
use buffer API and avoid static strings of fixed size; ok provos@/mouring@
|
#
1.81 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.80 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.77 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.76 |
|
18-Dec-2001 |
jakob |
log fingerprint on successful public key authentication; ok markus@
|
#
1.75 |
|
09-Dec-2001 |
markus |
add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions, fixes memleak.
|
#
1.74 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.73 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.72 |
|
07-Nov-2001 |
markus |
unused includes
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.71 |
|
27-Sep-2001 |
markus |
branches: 1.71.2; typos; from solar
|
#
1.70 |
|
20-Sep-2001 |
markus |
key_read returns now -1 or 1
|
#
1.69 |
|
23-Jul-2001 |
stevesk |
use %lu; ok markus@
|
#
1.68 |
|
26-Jun-2001 |
markus |
new interface for secure_filename()
|
#
1.67 |
|
25-Jun-2001 |
stevesk |
prototype cleanup; ok markus@
|
#
1.66 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.65 |
|
23-Jun-2001 |
markus |
restore correct ignore_user_known_hosts logic.
|
#
1.64 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.63 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.62 |
|
07-Jun-2001 |
markus |
style is used for bsdauth. disconnect on user/service change (ietf-drafts)
|
#
1.61 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.60 |
|
30-May-2001 |
markus |
merge
|
#
1.59 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.58 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
#
1.57 |
|
18-May-2001 |
markus |
improved kbd-interactive support. work by per@appgate.com and me
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.56 |
|
19-Apr-2001 |
markus |
branches: 1.56.2; use local variable, no function call needed. (btw, hostbased works now with ssh.com >= 2.0.13)
|
#
1.55 |
|
18-Apr-2001 |
markus |
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now (however the 2.1.0 server seems to work only if debug is enabled...)
|
#
1.54 |
|
18-Apr-2001 |
markus |
no longer const
|
#
1.53 |
|
18-Apr-2001 |
markus |
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
#
1.52 |
|
12-Apr-2001 |
markus |
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.51 |
|
06-Apr-2001 |
markus |
do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
|
#
1.50 |
|
04-Apr-2001 |
markus |
we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
|
#
1.49 |
|
28-Mar-2001 |
markus |
check auth_root_allowed for kbd-int auth, too.
|
#
1.48 |
|
21-Mar-2001 |
markus |
merge common ssh v1/2 code
|
#
1.47 |
|
20-Mar-2001 |
markus |
add changes need for BSD_AUTH plus disabled BSD_AUTH code
|
#
1.46 |
|
11-Mar-2001 |
markus |
debug
|
#
1.45 |
|
04-Mar-2001 |
djm |
Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid header conflicts in portable; ok markus@
|
#
1.44 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.43 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.42 |
|
13-Feb-2001 |
markus |
setproctitle(user) only if getpwnam succeeds
|
#
1.41 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.40 |
|
10-Feb-2001 |
markus |
offer passwd before s/key
|
#
1.39 |
|
08-Feb-2001 |
markus |
strict checking
|
#
1.38 |
|
08-Feb-2001 |
markus |
fix typo
|
#
1.37 |
|
07-Feb-2001 |
markus |
move k_setpag() to a central place; ok dugsong@
|
#
1.36 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.35 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.34 |
|
22-Jan-2001 |
markus |
rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
#
1.33 |
|
22-Jan-2001 |
markus |
no need to include; from mouring@etoh.eviladmin.org
|
#
1.32 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.31 |
|
20-Jan-2001 |
markus |
typo
|
#
1.30 |
|
20-Jan-2001 |
markus |
pass the filename to auth_parse_options()
|
#
1.29 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.28 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
|
#
1.27 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
#
1.26 |
|
13-Jan-2001 |
markus |
enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu
|
#
1.25 |
|
08-Jan-2001 |
markus |
implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled).
|
#
1.24 |
|
28-Dec-2000 |
markus |
count authentication failures only
|
#
1.23 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.22 |
|
03-Dec-2000 |
markus |
support f-secure/ssh.com 2.0.12; ok niels@
|
#
1.21 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.20 |
|
14-Oct-2000 |
markus |
branches: 1.20.2; OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons
|
#
1.19 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.18 |
|
11-Oct-2000 |
markus |
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me
|
#
1.17 |
|
11-Oct-2000 |
markus |
clear auth options unless auth sucessfull
|
#
1.16 |
|
27-Sep-2000 |
markus |
use key_type()
|
#
1.15 |
|
21-Sep-2000 |
markus |
add context to dispatch_run
|
#
1.14 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.13 |
|
20-Aug-2000 |
millert |
Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class.
|
#
1.12 |
|
07-Jul-2000 |
todd |
clean code is good code
|
#
1.11 |
|
19-Jun-2000 |
markus |
make userauth+pubkey interop with ssh.com-2.2.0
|
#
1.10 |
|
18-Jun-2000 |
markus |
split auth-rsa option parsing into auth-options add options support to authorized_keys2
|
#
1.9 |
|
18-Jun-2000 |
markus |
implement bug compatibility with ssh-2.0.13 pubkey, server side
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.8 |
|
08-May-2000 |
markus |
branches: 1.8.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.7 |
|
06-May-2000 |
markus |
add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
|
#
1.6 |
|
05-May-2000 |
markus |
log failure before sending the reply
|
#
1.5 |
|
01-May-2000 |
djm |
Add missing #ifdefs; ok - markus
|
#
1.4 |
|
01-May-2000 |
markus |
disable kerb,s/key in ssh2
|
#
1.3 |
|
27-Apr-2000 |
markus |
cleanup logging for sshd/2, respect PasswordAuth no
|
#
1.2 |
|
27-Apr-2000 |
markus |
xfree DSA blobs
|
#
1.1 |
|
26-Apr-2000 |
markus |
split auth/sshconnect in one file per protocol version
|
#
1.159 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.158 |
|
06-Mar-2020 |
markus |
exit on parse failures in input_service_request; ok djm
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.157 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.156 |
|
28-Jun-2019 |
deraadt |
asprintf returns -1, not an arbitrary value < 0. Also upon error the (very sloppy specification) leaves an undefined value in *ret, so it is wrong to inspect it, the error condition is enough. discussed a little with nicm, and then much more with millert until we were exasperated
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.155 |
|
25-Mar-2019 |
djm |
Fix authentication failures when "AuthenticationMethods any" in a Match block overrides a more restrictive global default.
Spotted by jmc@, ok markus@
|
#
1.154 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.153 |
|
19-Jan-2019 |
djm |
convert auth2.c to new packet API
|
#
1.152 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.151 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.150 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.149 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.148 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.147 |
|
11-May-2018 |
dtucker |
Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms where int64 is long not long long. ok djm@
|
#
1.146 |
|
13-Apr-2018 |
dtucker |
Defend against user enumeration timing attacks. This establishes a minimum time for each failed authentication attempt (5ms) and adds a per-user constant derived from a host secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok markus@ djm@.
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.145 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.144 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.143 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.142 |
|
31-May-2017 |
markus |
remove now obsolete ctx from ssh_dispatch_run; ok djm@
|
#
1.141 |
|
31-May-2017 |
markus |
use the ssh_dispatch_run_fatal variant
|
#
1.140 |
|
30-May-2017 |
markus |
switch auth2 to ssh_dispatch API; ok djm@
|
#
1.139 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.138 |
|
30-May-2017 |
markus |
sshd: pass struct ssh to auth functions; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.137 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.136 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.135 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.134 |
|
22-Dec-2014 |
djm |
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
|
#
1.133 |
|
18-Dec-2014 |
djm |
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.132 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.131 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.130 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.129 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.128 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.127 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and freedback djm@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.126 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.125 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.124 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.123 |
|
10-Mar-2011 |
djm |
allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.122 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.121 |
|
22-Jun-2009 |
dtucker |
alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.120 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.119 |
|
04-Jul-2008 |
djm |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2.
ok dtucker@
|
#
1.118 |
|
02-Jul-2008 |
djm |
really really remove the freebie "none" auth try for protocol 2
|
#
1.117 |
|
02-Jul-2008 |
djm |
Make protocol 2 MaxAuthTries behaviour a little more sensible:
Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).
Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.
Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).
Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.116 |
|
29-Sep-2007 |
dtucker |
Remove unused prototype. ok djm@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.115 |
|
14-Apr-2007 |
stevesk |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.114 |
|
01-Mar-2007 |
dtucker |
Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.113 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.112 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.111 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.110 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.109 |
|
20-Mar-2006 |
deraadt |
sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
|
#
1.108 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.107 |
|
28-Jul-2004 |
markus |
branches: 1.107.6; 1.107.8; more s/illegal/invalid/
|
#
1.106 |
|
21-Jul-2004 |
djm |
bz#899: Don't display invalid usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; ok markus@
|
#
1.105 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.104 |
|
04-Nov-2003 |
djm |
branches: 1.104.2; standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
|
#
1.103 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.102 |
|
26-Aug-2003 |
markus |
branches: 1.102.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.101 |
|
22-Aug-2003 |
markus |
nuke "kerberos-2@ssh.com"
|
#
1.100 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.99 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.98 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.97 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.96 |
|
06-Feb-2003 |
markus |
branches: 1.96.2; undo broken fix for #387, fixes #486
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.95 |
|
22-Aug-2002 |
markus |
branches: 1.95.2; auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
|
#
1.94 |
|
30-Jun-2002 |
deraadt |
lint asks that we use names that do not overlap
|
#
1.93 |
|
31-May-2002 |
markus |
move Authmethod definitons to per-method file.
|
#
1.92 |
|
25-May-2002 |
markus |
split auth2.c into one file per method; ok provos@/deraadt@
|
#
1.91 |
|
13-May-2002 |
itojun |
less warnings. skey_{respond,query} are public (in auth.h)
|
#
1.90 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.89 |
|
19-Mar-2002 |
markus |
branches: 1.89.2; make getpwnamallow() allways call pwcopy()
|
#
1.88 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.87 |
|
18-Mar-2002 |
provos |
have the authentication functions return the authentication context and then do_authenticated; okay millert@
|
#
1.86 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.85 |
|
24-Feb-2002 |
markus |
signed vs. unsigned: make size arguments u_int, ok stevesk@
|
#
1.84 |
|
04-Feb-2002 |
markus |
cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
|
#
1.83 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.82 |
|
13-Jan-2002 |
markus |
use buffer API and avoid static strings of fixed size; ok provos@/mouring@
|
#
1.81 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.80 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.77 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.76 |
|
18-Dec-2001 |
jakob |
log fingerprint on successful public key authentication; ok markus@
|
#
1.75 |
|
09-Dec-2001 |
markus |
add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions, fixes memleak.
|
#
1.74 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.73 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.72 |
|
07-Nov-2001 |
markus |
unused includes
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.71 |
|
27-Sep-2001 |
markus |
branches: 1.71.2; typos; from solar
|
#
1.70 |
|
20-Sep-2001 |
markus |
key_read returns now -1 or 1
|
#
1.69 |
|
23-Jul-2001 |
stevesk |
use %lu; ok markus@
|
#
1.68 |
|
26-Jun-2001 |
markus |
new interface for secure_filename()
|
#
1.67 |
|
25-Jun-2001 |
stevesk |
prototype cleanup; ok markus@
|
#
1.66 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.65 |
|
23-Jun-2001 |
markus |
restore correct ignore_user_known_hosts logic.
|
#
1.64 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.63 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.62 |
|
07-Jun-2001 |
markus |
style is used for bsdauth. disconnect on user/service change (ietf-drafts)
|
#
1.61 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.60 |
|
30-May-2001 |
markus |
merge
|
#
1.59 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.58 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
#
1.57 |
|
18-May-2001 |
markus |
improved kbd-interactive support. work by per@appgate.com and me
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.56 |
|
19-Apr-2001 |
markus |
branches: 1.56.2; use local variable, no function call needed. (btw, hostbased works now with ssh.com >= 2.0.13)
|
#
1.55 |
|
18-Apr-2001 |
markus |
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now (however the 2.1.0 server seems to work only if debug is enabled...)
|
#
1.54 |
|
18-Apr-2001 |
markus |
no longer const
|
#
1.53 |
|
18-Apr-2001 |
markus |
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
#
1.52 |
|
12-Apr-2001 |
markus |
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.51 |
|
06-Apr-2001 |
markus |
do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
|
#
1.50 |
|
04-Apr-2001 |
markus |
we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
|
#
1.49 |
|
28-Mar-2001 |
markus |
check auth_root_allowed for kbd-int auth, too.
|
#
1.48 |
|
21-Mar-2001 |
markus |
merge common ssh v1/2 code
|
#
1.47 |
|
20-Mar-2001 |
markus |
add changes need for BSD_AUTH plus disabled BSD_AUTH code
|
#
1.46 |
|
11-Mar-2001 |
markus |
debug
|
#
1.45 |
|
04-Mar-2001 |
djm |
Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid header conflicts in portable; ok markus@
|
#
1.44 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.43 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.42 |
|
13-Feb-2001 |
markus |
setproctitle(user) only if getpwnam succeeds
|
#
1.41 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.40 |
|
10-Feb-2001 |
markus |
offer passwd before s/key
|
#
1.39 |
|
08-Feb-2001 |
markus |
strict checking
|
#
1.38 |
|
08-Feb-2001 |
markus |
fix typo
|
#
1.37 |
|
07-Feb-2001 |
markus |
move k_setpag() to a central place; ok dugsong@
|
#
1.36 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.35 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.34 |
|
22-Jan-2001 |
markus |
rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
#
1.33 |
|
22-Jan-2001 |
markus |
no need to include; from mouring@etoh.eviladmin.org
|
#
1.32 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.31 |
|
20-Jan-2001 |
markus |
typo
|
#
1.30 |
|
20-Jan-2001 |
markus |
pass the filename to auth_parse_options()
|
#
1.29 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.28 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
|
#
1.27 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
#
1.26 |
|
13-Jan-2001 |
markus |
enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu
|
#
1.25 |
|
08-Jan-2001 |
markus |
implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled).
|
#
1.24 |
|
28-Dec-2000 |
markus |
count authentication failures only
|
#
1.23 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.22 |
|
03-Dec-2000 |
markus |
support f-secure/ssh.com 2.0.12; ok niels@
|
#
1.21 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.20 |
|
14-Oct-2000 |
markus |
branches: 1.20.2; OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons
|
#
1.19 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.18 |
|
11-Oct-2000 |
markus |
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me
|
#
1.17 |
|
11-Oct-2000 |
markus |
clear auth options unless auth sucessfull
|
#
1.16 |
|
27-Sep-2000 |
markus |
use key_type()
|
#
1.15 |
|
21-Sep-2000 |
markus |
add context to dispatch_run
|
#
1.14 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.13 |
|
20-Aug-2000 |
millert |
Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class.
|
#
1.12 |
|
07-Jul-2000 |
todd |
clean code is good code
|
#
1.11 |
|
19-Jun-2000 |
markus |
make userauth+pubkey interop with ssh.com-2.2.0
|
#
1.10 |
|
18-Jun-2000 |
markus |
split auth-rsa option parsing into auth-options add options support to authorized_keys2
|
#
1.9 |
|
18-Jun-2000 |
markus |
implement bug compatibility with ssh-2.0.13 pubkey, server side
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.8 |
|
08-May-2000 |
markus |
branches: 1.8.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.7 |
|
06-May-2000 |
markus |
add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
|
#
1.6 |
|
05-May-2000 |
markus |
log failure before sending the reply
|
#
1.5 |
|
01-May-2000 |
djm |
Add missing #ifdefs; ok - markus
|
#
1.4 |
|
01-May-2000 |
markus |
disable kerb,s/key in ssh2
|
#
1.3 |
|
27-Apr-2000 |
markus |
cleanup logging for sshd/2, respect PasswordAuth no
|
#
1.2 |
|
27-Apr-2000 |
markus |
xfree DSA blobs
|
#
1.1 |
|
26-Apr-2000 |
markus |
split auth/sshconnect in one file per protocol version
|
#
1.158 |
|
06-Mar-2020 |
markus |
exit on parse failures in input_service_request; ok djm
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.157 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.156 |
|
28-Jun-2019 |
deraadt |
asprintf returns -1, not an arbitrary value < 0. Also upon error the (very sloppy specification) leaves an undefined value in *ret, so it is wrong to inspect it, the error condition is enough. discussed a little with nicm, and then much more with millert until we were exasperated
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.155 |
|
25-Mar-2019 |
djm |
Fix authentication failures when "AuthenticationMethods any" in a Match block overrides a more restrictive global default.
Spotted by jmc@, ok markus@
|
#
1.154 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.153 |
|
19-Jan-2019 |
djm |
convert auth2.c to new packet API
|
#
1.152 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.151 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.150 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.149 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.148 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.147 |
|
11-May-2018 |
dtucker |
Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms where int64 is long not long long. ok djm@
|
#
1.146 |
|
13-Apr-2018 |
dtucker |
Defend against user enumeration timing attacks. This establishes a minimum time for each failed authentication attempt (5ms) and adds a per-user constant derived from a host secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok markus@ djm@.
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.145 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.144 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.143 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.142 |
|
31-May-2017 |
markus |
remove now obsolete ctx from ssh_dispatch_run; ok djm@
|
#
1.141 |
|
31-May-2017 |
markus |
use the ssh_dispatch_run_fatal variant
|
#
1.140 |
|
30-May-2017 |
markus |
switch auth2 to ssh_dispatch API; ok djm@
|
#
1.139 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.138 |
|
30-May-2017 |
markus |
sshd: pass struct ssh to auth functions; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.137 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.136 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.135 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.134 |
|
22-Dec-2014 |
djm |
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
|
#
1.133 |
|
18-Dec-2014 |
djm |
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.132 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.131 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.130 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.129 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.128 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.127 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and freedback djm@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.126 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.125 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.124 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.123 |
|
10-Mar-2011 |
djm |
allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.122 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.121 |
|
22-Jun-2009 |
dtucker |
alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.120 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.119 |
|
04-Jul-2008 |
djm |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2.
ok dtucker@
|
#
1.118 |
|
02-Jul-2008 |
djm |
really really remove the freebie "none" auth try for protocol 2
|
#
1.117 |
|
02-Jul-2008 |
djm |
Make protocol 2 MaxAuthTries behaviour a little more sensible:
Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).
Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.
Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).
Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.116 |
|
29-Sep-2007 |
dtucker |
Remove unused prototype. ok djm@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.115 |
|
14-Apr-2007 |
stevesk |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.114 |
|
01-Mar-2007 |
dtucker |
Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.113 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.112 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.111 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.110 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.109 |
|
20-Mar-2006 |
deraadt |
sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
|
#
1.108 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.107 |
|
28-Jul-2004 |
markus |
branches: 1.107.6; 1.107.8; more s/illegal/invalid/
|
#
1.106 |
|
21-Jul-2004 |
djm |
bz#899: Don't display invalid usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; ok markus@
|
#
1.105 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.104 |
|
04-Nov-2003 |
djm |
branches: 1.104.2; standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
|
#
1.103 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.102 |
|
26-Aug-2003 |
markus |
branches: 1.102.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.101 |
|
22-Aug-2003 |
markus |
nuke "kerberos-2@ssh.com"
|
#
1.100 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.99 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.98 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.97 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.96 |
|
06-Feb-2003 |
markus |
branches: 1.96.2; undo broken fix for #387, fixes #486
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.95 |
|
22-Aug-2002 |
markus |
branches: 1.95.2; auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
|
#
1.94 |
|
30-Jun-2002 |
deraadt |
lint asks that we use names that do not overlap
|
#
1.93 |
|
31-May-2002 |
markus |
move Authmethod definitons to per-method file.
|
#
1.92 |
|
25-May-2002 |
markus |
split auth2.c into one file per method; ok provos@/deraadt@
|
#
1.91 |
|
13-May-2002 |
itojun |
less warnings. skey_{respond,query} are public (in auth.h)
|
#
1.90 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.89 |
|
19-Mar-2002 |
markus |
branches: 1.89.2; make getpwnamallow() allways call pwcopy()
|
#
1.88 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.87 |
|
18-Mar-2002 |
provos |
have the authentication functions return the authentication context and then do_authenticated; okay millert@
|
#
1.86 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.85 |
|
24-Feb-2002 |
markus |
signed vs. unsigned: make size arguments u_int, ok stevesk@
|
#
1.84 |
|
04-Feb-2002 |
markus |
cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
|
#
1.83 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.82 |
|
13-Jan-2002 |
markus |
use buffer API and avoid static strings of fixed size; ok provos@/mouring@
|
#
1.81 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.80 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.77 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.76 |
|
18-Dec-2001 |
jakob |
log fingerprint on successful public key authentication; ok markus@
|
#
1.75 |
|
09-Dec-2001 |
markus |
add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions, fixes memleak.
|
#
1.74 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.73 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.72 |
|
07-Nov-2001 |
markus |
unused includes
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.71 |
|
27-Sep-2001 |
markus |
branches: 1.71.2; typos; from solar
|
#
1.70 |
|
20-Sep-2001 |
markus |
key_read returns now -1 or 1
|
#
1.69 |
|
23-Jul-2001 |
stevesk |
use %lu; ok markus@
|
#
1.68 |
|
26-Jun-2001 |
markus |
new interface for secure_filename()
|
#
1.67 |
|
25-Jun-2001 |
stevesk |
prototype cleanup; ok markus@
|
#
1.66 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.65 |
|
23-Jun-2001 |
markus |
restore correct ignore_user_known_hosts logic.
|
#
1.64 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.63 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.62 |
|
07-Jun-2001 |
markus |
style is used for bsdauth. disconnect on user/service change (ietf-drafts)
|
#
1.61 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.60 |
|
30-May-2001 |
markus |
merge
|
#
1.59 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.58 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
#
1.57 |
|
18-May-2001 |
markus |
improved kbd-interactive support. work by per@appgate.com and me
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.56 |
|
19-Apr-2001 |
markus |
branches: 1.56.2; use local variable, no function call needed. (btw, hostbased works now with ssh.com >= 2.0.13)
|
#
1.55 |
|
18-Apr-2001 |
markus |
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now (however the 2.1.0 server seems to work only if debug is enabled...)
|
#
1.54 |
|
18-Apr-2001 |
markus |
no longer const
|
#
1.53 |
|
18-Apr-2001 |
markus |
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
#
1.52 |
|
12-Apr-2001 |
markus |
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.51 |
|
06-Apr-2001 |
markus |
do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
|
#
1.50 |
|
04-Apr-2001 |
markus |
we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
|
#
1.49 |
|
28-Mar-2001 |
markus |
check auth_root_allowed for kbd-int auth, too.
|
#
1.48 |
|
21-Mar-2001 |
markus |
merge common ssh v1/2 code
|
#
1.47 |
|
20-Mar-2001 |
markus |
add changes need for BSD_AUTH plus disabled BSD_AUTH code
|
#
1.46 |
|
11-Mar-2001 |
markus |
debug
|
#
1.45 |
|
04-Mar-2001 |
djm |
Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid header conflicts in portable; ok markus@
|
#
1.44 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.43 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.42 |
|
13-Feb-2001 |
markus |
setproctitle(user) only if getpwnam succeeds
|
#
1.41 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.40 |
|
10-Feb-2001 |
markus |
offer passwd before s/key
|
#
1.39 |
|
08-Feb-2001 |
markus |
strict checking
|
#
1.38 |
|
08-Feb-2001 |
markus |
fix typo
|
#
1.37 |
|
07-Feb-2001 |
markus |
move k_setpag() to a central place; ok dugsong@
|
#
1.36 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.35 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.34 |
|
22-Jan-2001 |
markus |
rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
#
1.33 |
|
22-Jan-2001 |
markus |
no need to include; from mouring@etoh.eviladmin.org
|
#
1.32 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.31 |
|
20-Jan-2001 |
markus |
typo
|
#
1.30 |
|
20-Jan-2001 |
markus |
pass the filename to auth_parse_options()
|
#
1.29 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.28 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
|
#
1.27 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
#
1.26 |
|
13-Jan-2001 |
markus |
enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu
|
#
1.25 |
|
08-Jan-2001 |
markus |
implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled).
|
#
1.24 |
|
28-Dec-2000 |
markus |
count authentication failures only
|
#
1.23 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.22 |
|
03-Dec-2000 |
markus |
support f-secure/ssh.com 2.0.12; ok niels@
|
#
1.21 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.20 |
|
14-Oct-2000 |
markus |
branches: 1.20.2; OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons
|
#
1.19 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.18 |
|
11-Oct-2000 |
markus |
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me
|
#
1.17 |
|
11-Oct-2000 |
markus |
clear auth options unless auth sucessfull
|
#
1.16 |
|
27-Sep-2000 |
markus |
use key_type()
|
#
1.15 |
|
21-Sep-2000 |
markus |
add context to dispatch_run
|
#
1.14 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.13 |
|
20-Aug-2000 |
millert |
Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class.
|
#
1.12 |
|
07-Jul-2000 |
todd |
clean code is good code
|
#
1.11 |
|
19-Jun-2000 |
markus |
make userauth+pubkey interop with ssh.com-2.2.0
|
#
1.10 |
|
18-Jun-2000 |
markus |
split auth-rsa option parsing into auth-options add options support to authorized_keys2
|
#
1.9 |
|
18-Jun-2000 |
markus |
implement bug compatibility with ssh-2.0.13 pubkey, server side
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.8 |
|
08-May-2000 |
markus |
branches: 1.8.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.7 |
|
06-May-2000 |
markus |
add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
|
#
1.6 |
|
05-May-2000 |
markus |
log failure before sending the reply
|
#
1.5 |
|
01-May-2000 |
djm |
Add missing #ifdefs; ok - markus
|
#
1.4 |
|
01-May-2000 |
markus |
disable kerb,s/key in ssh2
|
#
1.3 |
|
27-Apr-2000 |
markus |
cleanup logging for sshd/2, respect PasswordAuth no
|
#
1.2 |
|
27-Apr-2000 |
markus |
xfree DSA blobs
|
#
1.1 |
|
26-Apr-2000 |
markus |
split auth/sshconnect in one file per protocol version
|
#
1.157 |
|
06-Sep-2019 |
djm |
lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
|
#
1.156 |
|
28-Jun-2019 |
deraadt |
asprintf returns -1, not an arbitrary value < 0. Also upon error the (very sloppy specification) leaves an undefined value in *ret, so it is wrong to inspect it, the error condition is enough. discussed a little with nicm, and then much more with millert until we were exasperated
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.155 |
|
25-Mar-2019 |
djm |
Fix authentication failures when "AuthenticationMethods any" in a Match block overrides a more restrictive global default.
Spotted by jmc@, ok markus@
|
#
1.154 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.153 |
|
19-Jan-2019 |
djm |
convert auth2.c to new packet API
|
#
1.152 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.151 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.150 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.149 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.148 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.147 |
|
11-May-2018 |
dtucker |
Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms where int64 is long not long long. ok djm@
|
#
1.146 |
|
13-Apr-2018 |
dtucker |
Defend against user enumeration timing attacks. This establishes a minimum time for each failed authentication attempt (5ms) and adds a per-user constant derived from a host secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok markus@ djm@.
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.145 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.144 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.143 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.142 |
|
31-May-2017 |
markus |
remove now obsolete ctx from ssh_dispatch_run; ok djm@
|
#
1.141 |
|
31-May-2017 |
markus |
use the ssh_dispatch_run_fatal variant
|
#
1.140 |
|
30-May-2017 |
markus |
switch auth2 to ssh_dispatch API; ok djm@
|
#
1.139 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.138 |
|
30-May-2017 |
markus |
sshd: pass struct ssh to auth functions; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.137 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.136 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.135 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.134 |
|
22-Dec-2014 |
djm |
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
|
#
1.133 |
|
18-Dec-2014 |
djm |
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.132 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.131 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.130 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.129 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.128 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.127 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and freedback djm@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.126 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.125 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.124 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.123 |
|
10-Mar-2011 |
djm |
allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.122 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.121 |
|
22-Jun-2009 |
dtucker |
alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.120 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.119 |
|
04-Jul-2008 |
djm |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2.
ok dtucker@
|
#
1.118 |
|
02-Jul-2008 |
djm |
really really remove the freebie "none" auth try for protocol 2
|
#
1.117 |
|
02-Jul-2008 |
djm |
Make protocol 2 MaxAuthTries behaviour a little more sensible:
Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).
Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.
Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).
Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.116 |
|
29-Sep-2007 |
dtucker |
Remove unused prototype. ok djm@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.115 |
|
14-Apr-2007 |
stevesk |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.114 |
|
01-Mar-2007 |
dtucker |
Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.113 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.112 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.111 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.110 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.109 |
|
20-Mar-2006 |
deraadt |
sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
|
#
1.108 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.107 |
|
28-Jul-2004 |
markus |
branches: 1.107.6; 1.107.8; more s/illegal/invalid/
|
#
1.106 |
|
21-Jul-2004 |
djm |
bz#899: Don't display invalid usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; ok markus@
|
#
1.105 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.104 |
|
04-Nov-2003 |
djm |
branches: 1.104.2; standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
|
#
1.103 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.102 |
|
26-Aug-2003 |
markus |
branches: 1.102.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.101 |
|
22-Aug-2003 |
markus |
nuke "kerberos-2@ssh.com"
|
#
1.100 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.99 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.98 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.97 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.96 |
|
06-Feb-2003 |
markus |
branches: 1.96.2; undo broken fix for #387, fixes #486
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.95 |
|
22-Aug-2002 |
markus |
branches: 1.95.2; auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
|
#
1.94 |
|
30-Jun-2002 |
deraadt |
lint asks that we use names that do not overlap
|
#
1.93 |
|
31-May-2002 |
markus |
move Authmethod definitons to per-method file.
|
#
1.92 |
|
25-May-2002 |
markus |
split auth2.c into one file per method; ok provos@/deraadt@
|
#
1.91 |
|
13-May-2002 |
itojun |
less warnings. skey_{respond,query} are public (in auth.h)
|
#
1.90 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.89 |
|
19-Mar-2002 |
markus |
branches: 1.89.2; make getpwnamallow() allways call pwcopy()
|
#
1.88 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.87 |
|
18-Mar-2002 |
provos |
have the authentication functions return the authentication context and then do_authenticated; okay millert@
|
#
1.86 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.85 |
|
24-Feb-2002 |
markus |
signed vs. unsigned: make size arguments u_int, ok stevesk@
|
#
1.84 |
|
04-Feb-2002 |
markus |
cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
|
#
1.83 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.82 |
|
13-Jan-2002 |
markus |
use buffer API and avoid static strings of fixed size; ok provos@/mouring@
|
#
1.81 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.80 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.77 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.76 |
|
18-Dec-2001 |
jakob |
log fingerprint on successful public key authentication; ok markus@
|
#
1.75 |
|
09-Dec-2001 |
markus |
add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions, fixes memleak.
|
#
1.74 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.73 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.72 |
|
07-Nov-2001 |
markus |
unused includes
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.71 |
|
27-Sep-2001 |
markus |
branches: 1.71.2; typos; from solar
|
#
1.70 |
|
20-Sep-2001 |
markus |
key_read returns now -1 or 1
|
#
1.69 |
|
23-Jul-2001 |
stevesk |
use %lu; ok markus@
|
#
1.68 |
|
26-Jun-2001 |
markus |
new interface for secure_filename()
|
#
1.67 |
|
25-Jun-2001 |
stevesk |
prototype cleanup; ok markus@
|
#
1.66 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.65 |
|
23-Jun-2001 |
markus |
restore correct ignore_user_known_hosts logic.
|
#
1.64 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.63 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.62 |
|
07-Jun-2001 |
markus |
style is used for bsdauth. disconnect on user/service change (ietf-drafts)
|
#
1.61 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.60 |
|
30-May-2001 |
markus |
merge
|
#
1.59 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.58 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
#
1.57 |
|
18-May-2001 |
markus |
improved kbd-interactive support. work by per@appgate.com and me
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.56 |
|
19-Apr-2001 |
markus |
branches: 1.56.2; use local variable, no function call needed. (btw, hostbased works now with ssh.com >= 2.0.13)
|
#
1.55 |
|
18-Apr-2001 |
markus |
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now (however the 2.1.0 server seems to work only if debug is enabled...)
|
#
1.54 |
|
18-Apr-2001 |
markus |
no longer const
|
#
1.53 |
|
18-Apr-2001 |
markus |
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
#
1.52 |
|
12-Apr-2001 |
markus |
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.51 |
|
06-Apr-2001 |
markus |
do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
|
#
1.50 |
|
04-Apr-2001 |
markus |
we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
|
#
1.49 |
|
28-Mar-2001 |
markus |
check auth_root_allowed for kbd-int auth, too.
|
#
1.48 |
|
21-Mar-2001 |
markus |
merge common ssh v1/2 code
|
#
1.47 |
|
20-Mar-2001 |
markus |
add changes need for BSD_AUTH plus disabled BSD_AUTH code
|
#
1.46 |
|
11-Mar-2001 |
markus |
debug
|
#
1.45 |
|
04-Mar-2001 |
djm |
Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid header conflicts in portable; ok markus@
|
#
1.44 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.43 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.42 |
|
13-Feb-2001 |
markus |
setproctitle(user) only if getpwnam succeeds
|
#
1.41 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.40 |
|
10-Feb-2001 |
markus |
offer passwd before s/key
|
#
1.39 |
|
08-Feb-2001 |
markus |
strict checking
|
#
1.38 |
|
08-Feb-2001 |
markus |
fix typo
|
#
1.37 |
|
07-Feb-2001 |
markus |
move k_setpag() to a central place; ok dugsong@
|
#
1.36 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.35 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.34 |
|
22-Jan-2001 |
markus |
rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
#
1.33 |
|
22-Jan-2001 |
markus |
no need to include; from mouring@etoh.eviladmin.org
|
#
1.32 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.31 |
|
20-Jan-2001 |
markus |
typo
|
#
1.30 |
|
20-Jan-2001 |
markus |
pass the filename to auth_parse_options()
|
#
1.29 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.28 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
|
#
1.27 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
#
1.26 |
|
13-Jan-2001 |
markus |
enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu
|
#
1.25 |
|
08-Jan-2001 |
markus |
implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled).
|
#
1.24 |
|
28-Dec-2000 |
markus |
count authentication failures only
|
#
1.23 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.22 |
|
03-Dec-2000 |
markus |
support f-secure/ssh.com 2.0.12; ok niels@
|
#
1.21 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.20 |
|
14-Oct-2000 |
markus |
branches: 1.20.2; OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons
|
#
1.19 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.18 |
|
11-Oct-2000 |
markus |
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me
|
#
1.17 |
|
11-Oct-2000 |
markus |
clear auth options unless auth sucessfull
|
#
1.16 |
|
27-Sep-2000 |
markus |
use key_type()
|
#
1.15 |
|
21-Sep-2000 |
markus |
add context to dispatch_run
|
#
1.14 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.13 |
|
20-Aug-2000 |
millert |
Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class.
|
#
1.12 |
|
07-Jul-2000 |
todd |
clean code is good code
|
#
1.11 |
|
19-Jun-2000 |
markus |
make userauth+pubkey interop with ssh.com-2.2.0
|
#
1.10 |
|
18-Jun-2000 |
markus |
split auth-rsa option parsing into auth-options add options support to authorized_keys2
|
#
1.9 |
|
18-Jun-2000 |
markus |
implement bug compatibility with ssh-2.0.13 pubkey, server side
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.8 |
|
08-May-2000 |
markus |
branches: 1.8.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.7 |
|
06-May-2000 |
markus |
add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
|
#
1.6 |
|
05-May-2000 |
markus |
log failure before sending the reply
|
#
1.5 |
|
01-May-2000 |
djm |
Add missing #ifdefs; ok - markus
|
#
1.4 |
|
01-May-2000 |
markus |
disable kerb,s/key in ssh2
|
#
1.3 |
|
27-Apr-2000 |
markus |
cleanup logging for sshd/2, respect PasswordAuth no
|
#
1.2 |
|
27-Apr-2000 |
markus |
xfree DSA blobs
|
#
1.1 |
|
26-Apr-2000 |
markus |
split auth/sshconnect in one file per protocol version
|
#
1.156 |
|
28-Jun-2019 |
deraadt |
asprintf returns -1, not an arbitrary value < 0. Also upon error the (very sloppy specification) leaves an undefined value in *ret, so it is wrong to inspect it, the error condition is enough. discussed a little with nicm, and then much more with millert until we were exasperated
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.155 |
|
25-Mar-2019 |
djm |
Fix authentication failures when "AuthenticationMethods any" in a Match block overrides a more restrictive global default.
Spotted by jmc@, ok markus@
|
#
1.154 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.153 |
|
19-Jan-2019 |
djm |
convert auth2.c to new packet API
|
#
1.152 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.151 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.150 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.149 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.148 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.147 |
|
11-May-2018 |
dtucker |
Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms where int64 is long not long long. ok djm@
|
#
1.146 |
|
13-Apr-2018 |
dtucker |
Defend against user enumeration timing attacks. This establishes a minimum time for each failed authentication attempt (5ms) and adds a per-user constant derived from a host secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok markus@ djm@.
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.145 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.144 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.143 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.142 |
|
31-May-2017 |
markus |
remove now obsolete ctx from ssh_dispatch_run; ok djm@
|
#
1.141 |
|
31-May-2017 |
markus |
use the ssh_dispatch_run_fatal variant
|
#
1.140 |
|
30-May-2017 |
markus |
switch auth2 to ssh_dispatch API; ok djm@
|
#
1.139 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.138 |
|
30-May-2017 |
markus |
sshd: pass struct ssh to auth functions; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.137 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.136 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.135 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.134 |
|
22-Dec-2014 |
djm |
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
|
#
1.133 |
|
18-Dec-2014 |
djm |
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.132 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.131 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.130 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.129 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.128 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.127 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and freedback djm@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.126 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.125 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.124 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.123 |
|
10-Mar-2011 |
djm |
allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.122 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.121 |
|
22-Jun-2009 |
dtucker |
alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.120 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.119 |
|
04-Jul-2008 |
djm |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2.
ok dtucker@
|
#
1.118 |
|
02-Jul-2008 |
djm |
really really remove the freebie "none" auth try for protocol 2
|
#
1.117 |
|
02-Jul-2008 |
djm |
Make protocol 2 MaxAuthTries behaviour a little more sensible:
Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).
Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.
Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).
Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.116 |
|
29-Sep-2007 |
dtucker |
Remove unused prototype. ok djm@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.115 |
|
14-Apr-2007 |
stevesk |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.114 |
|
01-Mar-2007 |
dtucker |
Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.113 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.112 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.111 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.110 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.109 |
|
20-Mar-2006 |
deraadt |
sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
|
#
1.108 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.107 |
|
28-Jul-2004 |
markus |
branches: 1.107.6; 1.107.8; more s/illegal/invalid/
|
#
1.106 |
|
21-Jul-2004 |
djm |
bz#899: Don't display invalid usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; ok markus@
|
#
1.105 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.104 |
|
04-Nov-2003 |
djm |
branches: 1.104.2; standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
|
#
1.103 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.102 |
|
26-Aug-2003 |
markus |
branches: 1.102.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.101 |
|
22-Aug-2003 |
markus |
nuke "kerberos-2@ssh.com"
|
#
1.100 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.99 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.98 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.97 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.96 |
|
06-Feb-2003 |
markus |
branches: 1.96.2; undo broken fix for #387, fixes #486
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.95 |
|
22-Aug-2002 |
markus |
branches: 1.95.2; auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
|
#
1.94 |
|
30-Jun-2002 |
deraadt |
lint asks that we use names that do not overlap
|
#
1.93 |
|
31-May-2002 |
markus |
move Authmethod definitons to per-method file.
|
#
1.92 |
|
25-May-2002 |
markus |
split auth2.c into one file per method; ok provos@/deraadt@
|
#
1.91 |
|
13-May-2002 |
itojun |
less warnings. skey_{respond,query} are public (in auth.h)
|
#
1.90 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.89 |
|
19-Mar-2002 |
markus |
branches: 1.89.2; make getpwnamallow() allways call pwcopy()
|
#
1.88 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.87 |
|
18-Mar-2002 |
provos |
have the authentication functions return the authentication context and then do_authenticated; okay millert@
|
#
1.86 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.85 |
|
24-Feb-2002 |
markus |
signed vs. unsigned: make size arguments u_int, ok stevesk@
|
#
1.84 |
|
04-Feb-2002 |
markus |
cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
|
#
1.83 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.82 |
|
13-Jan-2002 |
markus |
use buffer API and avoid static strings of fixed size; ok provos@/mouring@
|
#
1.81 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.80 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.77 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.76 |
|
18-Dec-2001 |
jakob |
log fingerprint on successful public key authentication; ok markus@
|
#
1.75 |
|
09-Dec-2001 |
markus |
add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions, fixes memleak.
|
#
1.74 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.73 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.72 |
|
07-Nov-2001 |
markus |
unused includes
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.71 |
|
27-Sep-2001 |
markus |
branches: 1.71.2; typos; from solar
|
#
1.70 |
|
20-Sep-2001 |
markus |
key_read returns now -1 or 1
|
#
1.69 |
|
23-Jul-2001 |
stevesk |
use %lu; ok markus@
|
#
1.68 |
|
26-Jun-2001 |
markus |
new interface for secure_filename()
|
#
1.67 |
|
25-Jun-2001 |
stevesk |
prototype cleanup; ok markus@
|
#
1.66 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.65 |
|
23-Jun-2001 |
markus |
restore correct ignore_user_known_hosts logic.
|
#
1.64 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.63 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.62 |
|
07-Jun-2001 |
markus |
style is used for bsdauth. disconnect on user/service change (ietf-drafts)
|
#
1.61 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.60 |
|
30-May-2001 |
markus |
merge
|
#
1.59 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.58 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
#
1.57 |
|
18-May-2001 |
markus |
improved kbd-interactive support. work by per@appgate.com and me
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.56 |
|
19-Apr-2001 |
markus |
branches: 1.56.2; use local variable, no function call needed. (btw, hostbased works now with ssh.com >= 2.0.13)
|
#
1.55 |
|
18-Apr-2001 |
markus |
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now (however the 2.1.0 server seems to work only if debug is enabled...)
|
#
1.54 |
|
18-Apr-2001 |
markus |
no longer const
|
#
1.53 |
|
18-Apr-2001 |
markus |
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
#
1.52 |
|
12-Apr-2001 |
markus |
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.51 |
|
06-Apr-2001 |
markus |
do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
|
#
1.50 |
|
04-Apr-2001 |
markus |
we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
|
#
1.49 |
|
28-Mar-2001 |
markus |
check auth_root_allowed for kbd-int auth, too.
|
#
1.48 |
|
21-Mar-2001 |
markus |
merge common ssh v1/2 code
|
#
1.47 |
|
20-Mar-2001 |
markus |
add changes need for BSD_AUTH plus disabled BSD_AUTH code
|
#
1.46 |
|
11-Mar-2001 |
markus |
debug
|
#
1.45 |
|
04-Mar-2001 |
djm |
Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid header conflicts in portable; ok markus@
|
#
1.44 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.43 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.42 |
|
13-Feb-2001 |
markus |
setproctitle(user) only if getpwnam succeeds
|
#
1.41 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.40 |
|
10-Feb-2001 |
markus |
offer passwd before s/key
|
#
1.39 |
|
08-Feb-2001 |
markus |
strict checking
|
#
1.38 |
|
08-Feb-2001 |
markus |
fix typo
|
#
1.37 |
|
07-Feb-2001 |
markus |
move k_setpag() to a central place; ok dugsong@
|
#
1.36 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.35 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.34 |
|
22-Jan-2001 |
markus |
rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
#
1.33 |
|
22-Jan-2001 |
markus |
no need to include; from mouring@etoh.eviladmin.org
|
#
1.32 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.31 |
|
20-Jan-2001 |
markus |
typo
|
#
1.30 |
|
20-Jan-2001 |
markus |
pass the filename to auth_parse_options()
|
#
1.29 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.28 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
|
#
1.27 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
#
1.26 |
|
13-Jan-2001 |
markus |
enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu
|
#
1.25 |
|
08-Jan-2001 |
markus |
implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled).
|
#
1.24 |
|
28-Dec-2000 |
markus |
count authentication failures only
|
#
1.23 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.22 |
|
03-Dec-2000 |
markus |
support f-secure/ssh.com 2.0.12; ok niels@
|
#
1.21 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.20 |
|
14-Oct-2000 |
markus |
branches: 1.20.2; OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons
|
#
1.19 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.18 |
|
11-Oct-2000 |
markus |
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me
|
#
1.17 |
|
11-Oct-2000 |
markus |
clear auth options unless auth sucessfull
|
#
1.16 |
|
27-Sep-2000 |
markus |
use key_type()
|
#
1.15 |
|
21-Sep-2000 |
markus |
add context to dispatch_run
|
#
1.14 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.13 |
|
20-Aug-2000 |
millert |
Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class.
|
#
1.12 |
|
07-Jul-2000 |
todd |
clean code is good code
|
#
1.11 |
|
19-Jun-2000 |
markus |
make userauth+pubkey interop with ssh.com-2.2.0
|
#
1.10 |
|
18-Jun-2000 |
markus |
split auth-rsa option parsing into auth-options add options support to authorized_keys2
|
#
1.9 |
|
18-Jun-2000 |
markus |
implement bug compatibility with ssh-2.0.13 pubkey, server side
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.8 |
|
08-May-2000 |
markus |
branches: 1.8.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.7 |
|
06-May-2000 |
markus |
add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
|
#
1.6 |
|
05-May-2000 |
markus |
log failure before sending the reply
|
#
1.5 |
|
01-May-2000 |
djm |
Add missing #ifdefs; ok - markus
|
#
1.4 |
|
01-May-2000 |
markus |
disable kerb,s/key in ssh2
|
#
1.3 |
|
27-Apr-2000 |
markus |
cleanup logging for sshd/2, respect PasswordAuth no
|
#
1.2 |
|
27-Apr-2000 |
markus |
xfree DSA blobs
|
#
1.1 |
|
26-Apr-2000 |
markus |
split auth/sshconnect in one file per protocol version
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.155 |
|
25-Mar-2019 |
djm |
Fix authentication failures when "AuthenticationMethods any" in a Match block overrides a more restrictive global default.
Spotted by jmc@, ok markus@
|
#
1.154 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.153 |
|
19-Jan-2019 |
djm |
convert auth2.c to new packet API
|
#
1.152 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.151 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.150 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.149 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.148 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.147 |
|
11-May-2018 |
dtucker |
Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms where int64 is long not long long. ok djm@
|
#
1.146 |
|
13-Apr-2018 |
dtucker |
Defend against user enumeration timing attacks. This establishes a minimum time for each failed authentication attempt (5ms) and adds a per-user constant derived from a host secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok markus@ djm@.
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.145 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.144 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.143 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.142 |
|
31-May-2017 |
markus |
remove now obsolete ctx from ssh_dispatch_run; ok djm@
|
#
1.141 |
|
31-May-2017 |
markus |
use the ssh_dispatch_run_fatal variant
|
#
1.140 |
|
30-May-2017 |
markus |
switch auth2 to ssh_dispatch API; ok djm@
|
#
1.139 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.138 |
|
30-May-2017 |
markus |
sshd: pass struct ssh to auth functions; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.137 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.136 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.135 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.134 |
|
22-Dec-2014 |
djm |
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
|
#
1.133 |
|
18-Dec-2014 |
djm |
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.132 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.131 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.130 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.129 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.128 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.127 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and freedback djm@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.126 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.125 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.124 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.123 |
|
10-Mar-2011 |
djm |
allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.122 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.121 |
|
22-Jun-2009 |
dtucker |
alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.120 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.119 |
|
04-Jul-2008 |
djm |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2.
ok dtucker@
|
#
1.118 |
|
02-Jul-2008 |
djm |
really really remove the freebie "none" auth try for protocol 2
|
#
1.117 |
|
02-Jul-2008 |
djm |
Make protocol 2 MaxAuthTries behaviour a little more sensible:
Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).
Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.
Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).
Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.116 |
|
29-Sep-2007 |
dtucker |
Remove unused prototype. ok djm@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.115 |
|
14-Apr-2007 |
stevesk |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.114 |
|
01-Mar-2007 |
dtucker |
Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.113 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.112 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.111 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.110 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.109 |
|
20-Mar-2006 |
deraadt |
sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
|
#
1.108 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.107 |
|
28-Jul-2004 |
markus |
branches: 1.107.6; 1.107.8; more s/illegal/invalid/
|
#
1.106 |
|
21-Jul-2004 |
djm |
bz#899: Don't display invalid usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; ok markus@
|
#
1.105 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.104 |
|
04-Nov-2003 |
djm |
branches: 1.104.2; standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
|
#
1.103 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.102 |
|
26-Aug-2003 |
markus |
branches: 1.102.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.101 |
|
22-Aug-2003 |
markus |
nuke "kerberos-2@ssh.com"
|
#
1.100 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.99 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.98 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.97 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.96 |
|
06-Feb-2003 |
markus |
branches: 1.96.2; undo broken fix for #387, fixes #486
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.95 |
|
22-Aug-2002 |
markus |
branches: 1.95.2; auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
|
#
1.94 |
|
30-Jun-2002 |
deraadt |
lint asks that we use names that do not overlap
|
#
1.93 |
|
31-May-2002 |
markus |
move Authmethod definitons to per-method file.
|
#
1.92 |
|
25-May-2002 |
markus |
split auth2.c into one file per method; ok provos@/deraadt@
|
#
1.91 |
|
13-May-2002 |
itojun |
less warnings. skey_{respond,query} are public (in auth.h)
|
#
1.90 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.89 |
|
19-Mar-2002 |
markus |
branches: 1.89.2; make getpwnamallow() allways call pwcopy()
|
#
1.88 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.87 |
|
18-Mar-2002 |
provos |
have the authentication functions return the authentication context and then do_authenticated; okay millert@
|
#
1.86 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.85 |
|
24-Feb-2002 |
markus |
signed vs. unsigned: make size arguments u_int, ok stevesk@
|
#
1.84 |
|
04-Feb-2002 |
markus |
cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
|
#
1.83 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.82 |
|
13-Jan-2002 |
markus |
use buffer API and avoid static strings of fixed size; ok provos@/mouring@
|
#
1.81 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.80 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.77 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.76 |
|
18-Dec-2001 |
jakob |
log fingerprint on successful public key authentication; ok markus@
|
#
1.75 |
|
09-Dec-2001 |
markus |
add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions, fixes memleak.
|
#
1.74 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.73 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.72 |
|
07-Nov-2001 |
markus |
unused includes
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.71 |
|
27-Sep-2001 |
markus |
branches: 1.71.2; typos; from solar
|
#
1.70 |
|
20-Sep-2001 |
markus |
key_read returns now -1 or 1
|
#
1.69 |
|
23-Jul-2001 |
stevesk |
use %lu; ok markus@
|
#
1.68 |
|
26-Jun-2001 |
markus |
new interface for secure_filename()
|
#
1.67 |
|
25-Jun-2001 |
stevesk |
prototype cleanup; ok markus@
|
#
1.66 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.65 |
|
23-Jun-2001 |
markus |
restore correct ignore_user_known_hosts logic.
|
#
1.64 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.63 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.62 |
|
07-Jun-2001 |
markus |
style is used for bsdauth. disconnect on user/service change (ietf-drafts)
|
#
1.61 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.60 |
|
30-May-2001 |
markus |
merge
|
#
1.59 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.58 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
#
1.57 |
|
18-May-2001 |
markus |
improved kbd-interactive support. work by per@appgate.com and me
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.56 |
|
19-Apr-2001 |
markus |
branches: 1.56.2; use local variable, no function call needed. (btw, hostbased works now with ssh.com >= 2.0.13)
|
#
1.55 |
|
18-Apr-2001 |
markus |
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now (however the 2.1.0 server seems to work only if debug is enabled...)
|
#
1.54 |
|
18-Apr-2001 |
markus |
no longer const
|
#
1.53 |
|
18-Apr-2001 |
markus |
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
#
1.52 |
|
12-Apr-2001 |
markus |
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.51 |
|
06-Apr-2001 |
markus |
do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
|
#
1.50 |
|
04-Apr-2001 |
markus |
we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
|
#
1.49 |
|
28-Mar-2001 |
markus |
check auth_root_allowed for kbd-int auth, too.
|
#
1.48 |
|
21-Mar-2001 |
markus |
merge common ssh v1/2 code
|
#
1.47 |
|
20-Mar-2001 |
markus |
add changes need for BSD_AUTH plus disabled BSD_AUTH code
|
#
1.46 |
|
11-Mar-2001 |
markus |
debug
|
#
1.45 |
|
04-Mar-2001 |
djm |
Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid header conflicts in portable; ok markus@
|
#
1.44 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.43 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.42 |
|
13-Feb-2001 |
markus |
setproctitle(user) only if getpwnam succeeds
|
#
1.41 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.40 |
|
10-Feb-2001 |
markus |
offer passwd before s/key
|
#
1.39 |
|
08-Feb-2001 |
markus |
strict checking
|
#
1.38 |
|
08-Feb-2001 |
markus |
fix typo
|
#
1.37 |
|
07-Feb-2001 |
markus |
move k_setpag() to a central place; ok dugsong@
|
#
1.36 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.35 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.34 |
|
22-Jan-2001 |
markus |
rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
#
1.33 |
|
22-Jan-2001 |
markus |
no need to include; from mouring@etoh.eviladmin.org
|
#
1.32 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.31 |
|
20-Jan-2001 |
markus |
typo
|
#
1.30 |
|
20-Jan-2001 |
markus |
pass the filename to auth_parse_options()
|
#
1.29 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.28 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
|
#
1.27 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
#
1.26 |
|
13-Jan-2001 |
markus |
enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu
|
#
1.25 |
|
08-Jan-2001 |
markus |
implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled).
|
#
1.24 |
|
28-Dec-2000 |
markus |
count authentication failures only
|
#
1.23 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.22 |
|
03-Dec-2000 |
markus |
support f-secure/ssh.com 2.0.12; ok niels@
|
#
1.21 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.20 |
|
14-Oct-2000 |
markus |
branches: 1.20.2; OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons
|
#
1.19 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.18 |
|
11-Oct-2000 |
markus |
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me
|
#
1.17 |
|
11-Oct-2000 |
markus |
clear auth options unless auth sucessfull
|
#
1.16 |
|
27-Sep-2000 |
markus |
use key_type()
|
#
1.15 |
|
21-Sep-2000 |
markus |
add context to dispatch_run
|
#
1.14 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.13 |
|
20-Aug-2000 |
millert |
Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class.
|
#
1.12 |
|
07-Jul-2000 |
todd |
clean code is good code
|
#
1.11 |
|
19-Jun-2000 |
markus |
make userauth+pubkey interop with ssh.com-2.2.0
|
#
1.10 |
|
18-Jun-2000 |
markus |
split auth-rsa option parsing into auth-options add options support to authorized_keys2
|
#
1.9 |
|
18-Jun-2000 |
markus |
implement bug compatibility with ssh-2.0.13 pubkey, server side
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.8 |
|
08-May-2000 |
markus |
branches: 1.8.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.7 |
|
06-May-2000 |
markus |
add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
|
#
1.6 |
|
05-May-2000 |
markus |
log failure before sending the reply
|
#
1.5 |
|
01-May-2000 |
djm |
Add missing #ifdefs; ok - markus
|
#
1.4 |
|
01-May-2000 |
markus |
disable kerb,s/key in ssh2
|
#
1.3 |
|
27-Apr-2000 |
markus |
cleanup logging for sshd/2, respect PasswordAuth no
|
#
1.2 |
|
27-Apr-2000 |
markus |
xfree DSA blobs
|
#
1.1 |
|
26-Apr-2000 |
markus |
split auth/sshconnect in one file per protocol version
|
#
1.154 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.153 |
|
19-Jan-2019 |
djm |
convert auth2.c to new packet API
|
#
1.152 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.151 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.150 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.149 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.148 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.147 |
|
11-May-2018 |
dtucker |
Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms where int64 is long not long long. ok djm@
|
#
1.146 |
|
13-Apr-2018 |
dtucker |
Defend against user enumeration timing attacks. This establishes a minimum time for each failed authentication attempt (5ms) and adds a per-user constant derived from a host secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok markus@ djm@.
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.145 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.144 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.143 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.142 |
|
31-May-2017 |
markus |
remove now obsolete ctx from ssh_dispatch_run; ok djm@
|
#
1.141 |
|
31-May-2017 |
markus |
use the ssh_dispatch_run_fatal variant
|
#
1.140 |
|
30-May-2017 |
markus |
switch auth2 to ssh_dispatch API; ok djm@
|
#
1.139 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.138 |
|
30-May-2017 |
markus |
sshd: pass struct ssh to auth functions; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.137 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.136 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.135 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.134 |
|
22-Dec-2014 |
djm |
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
|
#
1.133 |
|
18-Dec-2014 |
djm |
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.132 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.131 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.130 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.129 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.128 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.127 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and freedback djm@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.126 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.125 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.124 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.123 |
|
10-Mar-2011 |
djm |
allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.122 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.121 |
|
22-Jun-2009 |
dtucker |
alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.120 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.119 |
|
04-Jul-2008 |
djm |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2.
ok dtucker@
|
#
1.118 |
|
02-Jul-2008 |
djm |
really really remove the freebie "none" auth try for protocol 2
|
#
1.117 |
|
02-Jul-2008 |
djm |
Make protocol 2 MaxAuthTries behaviour a little more sensible:
Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).
Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.
Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).
Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.116 |
|
29-Sep-2007 |
dtucker |
Remove unused prototype. ok djm@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.115 |
|
14-Apr-2007 |
stevesk |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.114 |
|
01-Mar-2007 |
dtucker |
Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.113 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.112 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.111 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.110 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.109 |
|
20-Mar-2006 |
deraadt |
sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
|
#
1.108 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.107 |
|
28-Jul-2004 |
markus |
branches: 1.107.6; 1.107.8; more s/illegal/invalid/
|
#
1.106 |
|
21-Jul-2004 |
djm |
bz#899: Don't display invalid usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; ok markus@
|
#
1.105 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.104 |
|
04-Nov-2003 |
djm |
branches: 1.104.2; standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
|
#
1.103 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.102 |
|
26-Aug-2003 |
markus |
branches: 1.102.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.101 |
|
22-Aug-2003 |
markus |
nuke "kerberos-2@ssh.com"
|
#
1.100 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.99 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.98 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.97 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.96 |
|
06-Feb-2003 |
markus |
branches: 1.96.2; undo broken fix for #387, fixes #486
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.95 |
|
22-Aug-2002 |
markus |
branches: 1.95.2; auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
|
#
1.94 |
|
30-Jun-2002 |
deraadt |
lint asks that we use names that do not overlap
|
#
1.93 |
|
31-May-2002 |
markus |
move Authmethod definitons to per-method file.
|
#
1.92 |
|
25-May-2002 |
markus |
split auth2.c into one file per method; ok provos@/deraadt@
|
#
1.91 |
|
13-May-2002 |
itojun |
less warnings. skey_{respond,query} are public (in auth.h)
|
#
1.90 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.89 |
|
19-Mar-2002 |
markus |
branches: 1.89.2; make getpwnamallow() allways call pwcopy()
|
#
1.88 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.87 |
|
18-Mar-2002 |
provos |
have the authentication functions return the authentication context and then do_authenticated; okay millert@
|
#
1.86 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.85 |
|
24-Feb-2002 |
markus |
signed vs. unsigned: make size arguments u_int, ok stevesk@
|
#
1.84 |
|
04-Feb-2002 |
markus |
cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
|
#
1.83 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.82 |
|
13-Jan-2002 |
markus |
use buffer API and avoid static strings of fixed size; ok provos@/mouring@
|
#
1.81 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.80 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.77 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.76 |
|
18-Dec-2001 |
jakob |
log fingerprint on successful public key authentication; ok markus@
|
#
1.75 |
|
09-Dec-2001 |
markus |
add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions, fixes memleak.
|
#
1.74 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.73 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.72 |
|
07-Nov-2001 |
markus |
unused includes
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.71 |
|
27-Sep-2001 |
markus |
branches: 1.71.2; typos; from solar
|
#
1.70 |
|
20-Sep-2001 |
markus |
key_read returns now -1 or 1
|
#
1.69 |
|
23-Jul-2001 |
stevesk |
use %lu; ok markus@
|
#
1.68 |
|
26-Jun-2001 |
markus |
new interface for secure_filename()
|
#
1.67 |
|
25-Jun-2001 |
stevesk |
prototype cleanup; ok markus@
|
#
1.66 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.65 |
|
23-Jun-2001 |
markus |
restore correct ignore_user_known_hosts logic.
|
#
1.64 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.63 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.62 |
|
07-Jun-2001 |
markus |
style is used for bsdauth. disconnect on user/service change (ietf-drafts)
|
#
1.61 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.60 |
|
30-May-2001 |
markus |
merge
|
#
1.59 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.58 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
#
1.57 |
|
18-May-2001 |
markus |
improved kbd-interactive support. work by per@appgate.com and me
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.56 |
|
19-Apr-2001 |
markus |
branches: 1.56.2; use local variable, no function call needed. (btw, hostbased works now with ssh.com >= 2.0.13)
|
#
1.55 |
|
18-Apr-2001 |
markus |
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now (however the 2.1.0 server seems to work only if debug is enabled...)
|
#
1.54 |
|
18-Apr-2001 |
markus |
no longer const
|
#
1.53 |
|
18-Apr-2001 |
markus |
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
#
1.52 |
|
12-Apr-2001 |
markus |
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.51 |
|
06-Apr-2001 |
markus |
do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
|
#
1.50 |
|
04-Apr-2001 |
markus |
we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
|
#
1.49 |
|
28-Mar-2001 |
markus |
check auth_root_allowed for kbd-int auth, too.
|
#
1.48 |
|
21-Mar-2001 |
markus |
merge common ssh v1/2 code
|
#
1.47 |
|
20-Mar-2001 |
markus |
add changes need for BSD_AUTH plus disabled BSD_AUTH code
|
#
1.46 |
|
11-Mar-2001 |
markus |
debug
|
#
1.45 |
|
04-Mar-2001 |
djm |
Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid header conflicts in portable; ok markus@
|
#
1.44 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.43 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.42 |
|
13-Feb-2001 |
markus |
setproctitle(user) only if getpwnam succeeds
|
#
1.41 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.40 |
|
10-Feb-2001 |
markus |
offer passwd before s/key
|
#
1.39 |
|
08-Feb-2001 |
markus |
strict checking
|
#
1.38 |
|
08-Feb-2001 |
markus |
fix typo
|
#
1.37 |
|
07-Feb-2001 |
markus |
move k_setpag() to a central place; ok dugsong@
|
#
1.36 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.35 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.34 |
|
22-Jan-2001 |
markus |
rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
#
1.33 |
|
22-Jan-2001 |
markus |
no need to include; from mouring@etoh.eviladmin.org
|
#
1.32 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.31 |
|
20-Jan-2001 |
markus |
typo
|
#
1.30 |
|
20-Jan-2001 |
markus |
pass the filename to auth_parse_options()
|
#
1.29 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.28 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
|
#
1.27 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
#
1.26 |
|
13-Jan-2001 |
markus |
enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu
|
#
1.25 |
|
08-Jan-2001 |
markus |
implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled).
|
#
1.24 |
|
28-Dec-2000 |
markus |
count authentication failures only
|
#
1.23 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.22 |
|
03-Dec-2000 |
markus |
support f-secure/ssh.com 2.0.12; ok niels@
|
#
1.21 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.20 |
|
14-Oct-2000 |
markus |
branches: 1.20.2; OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons
|
#
1.19 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.18 |
|
11-Oct-2000 |
markus |
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me
|
#
1.17 |
|
11-Oct-2000 |
markus |
clear auth options unless auth sucessfull
|
#
1.16 |
|
27-Sep-2000 |
markus |
use key_type()
|
#
1.15 |
|
21-Sep-2000 |
markus |
add context to dispatch_run
|
#
1.14 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.13 |
|
20-Aug-2000 |
millert |
Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class.
|
#
1.12 |
|
07-Jul-2000 |
todd |
clean code is good code
|
#
1.11 |
|
19-Jun-2000 |
markus |
make userauth+pubkey interop with ssh.com-2.2.0
|
#
1.10 |
|
18-Jun-2000 |
markus |
split auth-rsa option parsing into auth-options add options support to authorized_keys2
|
#
1.9 |
|
18-Jun-2000 |
markus |
implement bug compatibility with ssh-2.0.13 pubkey, server side
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.8 |
|
08-May-2000 |
markus |
branches: 1.8.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.7 |
|
06-May-2000 |
markus |
add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
|
#
1.6 |
|
05-May-2000 |
markus |
log failure before sending the reply
|
#
1.5 |
|
01-May-2000 |
djm |
Add missing #ifdefs; ok - markus
|
#
1.4 |
|
01-May-2000 |
markus |
disable kerb,s/key in ssh2
|
#
1.3 |
|
27-Apr-2000 |
markus |
cleanup logging for sshd/2, respect PasswordAuth no
|
#
1.2 |
|
27-Apr-2000 |
markus |
xfree DSA blobs
|
#
1.1 |
|
26-Apr-2000 |
markus |
split auth/sshconnect in one file per protocol version
|
#
1.151 |
|
17-Jan-2019 |
djm |
include time.h for time(3)/nanosleep(2); from Ian McKellar
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.150 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.149 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.148 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.147 |
|
11-May-2018 |
dtucker |
Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms where int64 is long not long long. ok djm@
|
#
1.146 |
|
13-Apr-2018 |
dtucker |
Defend against user enumeration timing attacks. This establishes a minimum time for each failed authentication attempt (5ms) and adds a per-user constant derived from a host secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok markus@ djm@.
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.145 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.144 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.143 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.142 |
|
31-May-2017 |
markus |
remove now obsolete ctx from ssh_dispatch_run; ok djm@
|
#
1.141 |
|
31-May-2017 |
markus |
use the ssh_dispatch_run_fatal variant
|
#
1.140 |
|
30-May-2017 |
markus |
switch auth2 to ssh_dispatch API; ok djm@
|
#
1.139 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.138 |
|
30-May-2017 |
markus |
sshd: pass struct ssh to auth functions; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.137 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.136 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.135 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.134 |
|
22-Dec-2014 |
djm |
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
|
#
1.133 |
|
18-Dec-2014 |
djm |
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.132 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.131 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.130 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.129 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.128 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.127 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and freedback djm@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.126 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.125 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.124 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.123 |
|
10-Mar-2011 |
djm |
allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.122 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.121 |
|
22-Jun-2009 |
dtucker |
alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.120 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.119 |
|
04-Jul-2008 |
djm |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2.
ok dtucker@
|
#
1.118 |
|
02-Jul-2008 |
djm |
really really remove the freebie "none" auth try for protocol 2
|
#
1.117 |
|
02-Jul-2008 |
djm |
Make protocol 2 MaxAuthTries behaviour a little more sensible:
Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).
Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.
Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).
Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.116 |
|
29-Sep-2007 |
dtucker |
Remove unused prototype. ok djm@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.115 |
|
14-Apr-2007 |
stevesk |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.114 |
|
01-Mar-2007 |
dtucker |
Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.113 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.112 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.111 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.110 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.109 |
|
20-Mar-2006 |
deraadt |
sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
|
#
1.108 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.107 |
|
28-Jul-2004 |
markus |
branches: 1.107.6; 1.107.8; more s/illegal/invalid/
|
#
1.106 |
|
21-Jul-2004 |
djm |
bz#899: Don't display invalid usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; ok markus@
|
#
1.105 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.104 |
|
04-Nov-2003 |
djm |
branches: 1.104.2; standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
|
#
1.103 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.102 |
|
26-Aug-2003 |
markus |
branches: 1.102.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.101 |
|
22-Aug-2003 |
markus |
nuke "kerberos-2@ssh.com"
|
#
1.100 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.99 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.98 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.97 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.96 |
|
06-Feb-2003 |
markus |
branches: 1.96.2; undo broken fix for #387, fixes #486
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.95 |
|
22-Aug-2002 |
markus |
branches: 1.95.2; auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
|
#
1.94 |
|
30-Jun-2002 |
deraadt |
lint asks that we use names that do not overlap
|
#
1.93 |
|
31-May-2002 |
markus |
move Authmethod definitons to per-method file.
|
#
1.92 |
|
25-May-2002 |
markus |
split auth2.c into one file per method; ok provos@/deraadt@
|
#
1.91 |
|
13-May-2002 |
itojun |
less warnings. skey_{respond,query} are public (in auth.h)
|
#
1.90 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.89 |
|
19-Mar-2002 |
markus |
branches: 1.89.2; make getpwnamallow() allways call pwcopy()
|
#
1.88 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.87 |
|
18-Mar-2002 |
provos |
have the authentication functions return the authentication context and then do_authenticated; okay millert@
|
#
1.86 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.85 |
|
24-Feb-2002 |
markus |
signed vs. unsigned: make size arguments u_int, ok stevesk@
|
#
1.84 |
|
04-Feb-2002 |
markus |
cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
|
#
1.83 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.82 |
|
13-Jan-2002 |
markus |
use buffer API and avoid static strings of fixed size; ok provos@/mouring@
|
#
1.81 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.80 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.77 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.76 |
|
18-Dec-2001 |
jakob |
log fingerprint on successful public key authentication; ok markus@
|
#
1.75 |
|
09-Dec-2001 |
markus |
add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions, fixes memleak.
|
#
1.74 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.73 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.72 |
|
07-Nov-2001 |
markus |
unused includes
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.71 |
|
27-Sep-2001 |
markus |
branches: 1.71.2; typos; from solar
|
#
1.70 |
|
20-Sep-2001 |
markus |
key_read returns now -1 or 1
|
#
1.69 |
|
23-Jul-2001 |
stevesk |
use %lu; ok markus@
|
#
1.68 |
|
26-Jun-2001 |
markus |
new interface for secure_filename()
|
#
1.67 |
|
25-Jun-2001 |
stevesk |
prototype cleanup; ok markus@
|
#
1.66 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.65 |
|
23-Jun-2001 |
markus |
restore correct ignore_user_known_hosts logic.
|
#
1.64 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.63 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.62 |
|
07-Jun-2001 |
markus |
style is used for bsdauth. disconnect on user/service change (ietf-drafts)
|
#
1.61 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.60 |
|
30-May-2001 |
markus |
merge
|
#
1.59 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.58 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
#
1.57 |
|
18-May-2001 |
markus |
improved kbd-interactive support. work by per@appgate.com and me
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.56 |
|
19-Apr-2001 |
markus |
branches: 1.56.2; use local variable, no function call needed. (btw, hostbased works now with ssh.com >= 2.0.13)
|
#
1.55 |
|
18-Apr-2001 |
markus |
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now (however the 2.1.0 server seems to work only if debug is enabled...)
|
#
1.54 |
|
18-Apr-2001 |
markus |
no longer const
|
#
1.53 |
|
18-Apr-2001 |
markus |
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
#
1.52 |
|
12-Apr-2001 |
markus |
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.51 |
|
06-Apr-2001 |
markus |
do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
|
#
1.50 |
|
04-Apr-2001 |
markus |
we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
|
#
1.49 |
|
28-Mar-2001 |
markus |
check auth_root_allowed for kbd-int auth, too.
|
#
1.48 |
|
21-Mar-2001 |
markus |
merge common ssh v1/2 code
|
#
1.47 |
|
20-Mar-2001 |
markus |
add changes need for BSD_AUTH plus disabled BSD_AUTH code
|
#
1.46 |
|
11-Mar-2001 |
markus |
debug
|
#
1.45 |
|
04-Mar-2001 |
djm |
Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid header conflicts in portable; ok markus@
|
#
1.44 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.43 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.42 |
|
13-Feb-2001 |
markus |
setproctitle(user) only if getpwnam succeeds
|
#
1.41 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.40 |
|
10-Feb-2001 |
markus |
offer passwd before s/key
|
#
1.39 |
|
08-Feb-2001 |
markus |
strict checking
|
#
1.38 |
|
08-Feb-2001 |
markus |
fix typo
|
#
1.37 |
|
07-Feb-2001 |
markus |
move k_setpag() to a central place; ok dugsong@
|
#
1.36 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.35 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.34 |
|
22-Jan-2001 |
markus |
rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
#
1.33 |
|
22-Jan-2001 |
markus |
no need to include; from mouring@etoh.eviladmin.org
|
#
1.32 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.31 |
|
20-Jan-2001 |
markus |
typo
|
#
1.30 |
|
20-Jan-2001 |
markus |
pass the filename to auth_parse_options()
|
#
1.29 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.28 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
|
#
1.27 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
#
1.26 |
|
13-Jan-2001 |
markus |
enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu
|
#
1.25 |
|
08-Jan-2001 |
markus |
implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled).
|
#
1.24 |
|
28-Dec-2000 |
markus |
count authentication failures only
|
#
1.23 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.22 |
|
03-Dec-2000 |
markus |
support f-secure/ssh.com 2.0.12; ok niels@
|
#
1.21 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.20 |
|
14-Oct-2000 |
markus |
branches: 1.20.2; OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons
|
#
1.19 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.18 |
|
11-Oct-2000 |
markus |
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me
|
#
1.17 |
|
11-Oct-2000 |
markus |
clear auth options unless auth sucessfull
|
#
1.16 |
|
27-Sep-2000 |
markus |
use key_type()
|
#
1.15 |
|
21-Sep-2000 |
markus |
add context to dispatch_run
|
#
1.14 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.13 |
|
20-Aug-2000 |
millert |
Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class.
|
#
1.12 |
|
07-Jul-2000 |
todd |
clean code is good code
|
#
1.11 |
|
19-Jun-2000 |
markus |
make userauth+pubkey interop with ssh.com-2.2.0
|
#
1.10 |
|
18-Jun-2000 |
markus |
split auth-rsa option parsing into auth-options add options support to authorized_keys2
|
#
1.9 |
|
18-Jun-2000 |
markus |
implement bug compatibility with ssh-2.0.13 pubkey, server side
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.8 |
|
08-May-2000 |
markus |
branches: 1.8.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.7 |
|
06-May-2000 |
markus |
add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
|
#
1.6 |
|
05-May-2000 |
markus |
log failure before sending the reply
|
#
1.5 |
|
01-May-2000 |
djm |
Add missing #ifdefs; ok - markus
|
#
1.4 |
|
01-May-2000 |
markus |
disable kerb,s/key in ssh2
|
#
1.3 |
|
27-Apr-2000 |
markus |
cleanup logging for sshd/2, respect PasswordAuth no
|
#
1.2 |
|
27-Apr-2000 |
markus |
xfree DSA blobs
|
#
1.1 |
|
26-Apr-2000 |
markus |
split auth/sshconnect in one file per protocol version
|
#
1.150 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.149 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.148 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.147 |
|
11-May-2018 |
dtucker |
Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms where int64 is long not long long. ok djm@
|
#
1.146 |
|
13-Apr-2018 |
dtucker |
Defend against user enumeration timing attacks. This establishes a minimum time for each failed authentication attempt (5ms) and adds a per-user constant derived from a host secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok markus@ djm@.
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.145 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.144 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.143 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.142 |
|
31-May-2017 |
markus |
remove now obsolete ctx from ssh_dispatch_run; ok djm@
|
#
1.141 |
|
31-May-2017 |
markus |
use the ssh_dispatch_run_fatal variant
|
#
1.140 |
|
30-May-2017 |
markus |
switch auth2 to ssh_dispatch API; ok djm@
|
#
1.139 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.138 |
|
30-May-2017 |
markus |
sshd: pass struct ssh to auth functions; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.137 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.136 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.135 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.134 |
|
22-Dec-2014 |
djm |
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
|
#
1.133 |
|
18-Dec-2014 |
djm |
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.132 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.131 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.130 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.129 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.128 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.127 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and freedback djm@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.126 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.125 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.124 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.123 |
|
10-Mar-2011 |
djm |
allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.122 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.121 |
|
22-Jun-2009 |
dtucker |
alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.120 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.119 |
|
04-Jul-2008 |
djm |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2.
ok dtucker@
|
#
1.118 |
|
02-Jul-2008 |
djm |
really really remove the freebie "none" auth try for protocol 2
|
#
1.117 |
|
02-Jul-2008 |
djm |
Make protocol 2 MaxAuthTries behaviour a little more sensible:
Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).
Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.
Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).
Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.116 |
|
29-Sep-2007 |
dtucker |
Remove unused prototype. ok djm@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.115 |
|
14-Apr-2007 |
stevesk |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.114 |
|
01-Mar-2007 |
dtucker |
Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.113 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.112 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.111 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.110 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.109 |
|
20-Mar-2006 |
deraadt |
sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
|
#
1.108 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.107 |
|
28-Jul-2004 |
markus |
branches: 1.107.6; 1.107.8; more s/illegal/invalid/
|
#
1.106 |
|
21-Jul-2004 |
djm |
bz#899: Don't display invalid usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; ok markus@
|
#
1.105 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.104 |
|
04-Nov-2003 |
djm |
branches: 1.104.2; standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
|
#
1.103 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.102 |
|
26-Aug-2003 |
markus |
branches: 1.102.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.101 |
|
22-Aug-2003 |
markus |
nuke "kerberos-2@ssh.com"
|
#
1.100 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.99 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.98 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.97 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.96 |
|
06-Feb-2003 |
markus |
branches: 1.96.2; undo broken fix for #387, fixes #486
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.95 |
|
22-Aug-2002 |
markus |
branches: 1.95.2; auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
|
#
1.94 |
|
30-Jun-2002 |
deraadt |
lint asks that we use names that do not overlap
|
#
1.93 |
|
31-May-2002 |
markus |
move Authmethod definitons to per-method file.
|
#
1.92 |
|
25-May-2002 |
markus |
split auth2.c into one file per method; ok provos@/deraadt@
|
#
1.91 |
|
13-May-2002 |
itojun |
less warnings. skey_{respond,query} are public (in auth.h)
|
#
1.90 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.89 |
|
19-Mar-2002 |
markus |
branches: 1.89.2; make getpwnamallow() allways call pwcopy()
|
#
1.88 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.87 |
|
18-Mar-2002 |
provos |
have the authentication functions return the authentication context and then do_authenticated; okay millert@
|
#
1.86 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.85 |
|
24-Feb-2002 |
markus |
signed vs. unsigned: make size arguments u_int, ok stevesk@
|
#
1.84 |
|
04-Feb-2002 |
markus |
cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
|
#
1.83 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.82 |
|
13-Jan-2002 |
markus |
use buffer API and avoid static strings of fixed size; ok provos@/mouring@
|
#
1.81 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.80 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.77 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.76 |
|
18-Dec-2001 |
jakob |
log fingerprint on successful public key authentication; ok markus@
|
#
1.75 |
|
09-Dec-2001 |
markus |
add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions, fixes memleak.
|
#
1.74 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.73 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.72 |
|
07-Nov-2001 |
markus |
unused includes
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.71 |
|
27-Sep-2001 |
markus |
branches: 1.71.2; typos; from solar
|
#
1.70 |
|
20-Sep-2001 |
markus |
key_read returns now -1 or 1
|
#
1.69 |
|
23-Jul-2001 |
stevesk |
use %lu; ok markus@
|
#
1.68 |
|
26-Jun-2001 |
markus |
new interface for secure_filename()
|
#
1.67 |
|
25-Jun-2001 |
stevesk |
prototype cleanup; ok markus@
|
#
1.66 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.65 |
|
23-Jun-2001 |
markus |
restore correct ignore_user_known_hosts logic.
|
#
1.64 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.63 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.62 |
|
07-Jun-2001 |
markus |
style is used for bsdauth. disconnect on user/service change (ietf-drafts)
|
#
1.61 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.60 |
|
30-May-2001 |
markus |
merge
|
#
1.59 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.58 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
#
1.57 |
|
18-May-2001 |
markus |
improved kbd-interactive support. work by per@appgate.com and me
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.56 |
|
19-Apr-2001 |
markus |
branches: 1.56.2; use local variable, no function call needed. (btw, hostbased works now with ssh.com >= 2.0.13)
|
#
1.55 |
|
18-Apr-2001 |
markus |
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now (however the 2.1.0 server seems to work only if debug is enabled...)
|
#
1.54 |
|
18-Apr-2001 |
markus |
no longer const
|
#
1.53 |
|
18-Apr-2001 |
markus |
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
#
1.52 |
|
12-Apr-2001 |
markus |
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.51 |
|
06-Apr-2001 |
markus |
do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
|
#
1.50 |
|
04-Apr-2001 |
markus |
we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
|
#
1.49 |
|
28-Mar-2001 |
markus |
check auth_root_allowed for kbd-int auth, too.
|
#
1.48 |
|
21-Mar-2001 |
markus |
merge common ssh v1/2 code
|
#
1.47 |
|
20-Mar-2001 |
markus |
add changes need for BSD_AUTH plus disabled BSD_AUTH code
|
#
1.46 |
|
11-Mar-2001 |
markus |
debug
|
#
1.45 |
|
04-Mar-2001 |
djm |
Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid header conflicts in portable; ok markus@
|
#
1.44 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.43 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.42 |
|
13-Feb-2001 |
markus |
setproctitle(user) only if getpwnam succeeds
|
#
1.41 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.40 |
|
10-Feb-2001 |
markus |
offer passwd before s/key
|
#
1.39 |
|
08-Feb-2001 |
markus |
strict checking
|
#
1.38 |
|
08-Feb-2001 |
markus |
fix typo
|
#
1.37 |
|
07-Feb-2001 |
markus |
move k_setpag() to a central place; ok dugsong@
|
#
1.36 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.35 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.34 |
|
22-Jan-2001 |
markus |
rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
#
1.33 |
|
22-Jan-2001 |
markus |
no need to include; from mouring@etoh.eviladmin.org
|
#
1.32 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.31 |
|
20-Jan-2001 |
markus |
typo
|
#
1.30 |
|
20-Jan-2001 |
markus |
pass the filename to auth_parse_options()
|
#
1.29 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.28 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
|
#
1.27 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
#
1.26 |
|
13-Jan-2001 |
markus |
enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu
|
#
1.25 |
|
08-Jan-2001 |
markus |
implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled).
|
#
1.24 |
|
28-Dec-2000 |
markus |
count authentication failures only
|
#
1.23 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.22 |
|
03-Dec-2000 |
markus |
support f-secure/ssh.com 2.0.12; ok niels@
|
#
1.21 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.20 |
|
14-Oct-2000 |
markus |
branches: 1.20.2; OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons
|
#
1.19 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.18 |
|
11-Oct-2000 |
markus |
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me
|
#
1.17 |
|
11-Oct-2000 |
markus |
clear auth options unless auth sucessfull
|
#
1.16 |
|
27-Sep-2000 |
markus |
use key_type()
|
#
1.15 |
|
21-Sep-2000 |
markus |
add context to dispatch_run
|
#
1.14 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.13 |
|
20-Aug-2000 |
millert |
Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class.
|
#
1.12 |
|
07-Jul-2000 |
todd |
clean code is good code
|
#
1.11 |
|
19-Jun-2000 |
markus |
make userauth+pubkey interop with ssh.com-2.2.0
|
#
1.10 |
|
18-Jun-2000 |
markus |
split auth-rsa option parsing into auth-options add options support to authorized_keys2
|
#
1.9 |
|
18-Jun-2000 |
markus |
implement bug compatibility with ssh-2.0.13 pubkey, server side
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.8 |
|
08-May-2000 |
markus |
branches: 1.8.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.7 |
|
06-May-2000 |
markus |
add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
|
#
1.6 |
|
05-May-2000 |
markus |
log failure before sending the reply
|
#
1.5 |
|
01-May-2000 |
djm |
Add missing #ifdefs; ok - markus
|
#
1.4 |
|
01-May-2000 |
markus |
disable kerb,s/key in ssh2
|
#
1.3 |
|
27-Apr-2000 |
markus |
cleanup logging for sshd/2, respect PasswordAuth no
|
#
1.2 |
|
27-Apr-2000 |
markus |
xfree DSA blobs
|
#
1.1 |
|
26-Apr-2000 |
markus |
split auth/sshconnect in one file per protocol version
|
#
1.149 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.148 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.147 |
|
11-May-2018 |
dtucker |
Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms where int64 is long not long long. ok djm@
|
#
1.146 |
|
13-Apr-2018 |
dtucker |
Defend against user enumeration timing attacks. This establishes a minimum time for each failed authentication attempt (5ms) and adds a per-user constant derived from a host secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok markus@ djm@.
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.145 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.144 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.143 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.142 |
|
31-May-2017 |
markus |
remove now obsolete ctx from ssh_dispatch_run; ok djm@
|
#
1.141 |
|
31-May-2017 |
markus |
use the ssh_dispatch_run_fatal variant
|
#
1.140 |
|
30-May-2017 |
markus |
switch auth2 to ssh_dispatch API; ok djm@
|
#
1.139 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.138 |
|
30-May-2017 |
markus |
sshd: pass struct ssh to auth functions; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.137 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.136 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.135 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.134 |
|
22-Dec-2014 |
djm |
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
|
#
1.133 |
|
18-Dec-2014 |
djm |
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.132 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.131 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.130 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.129 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.128 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.127 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and freedback djm@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.126 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.125 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.124 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.123 |
|
10-Mar-2011 |
djm |
allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.122 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.121 |
|
22-Jun-2009 |
dtucker |
alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.120 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.119 |
|
04-Jul-2008 |
djm |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2.
ok dtucker@
|
#
1.118 |
|
02-Jul-2008 |
djm |
really really remove the freebie "none" auth try for protocol 2
|
#
1.117 |
|
02-Jul-2008 |
djm |
Make protocol 2 MaxAuthTries behaviour a little more sensible:
Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).
Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.
Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).
Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.116 |
|
29-Sep-2007 |
dtucker |
Remove unused prototype. ok djm@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.115 |
|
14-Apr-2007 |
stevesk |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.114 |
|
01-Mar-2007 |
dtucker |
Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.113 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.112 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.111 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.110 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.109 |
|
20-Mar-2006 |
deraadt |
sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
|
#
1.108 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.107 |
|
28-Jul-2004 |
markus |
branches: 1.107.6; 1.107.8; more s/illegal/invalid/
|
#
1.106 |
|
21-Jul-2004 |
djm |
bz#899: Don't display invalid usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; ok markus@
|
#
1.105 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.104 |
|
04-Nov-2003 |
djm |
branches: 1.104.2; standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
|
#
1.103 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.102 |
|
26-Aug-2003 |
markus |
branches: 1.102.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.101 |
|
22-Aug-2003 |
markus |
nuke "kerberos-2@ssh.com"
|
#
1.100 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.99 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.98 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.97 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.96 |
|
06-Feb-2003 |
markus |
branches: 1.96.2; undo broken fix for #387, fixes #486
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.95 |
|
22-Aug-2002 |
markus |
branches: 1.95.2; auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
|
#
1.94 |
|
30-Jun-2002 |
deraadt |
lint asks that we use names that do not overlap
|
#
1.93 |
|
31-May-2002 |
markus |
move Authmethod definitons to per-method file.
|
#
1.92 |
|
25-May-2002 |
markus |
split auth2.c into one file per method; ok provos@/deraadt@
|
#
1.91 |
|
13-May-2002 |
itojun |
less warnings. skey_{respond,query} are public (in auth.h)
|
#
1.90 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.89 |
|
19-Mar-2002 |
markus |
branches: 1.89.2; make getpwnamallow() allways call pwcopy()
|
#
1.88 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.87 |
|
18-Mar-2002 |
provos |
have the authentication functions return the authentication context and then do_authenticated; okay millert@
|
#
1.86 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.85 |
|
24-Feb-2002 |
markus |
signed vs. unsigned: make size arguments u_int, ok stevesk@
|
#
1.84 |
|
04-Feb-2002 |
markus |
cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
|
#
1.83 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.82 |
|
13-Jan-2002 |
markus |
use buffer API and avoid static strings of fixed size; ok provos@/mouring@
|
#
1.81 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.80 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.77 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.76 |
|
18-Dec-2001 |
jakob |
log fingerprint on successful public key authentication; ok markus@
|
#
1.75 |
|
09-Dec-2001 |
markus |
add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions, fixes memleak.
|
#
1.74 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.73 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.72 |
|
07-Nov-2001 |
markus |
unused includes
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.71 |
|
27-Sep-2001 |
markus |
branches: 1.71.2; typos; from solar
|
#
1.70 |
|
20-Sep-2001 |
markus |
key_read returns now -1 or 1
|
#
1.69 |
|
23-Jul-2001 |
stevesk |
use %lu; ok markus@
|
#
1.68 |
|
26-Jun-2001 |
markus |
new interface for secure_filename()
|
#
1.67 |
|
25-Jun-2001 |
stevesk |
prototype cleanup; ok markus@
|
#
1.66 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.65 |
|
23-Jun-2001 |
markus |
restore correct ignore_user_known_hosts logic.
|
#
1.64 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.63 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.62 |
|
07-Jun-2001 |
markus |
style is used for bsdauth. disconnect on user/service change (ietf-drafts)
|
#
1.61 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.60 |
|
30-May-2001 |
markus |
merge
|
#
1.59 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.58 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
#
1.57 |
|
18-May-2001 |
markus |
improved kbd-interactive support. work by per@appgate.com and me
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.56 |
|
19-Apr-2001 |
markus |
branches: 1.56.2; use local variable, no function call needed. (btw, hostbased works now with ssh.com >= 2.0.13)
|
#
1.55 |
|
18-Apr-2001 |
markus |
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now (however the 2.1.0 server seems to work only if debug is enabled...)
|
#
1.54 |
|
18-Apr-2001 |
markus |
no longer const
|
#
1.53 |
|
18-Apr-2001 |
markus |
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
#
1.52 |
|
12-Apr-2001 |
markus |
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.51 |
|
06-Apr-2001 |
markus |
do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
|
#
1.50 |
|
04-Apr-2001 |
markus |
we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
|
#
1.49 |
|
28-Mar-2001 |
markus |
check auth_root_allowed for kbd-int auth, too.
|
#
1.48 |
|
21-Mar-2001 |
markus |
merge common ssh v1/2 code
|
#
1.47 |
|
20-Mar-2001 |
markus |
add changes need for BSD_AUTH plus disabled BSD_AUTH code
|
#
1.46 |
|
11-Mar-2001 |
markus |
debug
|
#
1.45 |
|
04-Mar-2001 |
djm |
Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid header conflicts in portable; ok markus@
|
#
1.44 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.43 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.42 |
|
13-Feb-2001 |
markus |
setproctitle(user) only if getpwnam succeeds
|
#
1.41 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.40 |
|
10-Feb-2001 |
markus |
offer passwd before s/key
|
#
1.39 |
|
08-Feb-2001 |
markus |
strict checking
|
#
1.38 |
|
08-Feb-2001 |
markus |
fix typo
|
#
1.37 |
|
07-Feb-2001 |
markus |
move k_setpag() to a central place; ok dugsong@
|
#
1.36 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.35 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.34 |
|
22-Jan-2001 |
markus |
rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
#
1.33 |
|
22-Jan-2001 |
markus |
no need to include; from mouring@etoh.eviladmin.org
|
#
1.32 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.31 |
|
20-Jan-2001 |
markus |
typo
|
#
1.30 |
|
20-Jan-2001 |
markus |
pass the filename to auth_parse_options()
|
#
1.29 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.28 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
|
#
1.27 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
#
1.26 |
|
13-Jan-2001 |
markus |
enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu
|
#
1.25 |
|
08-Jan-2001 |
markus |
implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled).
|
#
1.24 |
|
28-Dec-2000 |
markus |
count authentication failures only
|
#
1.23 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.22 |
|
03-Dec-2000 |
markus |
support f-secure/ssh.com 2.0.12; ok niels@
|
#
1.21 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.20 |
|
14-Oct-2000 |
markus |
branches: 1.20.2; OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons
|
#
1.19 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.18 |
|
11-Oct-2000 |
markus |
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me
|
#
1.17 |
|
11-Oct-2000 |
markus |
clear auth options unless auth sucessfull
|
#
1.16 |
|
27-Sep-2000 |
markus |
use key_type()
|
#
1.15 |
|
21-Sep-2000 |
markus |
add context to dispatch_run
|
#
1.14 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.13 |
|
20-Aug-2000 |
millert |
Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class.
|
#
1.12 |
|
07-Jul-2000 |
todd |
clean code is good code
|
#
1.11 |
|
19-Jun-2000 |
markus |
make userauth+pubkey interop with ssh.com-2.2.0
|
#
1.10 |
|
18-Jun-2000 |
markus |
split auth-rsa option parsing into auth-options add options support to authorized_keys2
|
#
1.9 |
|
18-Jun-2000 |
markus |
implement bug compatibility with ssh-2.0.13 pubkey, server side
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.8 |
|
08-May-2000 |
markus |
branches: 1.8.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.7 |
|
06-May-2000 |
markus |
add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
|
#
1.6 |
|
05-May-2000 |
markus |
log failure before sending the reply
|
#
1.5 |
|
01-May-2000 |
djm |
Add missing #ifdefs; ok - markus
|
#
1.4 |
|
01-May-2000 |
markus |
disable kerb,s/key in ssh2
|
#
1.3 |
|
27-Apr-2000 |
markus |
cleanup logging for sshd/2, respect PasswordAuth no
|
#
1.2 |
|
27-Apr-2000 |
markus |
xfree DSA blobs
|
#
1.1 |
|
26-Apr-2000 |
markus |
split auth/sshconnect in one file per protocol version
|
#
1.147 |
|
11-May-2018 |
dtucker |
Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms where int64 is long not long long. ok djm@
|
#
1.146 |
|
13-Apr-2018 |
dtucker |
Defend against user enumeration timing attacks. This establishes a minimum time for each failed authentication attempt (5ms) and adds a per-user constant derived from a host secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok markus@ djm@.
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.145 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.144 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.143 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.142 |
|
31-May-2017 |
markus |
remove now obsolete ctx from ssh_dispatch_run; ok djm@
|
#
1.141 |
|
31-May-2017 |
markus |
use the ssh_dispatch_run_fatal variant
|
#
1.140 |
|
30-May-2017 |
markus |
switch auth2 to ssh_dispatch API; ok djm@
|
#
1.139 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.138 |
|
30-May-2017 |
markus |
sshd: pass struct ssh to auth functions; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.137 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.136 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.135 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.134 |
|
22-Dec-2014 |
djm |
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
|
#
1.133 |
|
18-Dec-2014 |
djm |
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.132 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.131 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.130 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.129 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.128 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.127 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and freedback djm@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.126 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.125 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.124 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.123 |
|
10-Mar-2011 |
djm |
allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.122 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.121 |
|
22-Jun-2009 |
dtucker |
alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.120 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.119 |
|
04-Jul-2008 |
djm |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2.
ok dtucker@
|
#
1.118 |
|
02-Jul-2008 |
djm |
really really remove the freebie "none" auth try for protocol 2
|
#
1.117 |
|
02-Jul-2008 |
djm |
Make protocol 2 MaxAuthTries behaviour a little more sensible:
Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).
Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.
Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).
Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.116 |
|
29-Sep-2007 |
dtucker |
Remove unused prototype. ok djm@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.115 |
|
14-Apr-2007 |
stevesk |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.114 |
|
01-Mar-2007 |
dtucker |
Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.113 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.112 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.111 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.110 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.109 |
|
20-Mar-2006 |
deraadt |
sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
|
#
1.108 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.107 |
|
28-Jul-2004 |
markus |
branches: 1.107.6; 1.107.8; more s/illegal/invalid/
|
#
1.106 |
|
21-Jul-2004 |
djm |
bz#899: Don't display invalid usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; ok markus@
|
#
1.105 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.104 |
|
04-Nov-2003 |
djm |
branches: 1.104.2; standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
|
#
1.103 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.102 |
|
26-Aug-2003 |
markus |
branches: 1.102.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.101 |
|
22-Aug-2003 |
markus |
nuke "kerberos-2@ssh.com"
|
#
1.100 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.99 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.98 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.97 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.96 |
|
06-Feb-2003 |
markus |
branches: 1.96.2; undo broken fix for #387, fixes #486
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.95 |
|
22-Aug-2002 |
markus |
branches: 1.95.2; auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
|
#
1.94 |
|
30-Jun-2002 |
deraadt |
lint asks that we use names that do not overlap
|
#
1.93 |
|
31-May-2002 |
markus |
move Authmethod definitons to per-method file.
|
#
1.92 |
|
25-May-2002 |
markus |
split auth2.c into one file per method; ok provos@/deraadt@
|
#
1.91 |
|
13-May-2002 |
itojun |
less warnings. skey_{respond,query} are public (in auth.h)
|
#
1.90 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.89 |
|
19-Mar-2002 |
markus |
branches: 1.89.2; make getpwnamallow() allways call pwcopy()
|
#
1.88 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.87 |
|
18-Mar-2002 |
provos |
have the authentication functions return the authentication context and then do_authenticated; okay millert@
|
#
1.86 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.85 |
|
24-Feb-2002 |
markus |
signed vs. unsigned: make size arguments u_int, ok stevesk@
|
#
1.84 |
|
04-Feb-2002 |
markus |
cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
|
#
1.83 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.82 |
|
13-Jan-2002 |
markus |
use buffer API and avoid static strings of fixed size; ok provos@/mouring@
|
#
1.81 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.80 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.77 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.76 |
|
18-Dec-2001 |
jakob |
log fingerprint on successful public key authentication; ok markus@
|
#
1.75 |
|
09-Dec-2001 |
markus |
add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions, fixes memleak.
|
#
1.74 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.73 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.72 |
|
07-Nov-2001 |
markus |
unused includes
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.71 |
|
27-Sep-2001 |
markus |
branches: 1.71.2; typos; from solar
|
#
1.70 |
|
20-Sep-2001 |
markus |
key_read returns now -1 or 1
|
#
1.69 |
|
23-Jul-2001 |
stevesk |
use %lu; ok markus@
|
#
1.68 |
|
26-Jun-2001 |
markus |
new interface for secure_filename()
|
#
1.67 |
|
25-Jun-2001 |
stevesk |
prototype cleanup; ok markus@
|
#
1.66 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.65 |
|
23-Jun-2001 |
markus |
restore correct ignore_user_known_hosts logic.
|
#
1.64 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.63 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.62 |
|
07-Jun-2001 |
markus |
style is used for bsdauth. disconnect on user/service change (ietf-drafts)
|
#
1.61 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.60 |
|
30-May-2001 |
markus |
merge
|
#
1.59 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.58 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
#
1.57 |
|
18-May-2001 |
markus |
improved kbd-interactive support. work by per@appgate.com and me
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.56 |
|
19-Apr-2001 |
markus |
branches: 1.56.2; use local variable, no function call needed. (btw, hostbased works now with ssh.com >= 2.0.13)
|
#
1.55 |
|
18-Apr-2001 |
markus |
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now (however the 2.1.0 server seems to work only if debug is enabled...)
|
#
1.54 |
|
18-Apr-2001 |
markus |
no longer const
|
#
1.53 |
|
18-Apr-2001 |
markus |
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
#
1.52 |
|
12-Apr-2001 |
markus |
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.51 |
|
06-Apr-2001 |
markus |
do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
|
#
1.50 |
|
04-Apr-2001 |
markus |
we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
|
#
1.49 |
|
28-Mar-2001 |
markus |
check auth_root_allowed for kbd-int auth, too.
|
#
1.48 |
|
21-Mar-2001 |
markus |
merge common ssh v1/2 code
|
#
1.47 |
|
20-Mar-2001 |
markus |
add changes need for BSD_AUTH plus disabled BSD_AUTH code
|
#
1.46 |
|
11-Mar-2001 |
markus |
debug
|
#
1.45 |
|
04-Mar-2001 |
djm |
Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid header conflicts in portable; ok markus@
|
#
1.44 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.43 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.42 |
|
13-Feb-2001 |
markus |
setproctitle(user) only if getpwnam succeeds
|
#
1.41 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.40 |
|
10-Feb-2001 |
markus |
offer passwd before s/key
|
#
1.39 |
|
08-Feb-2001 |
markus |
strict checking
|
#
1.38 |
|
08-Feb-2001 |
markus |
fix typo
|
#
1.37 |
|
07-Feb-2001 |
markus |
move k_setpag() to a central place; ok dugsong@
|
#
1.36 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.35 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.34 |
|
22-Jan-2001 |
markus |
rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
#
1.33 |
|
22-Jan-2001 |
markus |
no need to include; from mouring@etoh.eviladmin.org
|
#
1.32 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.31 |
|
20-Jan-2001 |
markus |
typo
|
#
1.30 |
|
20-Jan-2001 |
markus |
pass the filename to auth_parse_options()
|
#
1.29 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.28 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
|
#
1.27 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
#
1.26 |
|
13-Jan-2001 |
markus |
enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu
|
#
1.25 |
|
08-Jan-2001 |
markus |
implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled).
|
#
1.24 |
|
28-Dec-2000 |
markus |
count authentication failures only
|
#
1.23 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.22 |
|
03-Dec-2000 |
markus |
support f-secure/ssh.com 2.0.12; ok niels@
|
#
1.21 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.20 |
|
14-Oct-2000 |
markus |
branches: 1.20.2; OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons
|
#
1.19 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.18 |
|
11-Oct-2000 |
markus |
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me
|
#
1.17 |
|
11-Oct-2000 |
markus |
clear auth options unless auth sucessfull
|
#
1.16 |
|
27-Sep-2000 |
markus |
use key_type()
|
#
1.15 |
|
21-Sep-2000 |
markus |
add context to dispatch_run
|
#
1.14 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.13 |
|
20-Aug-2000 |
millert |
Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class.
|
#
1.12 |
|
07-Jul-2000 |
todd |
clean code is good code
|
#
1.11 |
|
19-Jun-2000 |
markus |
make userauth+pubkey interop with ssh.com-2.2.0
|
#
1.10 |
|
18-Jun-2000 |
markus |
split auth-rsa option parsing into auth-options add options support to authorized_keys2
|
#
1.9 |
|
18-Jun-2000 |
markus |
implement bug compatibility with ssh-2.0.13 pubkey, server side
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.8 |
|
08-May-2000 |
markus |
branches: 1.8.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.7 |
|
06-May-2000 |
markus |
add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
|
#
1.6 |
|
05-May-2000 |
markus |
log failure before sending the reply
|
#
1.5 |
|
01-May-2000 |
djm |
Add missing #ifdefs; ok - markus
|
#
1.4 |
|
01-May-2000 |
markus |
disable kerb,s/key in ssh2
|
#
1.3 |
|
27-Apr-2000 |
markus |
cleanup logging for sshd/2, respect PasswordAuth no
|
#
1.2 |
|
27-Apr-2000 |
markus |
xfree DSA blobs
|
#
1.1 |
|
26-Apr-2000 |
markus |
split auth/sshconnect in one file per protocol version
|
#
1.146 |
|
13-Apr-2018 |
dtucker |
Defend against user enumeration timing attacks. This establishes a minimum time for each failed authentication attempt (5ms) and adds a per-user constant derived from a host secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok markus@ djm@.
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.145 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.144 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.143 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.142 |
|
31-May-2017 |
markus |
remove now obsolete ctx from ssh_dispatch_run; ok djm@
|
#
1.141 |
|
31-May-2017 |
markus |
use the ssh_dispatch_run_fatal variant
|
#
1.140 |
|
30-May-2017 |
markus |
switch auth2 to ssh_dispatch API; ok djm@
|
#
1.139 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.138 |
|
30-May-2017 |
markus |
sshd: pass struct ssh to auth functions; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.137 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.136 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.135 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.134 |
|
22-Dec-2014 |
djm |
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
|
#
1.133 |
|
18-Dec-2014 |
djm |
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.132 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.131 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.130 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.129 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.128 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.127 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and freedback djm@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.126 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.125 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.124 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.123 |
|
10-Mar-2011 |
djm |
allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.122 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.121 |
|
22-Jun-2009 |
dtucker |
alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.120 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.119 |
|
04-Jul-2008 |
djm |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2.
ok dtucker@
|
#
1.118 |
|
02-Jul-2008 |
djm |
really really remove the freebie "none" auth try for protocol 2
|
#
1.117 |
|
02-Jul-2008 |
djm |
Make protocol 2 MaxAuthTries behaviour a little more sensible:
Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).
Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.
Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).
Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.116 |
|
29-Sep-2007 |
dtucker |
Remove unused prototype. ok djm@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.115 |
|
14-Apr-2007 |
stevesk |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.114 |
|
01-Mar-2007 |
dtucker |
Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.113 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.112 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.111 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.110 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.109 |
|
20-Mar-2006 |
deraadt |
sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
|
#
1.108 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.107 |
|
28-Jul-2004 |
markus |
branches: 1.107.6; 1.107.8; more s/illegal/invalid/
|
#
1.106 |
|
21-Jul-2004 |
djm |
bz#899: Don't display invalid usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; ok markus@
|
#
1.105 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.104 |
|
04-Nov-2003 |
djm |
branches: 1.104.2; standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
|
#
1.103 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.102 |
|
26-Aug-2003 |
markus |
branches: 1.102.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.101 |
|
22-Aug-2003 |
markus |
nuke "kerberos-2@ssh.com"
|
#
1.100 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.99 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.98 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.97 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.96 |
|
06-Feb-2003 |
markus |
branches: 1.96.2; undo broken fix for #387, fixes #486
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.95 |
|
22-Aug-2002 |
markus |
branches: 1.95.2; auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
|
#
1.94 |
|
30-Jun-2002 |
deraadt |
lint asks that we use names that do not overlap
|
#
1.93 |
|
31-May-2002 |
markus |
move Authmethod definitons to per-method file.
|
#
1.92 |
|
25-May-2002 |
markus |
split auth2.c into one file per method; ok provos@/deraadt@
|
#
1.91 |
|
13-May-2002 |
itojun |
less warnings. skey_{respond,query} are public (in auth.h)
|
#
1.90 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.89 |
|
19-Mar-2002 |
markus |
branches: 1.89.2; make getpwnamallow() allways call pwcopy()
|
#
1.88 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.87 |
|
18-Mar-2002 |
provos |
have the authentication functions return the authentication context and then do_authenticated; okay millert@
|
#
1.86 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.85 |
|
24-Feb-2002 |
markus |
signed vs. unsigned: make size arguments u_int, ok stevesk@
|
#
1.84 |
|
04-Feb-2002 |
markus |
cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
|
#
1.83 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.82 |
|
13-Jan-2002 |
markus |
use buffer API and avoid static strings of fixed size; ok provos@/mouring@
|
#
1.81 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.80 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.77 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.76 |
|
18-Dec-2001 |
jakob |
log fingerprint on successful public key authentication; ok markus@
|
#
1.75 |
|
09-Dec-2001 |
markus |
add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions, fixes memleak.
|
#
1.74 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.73 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.72 |
|
07-Nov-2001 |
markus |
unused includes
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.71 |
|
27-Sep-2001 |
markus |
branches: 1.71.2; typos; from solar
|
#
1.70 |
|
20-Sep-2001 |
markus |
key_read returns now -1 or 1
|
#
1.69 |
|
23-Jul-2001 |
stevesk |
use %lu; ok markus@
|
#
1.68 |
|
26-Jun-2001 |
markus |
new interface for secure_filename()
|
#
1.67 |
|
25-Jun-2001 |
stevesk |
prototype cleanup; ok markus@
|
#
1.66 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.65 |
|
23-Jun-2001 |
markus |
restore correct ignore_user_known_hosts logic.
|
#
1.64 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.63 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.62 |
|
07-Jun-2001 |
markus |
style is used for bsdauth. disconnect on user/service change (ietf-drafts)
|
#
1.61 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.60 |
|
30-May-2001 |
markus |
merge
|
#
1.59 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.58 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
#
1.57 |
|
18-May-2001 |
markus |
improved kbd-interactive support. work by per@appgate.com and me
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.56 |
|
19-Apr-2001 |
markus |
branches: 1.56.2; use local variable, no function call needed. (btw, hostbased works now with ssh.com >= 2.0.13)
|
#
1.55 |
|
18-Apr-2001 |
markus |
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now (however the 2.1.0 server seems to work only if debug is enabled...)
|
#
1.54 |
|
18-Apr-2001 |
markus |
no longer const
|
#
1.53 |
|
18-Apr-2001 |
markus |
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
#
1.52 |
|
12-Apr-2001 |
markus |
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.51 |
|
06-Apr-2001 |
markus |
do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
|
#
1.50 |
|
04-Apr-2001 |
markus |
we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
|
#
1.49 |
|
28-Mar-2001 |
markus |
check auth_root_allowed for kbd-int auth, too.
|
#
1.48 |
|
21-Mar-2001 |
markus |
merge common ssh v1/2 code
|
#
1.47 |
|
20-Mar-2001 |
markus |
add changes need for BSD_AUTH plus disabled BSD_AUTH code
|
#
1.46 |
|
11-Mar-2001 |
markus |
debug
|
#
1.45 |
|
04-Mar-2001 |
djm |
Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid header conflicts in portable; ok markus@
|
#
1.44 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.43 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.42 |
|
13-Feb-2001 |
markus |
setproctitle(user) only if getpwnam succeeds
|
#
1.41 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.40 |
|
10-Feb-2001 |
markus |
offer passwd before s/key
|
#
1.39 |
|
08-Feb-2001 |
markus |
strict checking
|
#
1.38 |
|
08-Feb-2001 |
markus |
fix typo
|
#
1.37 |
|
07-Feb-2001 |
markus |
move k_setpag() to a central place; ok dugsong@
|
#
1.36 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.35 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.34 |
|
22-Jan-2001 |
markus |
rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
#
1.33 |
|
22-Jan-2001 |
markus |
no need to include; from mouring@etoh.eviladmin.org
|
#
1.32 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.31 |
|
20-Jan-2001 |
markus |
typo
|
#
1.30 |
|
20-Jan-2001 |
markus |
pass the filename to auth_parse_options()
|
#
1.29 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.28 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
|
#
1.27 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
#
1.26 |
|
13-Jan-2001 |
markus |
enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu
|
#
1.25 |
|
08-Jan-2001 |
markus |
implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled).
|
#
1.24 |
|
28-Dec-2000 |
markus |
count authentication failures only
|
#
1.23 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.22 |
|
03-Dec-2000 |
markus |
support f-secure/ssh.com 2.0.12; ok niels@
|
#
1.21 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.20 |
|
14-Oct-2000 |
markus |
branches: 1.20.2; OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons
|
#
1.19 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.18 |
|
11-Oct-2000 |
markus |
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me
|
#
1.17 |
|
11-Oct-2000 |
markus |
clear auth options unless auth sucessfull
|
#
1.16 |
|
27-Sep-2000 |
markus |
use key_type()
|
#
1.15 |
|
21-Sep-2000 |
markus |
add context to dispatch_run
|
#
1.14 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.13 |
|
20-Aug-2000 |
millert |
Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class.
|
#
1.12 |
|
07-Jul-2000 |
todd |
clean code is good code
|
#
1.11 |
|
19-Jun-2000 |
markus |
make userauth+pubkey interop with ssh.com-2.2.0
|
#
1.10 |
|
18-Jun-2000 |
markus |
split auth-rsa option parsing into auth-options add options support to authorized_keys2
|
#
1.9 |
|
18-Jun-2000 |
markus |
implement bug compatibility with ssh-2.0.13 pubkey, server side
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.8 |
|
08-May-2000 |
markus |
branches: 1.8.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.7 |
|
06-May-2000 |
markus |
add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
|
#
1.6 |
|
05-May-2000 |
markus |
log failure before sending the reply
|
#
1.5 |
|
01-May-2000 |
djm |
Add missing #ifdefs; ok - markus
|
#
1.4 |
|
01-May-2000 |
markus |
disable kerb,s/key in ssh2
|
#
1.3 |
|
27-Apr-2000 |
markus |
cleanup logging for sshd/2, respect PasswordAuth no
|
#
1.2 |
|
27-Apr-2000 |
markus |
xfree DSA blobs
|
#
1.1 |
|
26-Apr-2000 |
markus |
split auth/sshconnect in one file per protocol version
|
#
1.145 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.144 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.143 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.142 |
|
31-May-2017 |
markus |
remove now obsolete ctx from ssh_dispatch_run; ok djm@
|
#
1.141 |
|
31-May-2017 |
markus |
use the ssh_dispatch_run_fatal variant
|
#
1.140 |
|
30-May-2017 |
markus |
switch auth2 to ssh_dispatch API; ok djm@
|
#
1.139 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.138 |
|
30-May-2017 |
markus |
sshd: pass struct ssh to auth functions; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.137 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.136 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.135 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.134 |
|
22-Dec-2014 |
djm |
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
|
#
1.133 |
|
18-Dec-2014 |
djm |
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.132 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.131 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.130 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.129 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.128 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.127 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and freedback djm@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.126 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.125 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.124 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.123 |
|
10-Mar-2011 |
djm |
allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.122 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.121 |
|
22-Jun-2009 |
dtucker |
alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.120 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.119 |
|
04-Jul-2008 |
djm |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2.
ok dtucker@
|
#
1.118 |
|
02-Jul-2008 |
djm |
really really remove the freebie "none" auth try for protocol 2
|
#
1.117 |
|
02-Jul-2008 |
djm |
Make protocol 2 MaxAuthTries behaviour a little more sensible:
Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).
Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.
Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).
Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.116 |
|
29-Sep-2007 |
dtucker |
Remove unused prototype. ok djm@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.115 |
|
14-Apr-2007 |
stevesk |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.114 |
|
01-Mar-2007 |
dtucker |
Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.113 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.112 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.111 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.110 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.109 |
|
20-Mar-2006 |
deraadt |
sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
|
#
1.108 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.107 |
|
28-Jul-2004 |
markus |
branches: 1.107.6; 1.107.8; more s/illegal/invalid/
|
#
1.106 |
|
21-Jul-2004 |
djm |
bz#899: Don't display invalid usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; ok markus@
|
#
1.105 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.104 |
|
04-Nov-2003 |
djm |
branches: 1.104.2; standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
|
#
1.103 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.102 |
|
26-Aug-2003 |
markus |
branches: 1.102.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.101 |
|
22-Aug-2003 |
markus |
nuke "kerberos-2@ssh.com"
|
#
1.100 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.99 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.98 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.97 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.96 |
|
06-Feb-2003 |
markus |
branches: 1.96.2; undo broken fix for #387, fixes #486
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.95 |
|
22-Aug-2002 |
markus |
branches: 1.95.2; auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
|
#
1.94 |
|
30-Jun-2002 |
deraadt |
lint asks that we use names that do not overlap
|
#
1.93 |
|
31-May-2002 |
markus |
move Authmethod definitons to per-method file.
|
#
1.92 |
|
25-May-2002 |
markus |
split auth2.c into one file per method; ok provos@/deraadt@
|
#
1.91 |
|
13-May-2002 |
itojun |
less warnings. skey_{respond,query} are public (in auth.h)
|
#
1.90 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.89 |
|
19-Mar-2002 |
markus |
branches: 1.89.2; make getpwnamallow() allways call pwcopy()
|
#
1.88 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.87 |
|
18-Mar-2002 |
provos |
have the authentication functions return the authentication context and then do_authenticated; okay millert@
|
#
1.86 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.85 |
|
24-Feb-2002 |
markus |
signed vs. unsigned: make size arguments u_int, ok stevesk@
|
#
1.84 |
|
04-Feb-2002 |
markus |
cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
|
#
1.83 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.82 |
|
13-Jan-2002 |
markus |
use buffer API and avoid static strings of fixed size; ok provos@/mouring@
|
#
1.81 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.80 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.77 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.76 |
|
18-Dec-2001 |
jakob |
log fingerprint on successful public key authentication; ok markus@
|
#
1.75 |
|
09-Dec-2001 |
markus |
add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions, fixes memleak.
|
#
1.74 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.73 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.72 |
|
07-Nov-2001 |
markus |
unused includes
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.71 |
|
27-Sep-2001 |
markus |
branches: 1.71.2; typos; from solar
|
#
1.70 |
|
20-Sep-2001 |
markus |
key_read returns now -1 or 1
|
#
1.69 |
|
23-Jul-2001 |
stevesk |
use %lu; ok markus@
|
#
1.68 |
|
26-Jun-2001 |
markus |
new interface for secure_filename()
|
#
1.67 |
|
25-Jun-2001 |
stevesk |
prototype cleanup; ok markus@
|
#
1.66 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.65 |
|
23-Jun-2001 |
markus |
restore correct ignore_user_known_hosts logic.
|
#
1.64 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.63 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.62 |
|
07-Jun-2001 |
markus |
style is used for bsdauth. disconnect on user/service change (ietf-drafts)
|
#
1.61 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.60 |
|
30-May-2001 |
markus |
merge
|
#
1.59 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.58 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
#
1.57 |
|
18-May-2001 |
markus |
improved kbd-interactive support. work by per@appgate.com and me
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.56 |
|
19-Apr-2001 |
markus |
branches: 1.56.2; use local variable, no function call needed. (btw, hostbased works now with ssh.com >= 2.0.13)
|
#
1.55 |
|
18-Apr-2001 |
markus |
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now (however the 2.1.0 server seems to work only if debug is enabled...)
|
#
1.54 |
|
18-Apr-2001 |
markus |
no longer const
|
#
1.53 |
|
18-Apr-2001 |
markus |
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
#
1.52 |
|
12-Apr-2001 |
markus |
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.51 |
|
06-Apr-2001 |
markus |
do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
|
#
1.50 |
|
04-Apr-2001 |
markus |
we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
|
#
1.49 |
|
28-Mar-2001 |
markus |
check auth_root_allowed for kbd-int auth, too.
|
#
1.48 |
|
21-Mar-2001 |
markus |
merge common ssh v1/2 code
|
#
1.47 |
|
20-Mar-2001 |
markus |
add changes need for BSD_AUTH plus disabled BSD_AUTH code
|
#
1.46 |
|
11-Mar-2001 |
markus |
debug
|
#
1.45 |
|
04-Mar-2001 |
djm |
Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid header conflicts in portable; ok markus@
|
#
1.44 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.43 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.42 |
|
13-Feb-2001 |
markus |
setproctitle(user) only if getpwnam succeeds
|
#
1.41 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.40 |
|
10-Feb-2001 |
markus |
offer passwd before s/key
|
#
1.39 |
|
08-Feb-2001 |
markus |
strict checking
|
#
1.38 |
|
08-Feb-2001 |
markus |
fix typo
|
#
1.37 |
|
07-Feb-2001 |
markus |
move k_setpag() to a central place; ok dugsong@
|
#
1.36 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.35 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.34 |
|
22-Jan-2001 |
markus |
rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
#
1.33 |
|
22-Jan-2001 |
markus |
no need to include; from mouring@etoh.eviladmin.org
|
#
1.32 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.31 |
|
20-Jan-2001 |
markus |
typo
|
#
1.30 |
|
20-Jan-2001 |
markus |
pass the filename to auth_parse_options()
|
#
1.29 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.28 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
|
#
1.27 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
#
1.26 |
|
13-Jan-2001 |
markus |
enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu
|
#
1.25 |
|
08-Jan-2001 |
markus |
implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled).
|
#
1.24 |
|
28-Dec-2000 |
markus |
count authentication failures only
|
#
1.23 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.22 |
|
03-Dec-2000 |
markus |
support f-secure/ssh.com 2.0.12; ok niels@
|
#
1.21 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.20 |
|
14-Oct-2000 |
markus |
branches: 1.20.2; OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons
|
#
1.19 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.18 |
|
11-Oct-2000 |
markus |
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me
|
#
1.17 |
|
11-Oct-2000 |
markus |
clear auth options unless auth sucessfull
|
#
1.16 |
|
27-Sep-2000 |
markus |
use key_type()
|
#
1.15 |
|
21-Sep-2000 |
markus |
add context to dispatch_run
|
#
1.14 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.13 |
|
20-Aug-2000 |
millert |
Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class.
|
#
1.12 |
|
07-Jul-2000 |
todd |
clean code is good code
|
#
1.11 |
|
19-Jun-2000 |
markus |
make userauth+pubkey interop with ssh.com-2.2.0
|
#
1.10 |
|
18-Jun-2000 |
markus |
split auth-rsa option parsing into auth-options add options support to authorized_keys2
|
#
1.9 |
|
18-Jun-2000 |
markus |
implement bug compatibility with ssh-2.0.13 pubkey, server side
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.8 |
|
08-May-2000 |
markus |
branches: 1.8.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.7 |
|
06-May-2000 |
markus |
add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
|
#
1.6 |
|
05-May-2000 |
markus |
log failure before sending the reply
|
#
1.5 |
|
01-May-2000 |
djm |
Add missing #ifdefs; ok - markus
|
#
1.4 |
|
01-May-2000 |
markus |
disable kerb,s/key in ssh2
|
#
1.3 |
|
27-Apr-2000 |
markus |
cleanup logging for sshd/2, respect PasswordAuth no
|
#
1.2 |
|
27-Apr-2000 |
markus |
xfree DSA blobs
|
#
1.1 |
|
26-Apr-2000 |
markus |
split auth/sshconnect in one file per protocol version
|
#
1.144 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.143 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.142 |
|
31-May-2017 |
markus |
remove now obsolete ctx from ssh_dispatch_run; ok djm@
|
#
1.141 |
|
31-May-2017 |
markus |
use the ssh_dispatch_run_fatal variant
|
#
1.140 |
|
30-May-2017 |
markus |
switch auth2 to ssh_dispatch API; ok djm@
|
#
1.139 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.138 |
|
30-May-2017 |
markus |
sshd: pass struct ssh to auth functions; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.137 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.136 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.135 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.134 |
|
22-Dec-2014 |
djm |
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
|
#
1.133 |
|
18-Dec-2014 |
djm |
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.132 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.131 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.130 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.129 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.128 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.127 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and freedback djm@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.126 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.125 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.124 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.123 |
|
10-Mar-2011 |
djm |
allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.122 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.121 |
|
22-Jun-2009 |
dtucker |
alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.120 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.119 |
|
04-Jul-2008 |
djm |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2.
ok dtucker@
|
#
1.118 |
|
02-Jul-2008 |
djm |
really really remove the freebie "none" auth try for protocol 2
|
#
1.117 |
|
02-Jul-2008 |
djm |
Make protocol 2 MaxAuthTries behaviour a little more sensible:
Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).
Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.
Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).
Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.116 |
|
29-Sep-2007 |
dtucker |
Remove unused prototype. ok djm@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.115 |
|
14-Apr-2007 |
stevesk |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.114 |
|
01-Mar-2007 |
dtucker |
Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.113 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.112 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.111 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.110 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.109 |
|
20-Mar-2006 |
deraadt |
sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
|
#
1.108 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.107 |
|
28-Jul-2004 |
markus |
branches: 1.107.6; 1.107.8; more s/illegal/invalid/
|
#
1.106 |
|
21-Jul-2004 |
djm |
bz#899: Don't display invalid usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; ok markus@
|
#
1.105 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.104 |
|
04-Nov-2003 |
djm |
branches: 1.104.2; standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
|
#
1.103 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.102 |
|
26-Aug-2003 |
markus |
branches: 1.102.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.101 |
|
22-Aug-2003 |
markus |
nuke "kerberos-2@ssh.com"
|
#
1.100 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.99 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.98 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.97 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.96 |
|
06-Feb-2003 |
markus |
branches: 1.96.2; undo broken fix for #387, fixes #486
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.95 |
|
22-Aug-2002 |
markus |
branches: 1.95.2; auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
|
#
1.94 |
|
30-Jun-2002 |
deraadt |
lint asks that we use names that do not overlap
|
#
1.93 |
|
31-May-2002 |
markus |
move Authmethod definitons to per-method file.
|
#
1.92 |
|
25-May-2002 |
markus |
split auth2.c into one file per method; ok provos@/deraadt@
|
#
1.91 |
|
13-May-2002 |
itojun |
less warnings. skey_{respond,query} are public (in auth.h)
|
#
1.90 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.89 |
|
19-Mar-2002 |
markus |
branches: 1.89.2; make getpwnamallow() allways call pwcopy()
|
#
1.88 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.87 |
|
18-Mar-2002 |
provos |
have the authentication functions return the authentication context and then do_authenticated; okay millert@
|
#
1.86 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.85 |
|
24-Feb-2002 |
markus |
signed vs. unsigned: make size arguments u_int, ok stevesk@
|
#
1.84 |
|
04-Feb-2002 |
markus |
cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
|
#
1.83 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.82 |
|
13-Jan-2002 |
markus |
use buffer API and avoid static strings of fixed size; ok provos@/mouring@
|
#
1.81 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.80 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.77 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.76 |
|
18-Dec-2001 |
jakob |
log fingerprint on successful public key authentication; ok markus@
|
#
1.75 |
|
09-Dec-2001 |
markus |
add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions, fixes memleak.
|
#
1.74 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.73 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.72 |
|
07-Nov-2001 |
markus |
unused includes
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.71 |
|
27-Sep-2001 |
markus |
branches: 1.71.2; typos; from solar
|
#
1.70 |
|
20-Sep-2001 |
markus |
key_read returns now -1 or 1
|
#
1.69 |
|
23-Jul-2001 |
stevesk |
use %lu; ok markus@
|
#
1.68 |
|
26-Jun-2001 |
markus |
new interface for secure_filename()
|
#
1.67 |
|
25-Jun-2001 |
stevesk |
prototype cleanup; ok markus@
|
#
1.66 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.65 |
|
23-Jun-2001 |
markus |
restore correct ignore_user_known_hosts logic.
|
#
1.64 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.63 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.62 |
|
07-Jun-2001 |
markus |
style is used for bsdauth. disconnect on user/service change (ietf-drafts)
|
#
1.61 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.60 |
|
30-May-2001 |
markus |
merge
|
#
1.59 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.58 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
#
1.57 |
|
18-May-2001 |
markus |
improved kbd-interactive support. work by per@appgate.com and me
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.56 |
|
19-Apr-2001 |
markus |
branches: 1.56.2; use local variable, no function call needed. (btw, hostbased works now with ssh.com >= 2.0.13)
|
#
1.55 |
|
18-Apr-2001 |
markus |
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now (however the 2.1.0 server seems to work only if debug is enabled...)
|
#
1.54 |
|
18-Apr-2001 |
markus |
no longer const
|
#
1.53 |
|
18-Apr-2001 |
markus |
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
#
1.52 |
|
12-Apr-2001 |
markus |
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.51 |
|
06-Apr-2001 |
markus |
do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
|
#
1.50 |
|
04-Apr-2001 |
markus |
we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
|
#
1.49 |
|
28-Mar-2001 |
markus |
check auth_root_allowed for kbd-int auth, too.
|
#
1.48 |
|
21-Mar-2001 |
markus |
merge common ssh v1/2 code
|
#
1.47 |
|
20-Mar-2001 |
markus |
add changes need for BSD_AUTH plus disabled BSD_AUTH code
|
#
1.46 |
|
11-Mar-2001 |
markus |
debug
|
#
1.45 |
|
04-Mar-2001 |
djm |
Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid header conflicts in portable; ok markus@
|
#
1.44 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.43 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.42 |
|
13-Feb-2001 |
markus |
setproctitle(user) only if getpwnam succeeds
|
#
1.41 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.40 |
|
10-Feb-2001 |
markus |
offer passwd before s/key
|
#
1.39 |
|
08-Feb-2001 |
markus |
strict checking
|
#
1.38 |
|
08-Feb-2001 |
markus |
fix typo
|
#
1.37 |
|
07-Feb-2001 |
markus |
move k_setpag() to a central place; ok dugsong@
|
#
1.36 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.35 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.34 |
|
22-Jan-2001 |
markus |
rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
#
1.33 |
|
22-Jan-2001 |
markus |
no need to include; from mouring@etoh.eviladmin.org
|
#
1.32 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.31 |
|
20-Jan-2001 |
markus |
typo
|
#
1.30 |
|
20-Jan-2001 |
markus |
pass the filename to auth_parse_options()
|
#
1.29 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.28 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
|
#
1.27 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
#
1.26 |
|
13-Jan-2001 |
markus |
enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu
|
#
1.25 |
|
08-Jan-2001 |
markus |
implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled).
|
#
1.24 |
|
28-Dec-2000 |
markus |
count authentication failures only
|
#
1.23 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.22 |
|
03-Dec-2000 |
markus |
support f-secure/ssh.com 2.0.12; ok niels@
|
#
1.21 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.20 |
|
14-Oct-2000 |
markus |
branches: 1.20.2; OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons
|
#
1.19 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.18 |
|
11-Oct-2000 |
markus |
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me
|
#
1.17 |
|
11-Oct-2000 |
markus |
clear auth options unless auth sucessfull
|
#
1.16 |
|
27-Sep-2000 |
markus |
use key_type()
|
#
1.15 |
|
21-Sep-2000 |
markus |
add context to dispatch_run
|
#
1.14 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.13 |
|
20-Aug-2000 |
millert |
Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class.
|
#
1.12 |
|
07-Jul-2000 |
todd |
clean code is good code
|
#
1.11 |
|
19-Jun-2000 |
markus |
make userauth+pubkey interop with ssh.com-2.2.0
|
#
1.10 |
|
18-Jun-2000 |
markus |
split auth-rsa option parsing into auth-options add options support to authorized_keys2
|
#
1.9 |
|
18-Jun-2000 |
markus |
implement bug compatibility with ssh-2.0.13 pubkey, server side
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.8 |
|
08-May-2000 |
markus |
branches: 1.8.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.7 |
|
06-May-2000 |
markus |
add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
|
#
1.6 |
|
05-May-2000 |
markus |
log failure before sending the reply
|
#
1.5 |
|
01-May-2000 |
djm |
Add missing #ifdefs; ok - markus
|
#
1.4 |
|
01-May-2000 |
markus |
disable kerb,s/key in ssh2
|
#
1.3 |
|
27-Apr-2000 |
markus |
cleanup logging for sshd/2, respect PasswordAuth no
|
#
1.2 |
|
27-Apr-2000 |
markus |
xfree DSA blobs
|
#
1.1 |
|
26-Apr-2000 |
markus |
split auth/sshconnect in one file per protocol version
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.143 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.142 |
|
31-May-2017 |
markus |
remove now obsolete ctx from ssh_dispatch_run; ok djm@
|
#
1.141 |
|
31-May-2017 |
markus |
use the ssh_dispatch_run_fatal variant
|
#
1.140 |
|
30-May-2017 |
markus |
switch auth2 to ssh_dispatch API; ok djm@
|
#
1.139 |
|
30-May-2017 |
markus |
protocol handlers all get struct ssh passed; ok djm@
|
#
1.138 |
|
30-May-2017 |
markus |
sshd: pass struct ssh to auth functions; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.137 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.136 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.135 |
|
19-Jan-2015 |
markus |
move dispatch to struct ssh; ok djm@
|
#
1.134 |
|
22-Dec-2014 |
djm |
make internal handling of filename arguments of "none" more consistent with ssh. "none" arguments are now replaced with NULL when the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than that + strcmp) and cleans up some inconsistencies. ok markus@
|
#
1.133 |
|
18-Dec-2014 |
djm |
don't count partial authentication success as a failure against MaxAuthTries; ok deraadt@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.132 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.131 |
|
03-Jul-2014 |
djm |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.130 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.129 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.128 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.127 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and freedback djm@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.126 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.125 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.124 |
|
07-Dec-2011 |
djm |
fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.123 |
|
10-Mar-2011 |
djm |
allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.122 |
|
31-Aug-2010 |
djm |
Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
|
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.121 |
|
22-Jun-2009 |
dtucker |
alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.120 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.119 |
|
04-Jul-2008 |
djm |
Make protocol 1 MaxAuthTries logic match protocol 2's.
Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none".
Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2.
ok dtucker@
|
#
1.118 |
|
02-Jul-2008 |
djm |
really really remove the freebie "none" auth try for protocol 2
|
#
1.117 |
|
02-Jul-2008 |
djm |
Make protocol 2 MaxAuthTries behaviour a little more sensible:
Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).
Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.
Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).
Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.116 |
|
29-Sep-2007 |
dtucker |
Remove unused prototype. ok djm@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.115 |
|
14-Apr-2007 |
stevesk |
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.114 |
|
01-Mar-2007 |
dtucker |
Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.113 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.112 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.111 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.110 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.109 |
|
20-Mar-2006 |
deraadt |
sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
|
#
1.108 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.107 |
|
28-Jul-2004 |
markus |
branches: 1.107.6; 1.107.8; more s/illegal/invalid/
|
#
1.106 |
|
21-Jul-2004 |
djm |
bz#899: Don't display invalid usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; ok markus@
|
#
1.105 |
|
23-May-2004 |
dtucker |
Add MaxAuthTries sshd config option; ok markus@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.104 |
|
04-Nov-2003 |
djm |
branches: 1.104.2; standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
|
#
1.103 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.102 |
|
26-Aug-2003 |
markus |
branches: 1.102.2; fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.101 |
|
22-Aug-2003 |
markus |
nuke "kerberos-2@ssh.com"
|
#
1.100 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.99 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.98 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.97 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.96 |
|
06-Feb-2003 |
markus |
branches: 1.96.2; undo broken fix for #387, fixes #486
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.95 |
|
22-Aug-2002 |
markus |
branches: 1.95.2; auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
|
#
1.94 |
|
30-Jun-2002 |
deraadt |
lint asks that we use names that do not overlap
|
#
1.93 |
|
31-May-2002 |
markus |
move Authmethod definitons to per-method file.
|
#
1.92 |
|
25-May-2002 |
markus |
split auth2.c into one file per method; ok provos@/deraadt@
|
#
1.91 |
|
13-May-2002 |
itojun |
less warnings. skey_{respond,query} are public (in auth.h)
|
#
1.90 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.89 |
|
19-Mar-2002 |
markus |
branches: 1.89.2; make getpwnamallow() allways call pwcopy()
|
#
1.88 |
|
18-Mar-2002 |
provos |
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
|
#
1.87 |
|
18-Mar-2002 |
provos |
have the authentication functions return the authentication context and then do_authenticated; okay millert@
|
#
1.86 |
|
17-Mar-2002 |
provos |
getpwnamallow returns struct passwd * only if user valid; okay markus@
|
#
1.85 |
|
24-Feb-2002 |
markus |
signed vs. unsigned: make size arguments u_int, ok stevesk@
|
#
1.84 |
|
04-Feb-2002 |
markus |
cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@
|
#
1.83 |
|
29-Jan-2002 |
markus |
s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
|
#
1.82 |
|
13-Jan-2002 |
markus |
use buffer API and avoid static strings of fixed size; ok provos@/mouring@
|
#
1.81 |
|
11-Jan-2002 |
markus |
a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED' dispatch_range(): set handler for a ranges message types use dispatch_protocol_ignore() for authentication requests after successful authentication (the drafts requirement). serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.
|
#
1.80 |
|
28-Dec-2001 |
markus |
remove plen from the dispatch fn. it's no longer used.
|
#
1.79 |
|
28-Dec-2001 |
markus |
s/packet_done/packet_check_eom/ (end-of-message); ok djm@
|
#
1.78 |
|
20-Dec-2001 |
djm |
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
|
#
1.77 |
|
19-Dec-2001 |
deraadt |
basic KNF done while i was looking for something else
|
#
1.76 |
|
18-Dec-2001 |
jakob |
log fingerprint on successful public key authentication; ok markus@
|
#
1.75 |
|
09-Dec-2001 |
markus |
add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions, fixes memleak.
|
#
1.74 |
|
05-Dec-2001 |
itojun |
make it compile with more strict prototype checking
|
#
1.73 |
|
17-Nov-2001 |
stevesk |
enum/int type cleanup where it made sense to do so; ok markus@
|
#
1.72 |
|
07-Nov-2001 |
markus |
unused includes
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.71 |
|
27-Sep-2001 |
markus |
branches: 1.71.2; typos; from solar
|
#
1.70 |
|
20-Sep-2001 |
markus |
key_read returns now -1 or 1
|
#
1.69 |
|
23-Jul-2001 |
stevesk |
use %lu; ok markus@
|
#
1.68 |
|
26-Jun-2001 |
markus |
new interface for secure_filename()
|
#
1.67 |
|
25-Jun-2001 |
stevesk |
prototype cleanup; ok markus@
|
#
1.66 |
|
23-Jun-2001 |
itojun |
more strict prototypes. raise warning level in Makefile.inc. markus ok'ed TODO; cleanup headers
|
#
1.65 |
|
23-Jun-2001 |
markus |
restore correct ignore_user_known_hosts logic.
|
#
1.64 |
|
23-Jun-2001 |
markus |
*known_hosts2 is obsolete for hostbased authentication and only used for backward compat. merge ssh1/2 hostkey check and move it to auth.c
|
#
1.63 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.62 |
|
07-Jun-2001 |
markus |
style is used for bsdauth. disconnect on user/service change (ietf-drafts)
|
#
1.61 |
|
31-May-2001 |
markus |
undo the .c file split, just merge the header and keep the cvs history
|
#
1.60 |
|
30-May-2001 |
markus |
merge
|
#
1.59 |
|
30-May-2001 |
markus |
channel layer cleanup: merge header files and split .c files
|
#
1.58 |
|
20-May-2001 |
markus |
configurable authorized_keys{,2} location; originally from peter@; ok djm@
|
#
1.57 |
|
18-May-2001 |
markus |
improved kbd-interactive support. work by per@appgate.com and me
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.56 |
|
19-Apr-2001 |
markus |
branches: 1.56.2; use local variable, no function call needed. (btw, hostbased works now with ssh.com >= 2.0.13)
|
#
1.55 |
|
18-Apr-2001 |
markus |
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now (however the 2.1.0 server seems to work only if debug is enabled...)
|
#
1.54 |
|
18-Apr-2001 |
markus |
no longer const
|
#
1.53 |
|
18-Apr-2001 |
markus |
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
#
1.52 |
|
12-Apr-2001 |
markus |
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.51 |
|
06-Apr-2001 |
markus |
do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
|
#
1.50 |
|
04-Apr-2001 |
markus |
we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@
|
#
1.49 |
|
28-Mar-2001 |
markus |
check auth_root_allowed for kbd-int auth, too.
|
#
1.48 |
|
21-Mar-2001 |
markus |
merge common ssh v1/2 code
|
#
1.47 |
|
20-Mar-2001 |
markus |
add changes need for BSD_AUTH plus disabled BSD_AUTH code
|
#
1.46 |
|
11-Mar-2001 |
markus |
debug
|
#
1.45 |
|
04-Mar-2001 |
djm |
Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid header conflicts in portable; ok markus@
|
#
1.44 |
|
01-Mar-2001 |
deraadt |
KNF
|
#
1.43 |
|
22-Feb-2001 |
markus |
use pwcopy in ssh.c, too
|
#
1.42 |
|
13-Feb-2001 |
markus |
setproctitle(user) only if getpwnam succeeds
|
#
1.41 |
|
12-Feb-2001 |
markus |
PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
|
#
1.40 |
|
10-Feb-2001 |
markus |
offer passwd before s/key
|
#
1.39 |
|
08-Feb-2001 |
markus |
strict checking
|
#
1.38 |
|
08-Feb-2001 |
markus |
fix typo
|
#
1.37 |
|
07-Feb-2001 |
markus |
move k_setpag() to a central place; ok dugsong@
|
#
1.36 |
|
04-Feb-2001 |
stevesk |
unexpand and remove end-of-line whitespace; ok markus@
|
#
1.35 |
|
04-Feb-2001 |
stevesk |
remove duplicate #include's; ok markus@
|
#
1.34 |
|
22-Jan-2001 |
markus |
rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
#
1.33 |
|
22-Jan-2001 |
markus |
no need to include; from mouring@etoh.eviladmin.org
|
#
1.32 |
|
21-Jan-2001 |
markus |
split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch]
|
#
1.31 |
|
20-Jan-2001 |
markus |
typo
|
#
1.30 |
|
20-Jan-2001 |
markus |
pass the filename to auth_parse_options()
|
#
1.29 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|
#
1.28 |
|
18-Jan-2001 |
markus |
1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier.
|
#
1.27 |
|
13-Jan-2001 |
markus |
support supplementary group in {Allow,Deny}Groups from stevesk@pobox.com
|
#
1.26 |
|
13-Jan-2001 |
markus |
enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu
|
#
1.25 |
|
08-Jan-2001 |
markus |
implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled).
|
#
1.24 |
|
28-Dec-2000 |
markus |
count authentication failures only
|
#
1.23 |
|
19-Dec-2000 |
markus |
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
|
#
1.22 |
|
03-Dec-2000 |
markus |
support f-secure/ssh.com 2.0.12; ok niels@
|
#
1.21 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.20 |
|
14-Oct-2000 |
markus |
branches: 1.20.2; OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons
|
#
1.19 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.18 |
|
11-Oct-2000 |
markus |
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me
|
#
1.17 |
|
11-Oct-2000 |
markus |
clear auth options unless auth sucessfull
|
#
1.16 |
|
27-Sep-2000 |
markus |
use key_type()
|
#
1.15 |
|
21-Sep-2000 |
markus |
add context to dispatch_run
|
#
1.14 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.13 |
|
20-Aug-2000 |
millert |
Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class.
|
#
1.12 |
|
07-Jul-2000 |
todd |
clean code is good code
|
#
1.11 |
|
19-Jun-2000 |
markus |
make userauth+pubkey interop with ssh.com-2.2.0
|
#
1.10 |
|
18-Jun-2000 |
markus |
split auth-rsa option parsing into auth-options add options support to authorized_keys2
|
#
1.9 |
|
18-Jun-2000 |
markus |
implement bug compatibility with ssh-2.0.13 pubkey, server side
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.8 |
|
08-May-2000 |
markus |
branches: 1.8.2; bug compat w/ ssh-2.0.13 x11, split out bugs
|
#
1.7 |
|
06-May-2000 |
markus |
add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
|
#
1.6 |
|
05-May-2000 |
markus |
log failure before sending the reply
|
#
1.5 |
|
01-May-2000 |
djm |
Add missing #ifdefs; ok - markus
|
#
1.4 |
|
01-May-2000 |
markus |
disable kerb,s/key in ssh2
|
#
1.3 |
|
27-Apr-2000 |
markus |
cleanup logging for sshd/2, respect PasswordAuth no
|
#
1.2 |
|
27-Apr-2000 |
markus |
xfree DSA blobs
|
#
1.1 |
|
26-Apr-2000 |
markus |
split auth/sshconnect in one file per protocol version
|