#
1.240 |
|
06-Jun-2024 |
djm |
Add a facility to sshd(8) to penalise particular problematic client behaviours, controlled by two new sshd_config(5) options: PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit status of its child pre-auth session processes. Through the exit status, it can observe situations where the session did not authenticate as expected. These conditions include when the client repeatedly attempted authentication unsuccessfully (possibly indicating an attack against one or more accounts, e.g. password guessing), or when client behaviour caused sshd to crash (possibly indicating attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some duration (e.g. 30 seconds) against the client's address. If this time is above a minimum threshold specified by the PerSourcePenalties, then connections from the client address will be refused (along with any others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater penalties, up to a configurable maximum. A PerSourcePenaltyExemptList option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for attackers to find accounts with weak/guessable passwords or exploit bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it automatically in the near future.
much feedback markus@ and others, ok markus@
|
#
1.239 |
|
17-May-2024 |
jsg |
remove prototypes with no matching function; ok djm@
|
#
1.238 |
|
17-May-2024 |
djm |
Start the process of splitting sshd into separate binaries. This step splits sshd into a listener and a session binary. More splits are planned.
After this change, the listener binary will validate the configuration, load the hostkeys, listen on port 22 and manage MaxStartups only. All session handling will be performed by a new sshd-session binary that the listener fork+execs.
This reduces the listener process to the minimum necessary and sets us up for future work on the sshd-session binary.
feedback/ok markus@ deraadt@
NB. if you're updating via source, please restart sshd after installing, otherwise you run the risk of locking yourself out.
|
Revision tags: OPENBSD_7_4_BASE OPENBSD_7_5_BASE
|
#
1.237 |
|
16-Aug-2023 |
djm |
defence-in-depth MaxAuthTries check in monitor; ok markus
|
#
1.236 |
|
10-May-2023 |
dtucker |
Remove now-unused prototypes for ssh1 RSA functions. From lengyijun via github PR#396.
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.235 |
|
17-Feb-2023 |
dtucker |
Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this was removed in OpenSSH 7.7 when support for SSH implementations dating back to before RFC standardization was removed. "burn it all" djm@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.234 |
|
15-Jun-2022 |
djm |
make sure that UseDNS hostname lookup happens in the monitor and not in the pledge(2)'d unprivileged process; fixes regression caused by recent refactoring spotted by henning@
|
#
1.233 |
|
27-May-2022 |
djm |
refactor authorized_keys/principals handling
remove "struct ssh *" from arguments - this was only used to pass the remote host/address. These can be passed in instead and the resulting code is less tightly coupled to ssh_api.[ch]
ok dtucker@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.232 |
|
25-Feb-2022 |
djm |
save an unnecessary alloc/free, based on patch from Martin Vahlensieck; ok dtucker@
|
#
1.231 |
|
28-Jan-2022 |
guenther |
When it's the possessive of 'it', it's spelled "its", without the apostrophe.
|
#
1.230 |
|
06-Jan-2022 |
djm |
log signature algorithm during verification by monitor; ok markus
|
#
1.229 |
|
19-Dec-2021 |
djm |
sshd side of hostbound public key auth
This is identical to the standard "publickey" method, but it also includes the initial server hostkey in the message signed by the client.
feedback / ok markus@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.228 |
|
11-Aug-2021 |
djm |
remove a bunch of %p in format strings; leftovers of debuggings past. prompted by Michael Forney, ok dtucker@
|
#
1.227 |
|
02-Jul-2021 |
dtucker |
Remove references to ChallengeResponseAuthentication in favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as deprecated alias so config files continue to work and a reference in the man page for people looking for it.
Prompted by bz#3303 which pointed out the discrepancy between the two when used with Match. Man page help & ok jmc@, with & ok djm@
|
#
1.226 |
|
30-Apr-2021 |
dtucker |
Remove now-unused skey function prototypes leftover from skey removal.
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.225 |
|
15-Apr-2021 |
markus |
do not pass file/func to monitor; noted by Ilja van Sprundel; ok djm@
|
#
1.224 |
|
03-Mar-2021 |
djm |
don't sshbuf_get_u32() into an enum; reported by goetze AT dovetail.com via bz3269
|
#
1.223 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.222 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.221 |
|
26-Jan-2021 |
dtucker |
Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@
|
#
1.220 |
|
22-Jan-2021 |
dtucker |
Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@
|
#
1.219 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.218 |
|
27-Nov-2020 |
djm |
clean up passing of struct passwd from monitor to preauth privsep process. No longer copy entire struct w/ pointer addresses, but pass remaining scalar fields explicitly.
Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@
|
#
1.217 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.216 |
|
18-Oct-2020 |
djm |
variants of the log methods that append a ssherr.h string from a supplied error code; ok markus@
|
#
1.215 |
|
16-Oct-2020 |
djm |
revised log infrastructure for OpenSSH
log functions receive function, filename and line number of caller. We can use this to selectively enable logging via pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.214 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
#
1.213 |
|
27-Aug-2020 |
djm |
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
#
1.212 |
|
07-Jul-2020 |
deraadt |
correct recently broken comments
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's. Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.239 |
|
17-May-2024 |
jsg |
remove prototypes with no matching function; ok djm@
|
#
1.238 |
|
17-May-2024 |
djm |
Start the process of splitting sshd into separate binaries. This step splits sshd into a listener and a session binary. More splits are planned.
After this change, the listener binary will validate the configuration, load the hostkeys, listen on port 22 and manage MaxStartups only. All session handling will be performed by a new sshd-session binary that the listener fork+execs.
This reduces the listener process to the minimum necessary and sets us up for future work on the sshd-session binary.
feedback/ok markus@ deraadt@
NB. if you're updating via source, please restart sshd after installing, otherwise you run the risk of locking yourself out.
|
Revision tags: OPENBSD_7_4_BASE OPENBSD_7_5_BASE
|
#
1.237 |
|
16-Aug-2023 |
djm |
defence-in-depth MaxAuthTries check in monitor; ok markus
|
#
1.236 |
|
10-May-2023 |
dtucker |
Remove now-unused prototypes for ssh1 RSA functions. From lengyijun via github PR#396.
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.235 |
|
17-Feb-2023 |
dtucker |
Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this was removed in OpenSSH 7.7 when support for SSH implementations dating back to before RFC standardization was removed. "burn it all" djm@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.234 |
|
15-Jun-2022 |
djm |
make sure that UseDNS hostname lookup happens in the monitor and not in the pledge(2)'d unprivileged process; fixes regression caused by recent refactoring spotted by henning@
|
#
1.233 |
|
27-May-2022 |
djm |
refactor authorized_keys/principals handling
remove "struct ssh *" from arguments - this was only used to pass the remote host/address. These can be passed in instead and the resulting code is less tightly coupled to ssh_api.[ch]
ok dtucker@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.232 |
|
25-Feb-2022 |
djm |
save an unnecessary alloc/free, based on patch from Martin Vahlensieck; ok dtucker@
|
#
1.231 |
|
28-Jan-2022 |
guenther |
When it's the possessive of 'it', it's spelled "its", without the apostrophe.
|
#
1.230 |
|
06-Jan-2022 |
djm |
log signature algorithm during verification by monitor; ok markus
|
#
1.229 |
|
19-Dec-2021 |
djm |
sshd side of hostbound public key auth
This is identical to the standard "publickey" method, but it also includes the initial server hostkey in the message signed by the client.
feedback / ok markus@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.228 |
|
11-Aug-2021 |
djm |
remove a bunch of %p in format strings; leftovers of debuggings past. prompted by Michael Forney, ok dtucker@
|
#
1.227 |
|
02-Jul-2021 |
dtucker |
Remove references to ChallengeResponseAuthentication in favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as deprecated alias so config files continue to work and a reference in the man page for people looking for it.
Prompted by bz#3303 which pointed out the discrepancy between the two when used with Match. Man page help & ok jmc@, with & ok djm@
|
#
1.226 |
|
30-Apr-2021 |
dtucker |
Remove now-unused skey function prototypes leftover from skey removal.
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.225 |
|
15-Apr-2021 |
markus |
do not pass file/func to monitor; noted by Ilja van Sprundel; ok djm@
|
#
1.224 |
|
03-Mar-2021 |
djm |
don't sshbuf_get_u32() into an enum; reported by goetze AT dovetail.com via bz3269
|
#
1.223 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.222 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.221 |
|
26-Jan-2021 |
dtucker |
Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@
|
#
1.220 |
|
22-Jan-2021 |
dtucker |
Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@
|
#
1.219 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.218 |
|
27-Nov-2020 |
djm |
clean up passing of struct passwd from monitor to preauth privsep process. No longer copy entire struct w/ pointer addresses, but pass remaining scalar fields explicitly.
Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@
|
#
1.217 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.216 |
|
18-Oct-2020 |
djm |
variants of the log methods that append a ssherr.h string from a supplied error code; ok markus@
|
#
1.215 |
|
16-Oct-2020 |
djm |
revised log infrastructure for OpenSSH
log functions receive function, filename and line number of caller. We can use this to selectively enable logging via pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.214 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
#
1.213 |
|
27-Aug-2020 |
djm |
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
#
1.212 |
|
07-Jul-2020 |
deraadt |
correct recently broken comments
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's. Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.237 |
|
16-Aug-2023 |
djm |
defence-in-depth MaxAuthTries check in monitor; ok markus
|
#
1.236 |
|
10-May-2023 |
dtucker |
Remove now-unused prototypes for ssh1 RSA functions. From lengyijun via github PR#396.
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.235 |
|
17-Feb-2023 |
dtucker |
Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this was removed in OpenSSH 7.7 when support for SSH implementations dating back to before RFC standardization was removed. "burn it all" djm@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.234 |
|
15-Jun-2022 |
djm |
make sure that UseDNS hostname lookup happens in the monitor and not in the pledge(2)'d unprivileged process; fixes regression caused by recent refactoring spotted by henning@
|
#
1.233 |
|
27-May-2022 |
djm |
refactor authorized_keys/principals handling
remove "struct ssh *" from arguments - this was only used to pass the remote host/address. These can be passed in instead and the resulting code is less tightly coupled to ssh_api.[ch]
ok dtucker@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.232 |
|
25-Feb-2022 |
djm |
save an unnecessary alloc/free, based on patch from Martin Vahlensieck; ok dtucker@
|
#
1.231 |
|
28-Jan-2022 |
guenther |
When it's the possessive of 'it', it's spelled "its", without the apostrophe.
|
#
1.230 |
|
06-Jan-2022 |
djm |
log signature algorithm during verification by monitor; ok markus
|
#
1.229 |
|
19-Dec-2021 |
djm |
sshd side of hostbound public key auth
This is identical to the standard "publickey" method, but it also includes the initial server hostkey in the message signed by the client.
feedback / ok markus@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.228 |
|
11-Aug-2021 |
djm |
remove a bunch of %p in format strings; leftovers of debuggings past. prompted by Michael Forney, ok dtucker@
|
#
1.227 |
|
02-Jul-2021 |
dtucker |
Remove references to ChallengeResponseAuthentication in favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as deprecated alias so config files continue to work and a reference in the man page for people looking for it.
Prompted by bz#3303 which pointed out the discrepancy between the two when used with Match. Man page help & ok jmc@, with & ok djm@
|
#
1.226 |
|
30-Apr-2021 |
dtucker |
Remove now-unused skey function prototypes leftover from skey removal.
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.225 |
|
15-Apr-2021 |
markus |
do not pass file/func to monitor; noted by Ilja van Sprundel; ok djm@
|
#
1.224 |
|
03-Mar-2021 |
djm |
don't sshbuf_get_u32() into an enum; reported by goetze AT dovetail.com via bz3269
|
#
1.223 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.222 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.221 |
|
26-Jan-2021 |
dtucker |
Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@
|
#
1.220 |
|
22-Jan-2021 |
dtucker |
Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@
|
#
1.219 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.218 |
|
27-Nov-2020 |
djm |
clean up passing of struct passwd from monitor to preauth privsep process. No longer copy entire struct w/ pointer addresses, but pass remaining scalar fields explicitly.
Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@
|
#
1.217 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.216 |
|
18-Oct-2020 |
djm |
variants of the log methods that append a ssherr.h string from a supplied error code; ok markus@
|
#
1.215 |
|
16-Oct-2020 |
djm |
revised log infrastructure for OpenSSH
log functions receive function, filename and line number of caller. We can use this to selectively enable logging via pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.214 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
#
1.213 |
|
27-Aug-2020 |
djm |
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
#
1.212 |
|
07-Jul-2020 |
deraadt |
correct recently broken comments
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's. Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.236 |
|
10-May-2023 |
dtucker |
Remove now-unused prototypes for ssh1 RSA functions. From lengyijun via github PR#396.
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.235 |
|
17-Feb-2023 |
dtucker |
Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this was removed in OpenSSH 7.7 when support for SSH implementations dating back to before RFC standardization were removed. "burn it all" djm@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.234 |
|
15-Jun-2022 |
djm |
make sure that UseDNS hostname lookup happens in the monitor and not in the pledge(2)'d unprivileged process; fixes regression caused by recent refactoring spotted by henning@
|
#
1.233 |
|
27-May-2022 |
djm |
refactor authorized_keys/principals handling
remove "struct ssh *" from arguments - this was only used to pass the remote host/address. These can be passed in instead and the resulting code is less tightly coupled to ssh_api.[ch]
ok dtucker@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.232 |
|
25-Feb-2022 |
djm |
save an unnecessary alloc/free, based on patch from Martin Vahlensieck; ok dtucker@
|
#
1.231 |
|
28-Jan-2022 |
guenther |
When it's the possessive of 'it', it's spelled "its", without the apostrophe.
|
#
1.230 |
|
06-Jan-2022 |
djm |
log signature algorithm during verification by monitor; ok markus
|
#
1.229 |
|
19-Dec-2021 |
djm |
sshd side of hostbound public key auth
This is identical to the standard "publickey" method, but it also includes the initial server hostkey in the message signed by the client.
feedback / ok markus@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.228 |
|
11-Aug-2021 |
djm |
remove a bunch of %p in format strings; leftovers of debuggings past. prompted by Michael Forney, ok dtucker@
|
#
1.227 |
|
02-Jul-2021 |
dtucker |
Remove references to ChallengeResponseAuthentication in favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as deprecated alias so config files continue to work and a reference in the man page for people looking for it.
Prompted by bz#3303 which pointed out the discrepancy between the two when used with Match. Man page help & ok jmc@, with & ok djm@
|
#
1.226 |
|
30-Apr-2021 |
dtucker |
Remove now-unused skey function prototypes leftover from skey removal.
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.225 |
|
15-Apr-2021 |
markus |
do not pass file/func to monitor; noted by Ilja van Sprundel; ok djm@
|
#
1.224 |
|
03-Mar-2021 |
djm |
don't sshbuf_get_u32() into an enum; reported by goetze AT dovetail.com via bz3269
|
#
1.223 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.222 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.221 |
|
26-Jan-2021 |
dtucker |
Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@
|
#
1.220 |
|
22-Jan-2021 |
dtucker |
Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@
|
#
1.219 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.218 |
|
27-Nov-2020 |
djm |
clean up passing of struct passwd from monitor to preauth privsep process. No longer copy entire struct w/ pointer addresses, but pass remaining scalar fields explicitly,
Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@
|
#
1.217 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.216 |
|
18-Oct-2020 |
djm |
variants of the log methods that append a ssherr.h string from a supplied error code; ok markus@
|
#
1.215 |
|
16-Oct-2020 |
djm |
revised log infrastructure for OpenSSH
log functions receive function, filename and line number of caller. We can use this to selectively enable logging via pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.214 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
#
1.213 |
|
27-Aug-2020 |
djm |
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
#
1.212 |
|
07-Jul-2020 |
deraadt |
correct recently broken comments
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/
Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.235 |
|
17-Feb-2023 |
dtucker |
Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this was removed in OpenSSH 7.7 when support for SSH implementations dating back to before RFC standardization were removed. "burn it all" djm@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.234 |
|
15-Jun-2022 |
djm |
make sure that UseDNS hostname lookup happens in the monitor and not in the pledge(2)'d unprivileged process; fixes regression caused by recent refactoring spotted by henning@
|
#
1.233 |
|
27-May-2022 |
djm |
refactor authorized_keys/principals handling
remove "struct ssh *" from arguments - this was only used to pass the remote host/address. These can be passed in instead and the resulting code is less tightly coupled to ssh_api.[ch]
ok dtucker@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.232 |
|
25-Feb-2022 |
djm |
save an unnecessary alloc/free, based on patch from Martin Vahlensieck; ok dtucker@
|
#
1.231 |
|
28-Jan-2022 |
guenther |
When it's the possessive of 'it', it's spelled "its", without the apostrophe.
|
#
1.230 |
|
06-Jan-2022 |
djm |
log signature algorithm during verification by monitor; ok markus
|
#
1.229 |
|
19-Dec-2021 |
djm |
sshd side of hostbound public key auth
This is identical to the standard "publickey" method, but it also includes the initial server hostkey in the message signed by the client.
feedback / ok markus@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.228 |
|
11-Aug-2021 |
djm |
remove a bunch of %p in format strings; leftovers of debuggings past. prompted by Michael Forney, ok dtucker@
|
#
1.227 |
|
02-Jul-2021 |
dtucker |
Remove references to ChallengeResponseAuthentication in favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as deprecated alias so config files continue to work and a reference in the man page for people looking for it.
Prompted by bz#3303 which pointed out the discrepancy between the two when used with Match. Man page help & ok jmc@, with & ok djm@
|
#
1.226 |
|
30-Apr-2021 |
dtucker |
Remove now-unused skey function prototypes leftover from skey removal.
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.225 |
|
15-Apr-2021 |
markus |
do not pass file/func to monitor; noted by Ilja van Sprundel; ok djm@
|
#
1.224 |
|
03-Mar-2021 |
djm |
don't sshbuf_get_u32() into an enum; reported by goetze AT dovetail.com via bz3269
|
#
1.223 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.222 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.221 |
|
26-Jan-2021 |
dtucker |
Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@
|
#
1.220 |
|
22-Jan-2021 |
dtucker |
Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@
|
#
1.219 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.218 |
|
27-Nov-2020 |
djm |
clean up passing of struct passwd from monitor to preauth privsep process. No longer copy entire struct w/ pointer addresses, but pass remaining scalar fields explicitly.
Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@
|
#
1.217 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.216 |
|
18-Oct-2020 |
djm |
variants of the log methods that append a ssherr.h string from a supplied error code; ok markus@
|
#
1.215 |
|
16-Oct-2020 |
djm |
revised log infrastructure for OpenSSH
log functions receive function, filename and line number of caller. We can use this to selectively enable logging via pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.214 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
#
1.213 |
|
27-Aug-2020 |
djm |
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
#
1.212 |
|
07-Jul-2020 |
deraadt |
correct recently broken comments
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH
unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.234 |
|
15-Jun-2022 |
djm |
make sure that UseDNS hostname lookup happens in the monitor and not in the pledge(2)'d unprivileged process; fixes regression caused by recent refactoring spotted by henning@
|
#
1.233 |
|
27-May-2022 |
djm |
refactor authorized_keys/principals handling
remove "struct ssh *" from arguments - this was only used to pass the remote host/address. These can be passed in instead and the resulting code is less tightly coupled to ssh_api.[ch]
ok dtucker@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.232 |
|
25-Feb-2022 |
djm |
save an unnecessary alloc/free, based on patch from Martin Vahlensieck; ok dtucker@
|
#
1.231 |
|
28-Jan-2022 |
guenther |
When it's the possessive of 'it', it's spelled "its", without the apostrophe.
|
#
1.230 |
|
06-Jan-2022 |
djm |
log signature algorithm during verification by monitor; ok markus
|
#
1.229 |
|
19-Dec-2021 |
djm |
sshd side of hostbound public key auth
This is identical to the standard "publickey" method, but it also includes the initial server hostkey in the message signed by the client.
feedback / ok markus@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.228 |
|
11-Aug-2021 |
djm |
remove a bunch of %p in format strings; leftovers of debuggings past. prompted by Michael Forney, ok dtucker@
|
#
1.227 |
|
02-Jul-2021 |
dtucker |
Remove references to ChallengeResponseAuthentication in favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as deprecated alias so config files continue to work and a reference in the man page for people looking for it.
Prompted by bz#3303 which pointed out the discrepancy between the two when used with Match. Man page help & ok jmc@, with & ok djm@
|
#
1.226 |
|
30-Apr-2021 |
dtucker |
Remove now-unused skey function prototypes leftover from skey removal.
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.225 |
|
15-Apr-2021 |
markus |
do not pass file/func to monitor; noted by Ilja van Sprundel; ok djm@
|
#
1.224 |
|
03-Mar-2021 |
djm |
don't sshbuf_get_u32() into an enum; reported by goetze AT dovetail.com via bz3269
|
#
1.223 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.222 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.221 |
|
26-Jan-2021 |
dtucker |
Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@
|
#
1.220 |
|
22-Jan-2021 |
dtucker |
Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@
|
#
1.219 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.218 |
|
27-Nov-2020 |
djm |
clean up passing of struct passwd from monitor to preauth privsep process. No longer copy entire struct w/ pointer addresses, but pass remaining scalar fields explicitly.
Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@
|
#
1.217 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.216 |
|
18-Oct-2020 |
djm |
variants of the log methods that append a ssherr.h string from a supplied error code; ok markus@
|
#
1.215 |
|
16-Oct-2020 |
djm |
revised log infrastructure for OpenSSH
log functions receive function, filename and line number of caller. We can use this to selectively enable logging via pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.214 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
#
1.213 |
|
27-Aug-2020 |
djm |
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
#
1.212 |
|
07-Jul-2020 |
deraadt |
correct recently broken comments
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.233 |
|
27-May-2022 |
djm |
refactor authorized_keys/principals handling
remove "struct ssh *" from arguments - this was only used to pass the remote host/address. These can be passed in instead and the resulting code is less tightly coupled to ssh_api.[ch]
ok dtucker@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.232 |
|
25-Feb-2022 |
djm |
save an unnecessary alloc/free, based on patch from Martin Vahlensieck; ok dtucker@
|
#
1.231 |
|
28-Jan-2022 |
guenther |
When it's the possessive of 'it', it's spelled "its", without the apostrophe.
|
#
1.230 |
|
06-Jan-2022 |
djm |
log signature algorithm during verification by monitor; ok markus
|
#
1.229 |
|
19-Dec-2021 |
djm |
sshd side of hostbound public key auth
This is identical to the standard "publickey" method, but it also includes the initial server hostkey in the message signed by the client.
feedback / ok markus@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.228 |
|
11-Aug-2021 |
djm |
remove a bunch of %p in format strings; leftovers of debuggings past. prompted by Michael Forney, ok dtucker@
|
#
1.227 |
|
02-Jul-2021 |
dtucker |
Remove references to ChallengeResponseAuthentication in favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as deprecated alias so config files continue to work and a reference in the man page for people looking for it.
Prompted by bz#3303 which pointed out the discrepancy between the two when used with Match. Man page help & ok jmc@, with & ok djm@
|
#
1.226 |
|
30-Apr-2021 |
dtucker |
Remove now-unused skey function prototypes leftover from skey removal.
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.225 |
|
15-Apr-2021 |
markus |
do not pass file/func to monitor; noted by Ilja van Sprundel; ok djm@
|
#
1.224 |
|
03-Mar-2021 |
djm |
don't sshbuf_get_u32() into an enum; reported by goetze AT dovetail.com via bz3269
|
#
1.223 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.222 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.221 |
|
26-Jan-2021 |
dtucker |
Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@
|
#
1.220 |
|
22-Jan-2021 |
dtucker |
Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@
|
#
1.219 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.218 |
|
27-Nov-2020 |
djm |
clean up passing of struct passwd from monitor to preauth privsep process. No longer copy entire struct w/ pointer addresses, but pass remaining scalar fields explicitly.
Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@
|
#
1.217 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.216 |
|
18-Oct-2020 |
djm |
variants of the log methods that append a ssherr.h string from a supplied error code; ok markus@
|
#
1.215 |
|
16-Oct-2020 |
djm |
revised log infrastructure for OpenSSH
log functions receive function, filename and line number of caller. We can use this to selectively enable logging via pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.214 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
#
1.213 |
|
27-Aug-2020 |
djm |
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
#
1.212 |
|
07-Jul-2020 |
deraadt |
correct recently broken comments
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's. Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.232 |
|
25-Feb-2022 |
djm |
save an unnecessary alloc/free, based on patch from Martin Vahlensieck; ok dtucker@
|
#
1.231 |
|
28-Jan-2022 |
guenther |
When it's the possessive of 'it', it's spelled "its", without the apostrophe.
|
#
1.230 |
|
06-Jan-2022 |
djm |
log signature algorithm during verification by monitor; ok markus
|
#
1.229 |
|
19-Dec-2021 |
djm |
sshd side of hostbound public key auth
This is identical to the standard "publickey" method, but it also includes the initial server hostkey in the message signed by the client.
feedback / ok markus@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.228 |
|
11-Aug-2021 |
djm |
remove a bunch of %p in format strings; leftovers of debuggings past. prompted by Michael Forney, ok dtucker@
|
#
1.227 |
|
02-Jul-2021 |
dtucker |
Remove references to ChallengeResponseAuthentication in favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as deprecated alias so config files continue to work and a reference in the man page for people looking for it.
Prompted by bz#3303 which pointed out the discrepancy between the two when used with Match. Man page help & ok jmc@, with & ok djm@
|
#
1.226 |
|
30-Apr-2021 |
dtucker |
Remove now-unused skey function prototypes leftover from skey removal.
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.225 |
|
15-Apr-2021 |
markus |
do not pass file/func to monitor; noted by Ilja van Sprundel; ok djm@
|
#
1.224 |
|
03-Mar-2021 |
djm |
don't sshbuf_get_u32() into an enum; reported by goetze AT dovetail.com via bz3269
|
#
1.223 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.222 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.221 |
|
26-Jan-2021 |
dtucker |
Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@
|
#
1.220 |
|
22-Jan-2021 |
dtucker |
Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@
|
#
1.219 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.218 |
|
27-Nov-2020 |
djm |
clean up passing of struct passwd from monitor to preauth privsep process. No longer copy entire struct w/ pointer addresses, but pass remaining scalar fields explicitly.
Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@
|
#
1.217 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.216 |
|
18-Oct-2020 |
djm |
variants of the log methods that append a ssherr.h string from a supplied error code; ok markus@
|
#
1.215 |
|
16-Oct-2020 |
djm |
revised log infrastructure for OpenSSH
log functions receive function, filename and line number of caller. We can use this to selectively enable logging via pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.214 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
#
1.213 |
|
27-Aug-2020 |
djm |
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
#
1.212 |
|
07-Jul-2020 |
deraadt |
correct recently broken comments
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.231 |
|
28-Jan-2022 |
guenther |
When it's the possessive of 'it', it's spelled "its", without the apostrophe.
|
#
1.230 |
|
06-Jan-2022 |
djm |
log signature algorithm during verification by monitor; ok markus
|
#
1.229 |
|
19-Dec-2021 |
djm |
sshd side of hostbound public key auth
This is identical to the standard "publickey" method, but it also includes the initial server hostkey in the message signed by the client.
feedback / ok markus@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.228 |
|
11-Aug-2021 |
djm |
remove a bunch of %p in format strings; leftovers of debuggings past. prompted by Michael Forney, ok dtucker@
|
#
1.227 |
|
02-Jul-2021 |
dtucker |
Remove references to ChallengeResponseAuthentication in favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as deprecated alias so config files continue to work and a reference in the man page for people looking for it.
Prompted by bz#3303 which pointed out the discrepancy between the two when used with Match. Man page help & ok jmc@, with & ok djm@
|
#
1.226 |
|
30-Apr-2021 |
dtucker |
Remove now-unused skey function prototypes leftover from skey removal.
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.225 |
|
15-Apr-2021 |
markus |
do not pass file/func to monitor; noted by Ilja van Sprundel; ok djm@
|
#
1.224 |
|
03-Mar-2021 |
djm |
don't sshbuf_get_u32() into an enum; reported by goetze AT dovetail.com via bz3269
|
#
1.223 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.222 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.221 |
|
26-Jan-2021 |
dtucker |
Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@
|
#
1.220 |
|
22-Jan-2021 |
dtucker |
Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@
|
#
1.219 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.218 |
|
27-Nov-2020 |
djm |
clean up passing of struct passwd from monitor to preauth privsep process. No longer copy entire struct w/ pointer addresses, but pass remaining scalar fields explicitly.
Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@
|
#
1.217 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.216 |
|
18-Oct-2020 |
djm |
variants of the log methods that append a ssherr.h string from a supplied error code; ok markus@
|
#
1.215 |
|
16-Oct-2020 |
djm |
revised log infrastructure for OpenSSH
log functions receive function, filename and line number of caller. We can use this to selectively enable logging via pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.214 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
#
1.213 |
|
27-Aug-2020 |
djm |
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
#
1.212 |
|
07-Jul-2020 |
deraadt |
correct recently broken comments
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.230 |
|
06-Jan-2022 |
djm |
log signature algorithm during verification by monitor; ok markus
|
#
1.229 |
|
19-Dec-2021 |
djm |
sshd side of hostbound public key auth
This is identical to the standard "publickey" method, but it also includes the initial server hostkey in the message signed by the client.
feedback / ok markus@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.228 |
|
11-Aug-2021 |
djm |
remove a bunch of %p in format strings; leftovers of debuggings past. prompted by Michael Forney, ok dtucker@
|
#
1.227 |
|
02-Jul-2021 |
dtucker |
Remove references to ChallengeResponseAuthentication in favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as deprecated alias so config files continue to work and a reference in the man page for people looking for it.
Prompted by bz#3303 which pointed out the discrepancy between the two when used with Match. Man page help & ok jmc@, with & ok djm@
|
#
1.226 |
|
30-Apr-2021 |
dtucker |
Remove now-unused skey function prototypes leftover from skey removal.
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.225 |
|
15-Apr-2021 |
markus |
do not pass file/func to monitor; noted by Ilja van Sprundel; ok djm@
|
#
1.224 |
|
03-Mar-2021 |
djm |
don't sshbuf_get_u32() into an enum; reported by goetze AT dovetail.com via bz3269
|
#
1.223 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.222 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.221 |
|
26-Jan-2021 |
dtucker |
Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@
|
#
1.220 |
|
22-Jan-2021 |
dtucker |
Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@
|
#
1.219 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.218 |
|
27-Nov-2020 |
djm |
clean up passing of struct passwd from monitor to preauth privsep process. No longer copy entire struct w/ pointer addresses, but pass remaining scalar fields explicitly.
Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@
|
#
1.217 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.216 |
|
18-Oct-2020 |
djm |
variants of the log methods that append a ssherr.h string from a supplied error code; ok markus@
|
#
1.215 |
|
16-Oct-2020 |
djm |
revised log infrastructure for OpenSSH
log functions receive function, filename and line number of caller. We can use this to selectively enable logging via pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.214 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
#
1.213 |
|
27-Aug-2020 |
djm |
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
#
1.212 |
|
07-Jul-2020 |
deraadt |
correct recently broken comments
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
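The list semantics described in revisions 1.118 (AuthenticationMethods) and 1.136 (refusing previously-used public keys) can be modelled as below. This is an added example, not OpenSSH code: `auth_init`, `auth_method_ok`, `replay` and the key ids are hypothetical, and it assumes methods are consumed in listed order, as sshd_config(5) documents.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LISTS 8
#define MAX_LEN   128
#define MAX_KEYS  8

enum { AUTH_REFUSED = -1, AUTH_PARTIAL = 0, AUTH_DONE = 1 };

struct auth_state {
	char lists[MAX_LISTS][MAX_LEN];	/* methods still required, per list */
	int nlists;
	char used_keys[MAX_KEYS][64];	/* keys that already authenticated */
	int nused;
};

/* Split a space-separated AuthenticationMethods value into its lists. */
static void auth_init(struct auth_state *st, const char *config)
{
	size_t len;

	memset(st, 0, sizeof(*st));
	while (*config != '\0' && st->nlists < MAX_LISTS) {
		len = strcspn(config, " ");
		if (len > 0 && len < MAX_LEN)
			memcpy(st->lists[st->nlists++], config, len);
		config += len;
		config += strspn(config, " ");
	}
}

/* Remove method from the front of a comma-separated list; 1 if removed. */
static int strip_head(char *list, const char *method)
{
	size_t n = strlen(method);

	if (strncmp(list, method, n) != 0)
		return 0;
	if (list[n] == ',')
		memmove(list, list + n + 1, strlen(list + n + 1) + 1);
	else if (list[n] == '\0')
		list[0] = '\0';
	else
		return 0;	/* method is only a prefix of a longer name */
	return 1;
}

/* Record that a method succeeded; key_id identifies the key for publickey. */
static int auth_method_ok(struct auth_state *st, const char *method,
    const char *key_id)
{
	int i, is_pk, matched = 0, complete = 0;

	is_pk = strcmp(method, "publickey") == 0;
	if (is_pk) {
		if (key_id == NULL || st->nused >= MAX_KEYS)
			return AUTH_REFUSED;
		for (i = 0; i < st->nused; i++)
			if (strcmp(st->used_keys[i], key_id) == 0)
				return AUTH_REFUSED;	/* same key offered twice */
	}
	for (i = 0; i < st->nlists; i++) {
		if (strip_head(st->lists[i], method)) {
			matched = 1;
			if (st->lists[i][0] == '\0')
				complete = 1;
		}
	}
	if (!matched)
		return AUTH_REFUSED;	/* method is not next in any list */
	if (is_pk)
		snprintf(st->used_keys[st->nused++], 64, "%s", key_id);
	return complete ? AUTH_DONE : AUTH_PARTIAL;
}

/* Replay "method[:key] method[:key] ..." and return the last step's result. */
static int replay(const char *config, const char *script)
{
	struct auth_state st;
	char step[MAX_LEN], *key;
	int result = AUTH_REFUSED;
	size_t len;

	auth_init(&st, config);
	while (*script != '\0') {
		len = strcspn(script, " ");
		if (len > 0 && len < sizeof(step)) {
			memcpy(step, script, len);
			step[len] = '\0';
			if ((key = strchr(step, ':')) != NULL)
				*key++ = '\0';
			result = auth_method_ok(&st, step, key);
		}
		script += len;
		script += strspn(script, " ");
	}
	return result;
}

int main(void)
{
	/* Constructed scenarios; keyA and keyB are made-up key ids. */
	printf("%d\n", replay("publickey,publickey", "publickey:keyA publickey:keyA"));
	printf("%d\n", replay("publickey,publickey", "publickey:keyA publickey:keyB"));
	return 0;
}
```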
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
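The difference between a short-circuiting compare and a timing-safe one, as referred to in revisions 1.107 and 1.108, shown as an added example. This is not the OpenBSD implementation: `leaky_cmp`, `ct_cmp` and the 16-byte tag are constructed for illustration, and the loop-iteration count stands in for elapsed time.

```c
#include <stddef.h>
#include <stdio.h>

/* Early-exit compare with the same shape as memcmp(): the number of bytes
 * inspected (*steps) depends on where the first mismatch is. */
static int leaky_cmp(const unsigned char *a, const unsigned char *b,
    size_t n, size_t *steps)
{
	size_t i;

	*steps = 0;
	for (i = 0; i < n; i++) {
		*steps = i + 1;
		if (a[i] != b[i])
			return 1;
	}
	return 0;
}

/* Accumulating compare: every byte is always inspected, and the result is
 * derived only after the loop, so the work done is independent of the data. */
static int ct_cmp(const unsigned char *a, const unsigned char *b,
    size_t n, size_t *steps)
{
	unsigned char diff = 0;
	size_t i;

	for (i = 0; i < n; i++)
		diff |= a[i] ^ b[i];
	*steps = n;
	return diff != 0;
}

/* Constructed sample: a 16-byte expected tag and a guess whose first wrong
 * byte is at index first_bad (first_bad >= 16 means the guess is correct). */
static int run_guess(int constant_time, size_t first_bad, size_t *steps)
{
	unsigned char expected[16], guess[16];
	size_t i;

	for (i = 0; i < sizeof(expected); i++) {
		expected[i] = (unsigned char)(0xA0 + i);
		guess[i] = expected[i];
	}
	if (first_bad < sizeof(guess))
		guess[first_bad] ^= 0xFF;
	if (constant_time)
		return ct_cmp(expected, guess, sizeof(expected), steps);
	return leaky_cmp(expected, guess, sizeof(expected), steps);
}

/* Bytes inspected for a given guess. */
static size_t steps_for_guess(int constant_time, size_t first_bad)
{
	size_t steps = 0;

	(void)run_guess(constant_time, first_bad, &steps);
	return steps;
}

/* 1 if the guess was rejected, 0 if it matched. */
static int guess_rejected(int constant_time, size_t first_bad)
{
	size_t steps = 0;

	return run_guess(constant_time, first_bad, &steps);
}

int main(void)
{
	size_t pos[] = { 0, 8, 15 };
	size_t i;

	for (i = 0; i < sizeof(pos) / sizeof(pos[0]); i++)
		printf("first wrong byte %2zu: leaky=%2zu steps, constant=%2zu steps\n",
		    pos[i], steps_for_guess(0, pos[i]), steps_for_guess(1, pos[i]));
	return 0;
}
```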
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
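The integer-overflow hazard in `malloc(nmemb * size)` that revision 1.75 cites as the reason for xcalloc(), shown as an added example. This is not OpenSSH's xcalloc(): `checked_calloc`, `product_fits` and `hostile_count` are hypothetical names, and the allocator here returns NULL on refusal so the result can be observed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Byte count the unchecked idiom malloc(nmemb * size) would actually request.
 * size_t arithmetic wraps silently, so a huge nmemb can yield a tiny request. */
static size_t unchecked_request(size_t nmemb, size_t size)
{
	return nmemb * size;
}

/* Hypothetical helper: 1 if nmemb * size is representable in size_t, else 0. */
static int product_fits(size_t nmemb, size_t size)
{
	return size == 0 || nmemb <= SIZE_MAX / size;
}

/* Hypothetical checked allocator: refuses zero-sized and overflowing requests
 * instead of handing back a buffer smaller than the caller believes it is. */
static void *checked_calloc(size_t nmemb, size_t size)
{
	if (nmemb == 0 || size == 0)
		return NULL;
	if (!product_fits(nmemb, size))
		return NULL;
	return calloc(nmemb, size);
}

/* Constructed input: a peer-supplied element count chosen so that
 * count * 16 wraps around to a small value. */
static size_t hostile_count(void)
{
	return SIZE_MAX / 16 + 2;
}

int main(void)
{
	size_t n = hostile_count();
	void *p;

	printf("elements requested:      %zu\n", n);
	printf("malloc(n * 16) asks for: %zu bytes\n", unchecked_request(n, 16));

	p = checked_calloc(n, 16);
	printf("checked_calloc(n, 16):   %s\n", p == NULL ? "refused" : "allocated");
	free(p);

	p = checked_calloc(4, 16);
	printf("checked_calloc(4, 16):   %s\n", p == NULL ? "refused" : "allocated");
	free(p);
	return 0;
}
```

A caller that trusted the unchecked 16-byte allocation and then wrote `n` elements into it would write far past the end of the buffer.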
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.229 |
|
19-Dec-2021 |
djm |
sshd side of hostbound public key auth
This is identical to the standard "publickey" method, but it also includes the initial server hostkey in the message signed by the client.
feedback / ok markus@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.228 |
|
11-Aug-2021 |
djm |
remove a bunch of %p in format strings; leftovers of debuggings past. prompted by Michael Forney, ok dtucker@
|
#
1.227 |
|
02-Jul-2021 |
dtucker |
Remove references to ChallengeResponseAuthentication in favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as deprecated alias so config files continue to work and a reference in the man page for people looking for it.
Prompted by bz#3303 which pointed out the discrepancy between the two when used with Match. Man page help & ok jmc@, with & ok djm@
|
#
1.226 |
|
30-Apr-2021 |
dtucker |
Remove now-unused skey function prototypes leftover from skey removal.
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.225 |
|
15-Apr-2021 |
markus |
do not pass file/func to monitor; noted by Ilja van Sprundel; ok djm@
|
#
1.224 |
|
03-Mar-2021 |
djm |
don't sshbuf_get_u32() into an enum; reported by goetze AT dovetail.com via bz3269
|
#
1.223 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.222 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.221 |
|
26-Jan-2021 |
dtucker |
Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@
|
#
1.220 |
|
22-Jan-2021 |
dtucker |
Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@
|
#
1.219 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.218 |
|
27-Nov-2020 |
djm |
clean up passing of struct passwd from monitor to preauth privsep process. No longer copy entire struct w/ pointer addresses, but pass remaining scalar fields explicitly.
Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@
|
#
1.217 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.216 |
|
18-Oct-2020 |
djm |
variants of the log methods that append a ssherr.h string from a supplied error code; ok markus@
|
#
1.215 |
|
16-Oct-2020 |
djm |
revised log infrastructure for OpenSSH
log functions receive function, filename and line number of caller. We can use this to selectively enable logging via pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.214 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
#
1.213 |
|
27-Aug-2020 |
djm |
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
#
1.212 |
|
07-Jul-2020 |
deraadt |
correct recently broken comments
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's. Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4;
Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.228 |
|
11-Aug-2021 |
djm |
remove a bunch of %p in format strings; leftovers of debuggings past. prompted by Michael Forney, ok dtucker@
|
#
1.227 |
|
02-Jul-2021 |
dtucker |
Remove references to ChallengeResponseAuthentication in favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as deprecated alias so config files continue to work and a reference in the man page for people looking for it.
Prompted by bz#3303 which pointed out the discrepancy between the two when used with Match. Man page help & ok jmc@, with & ok djm@
|
#
1.226 |
|
30-Apr-2021 |
dtucker |
Remove now-unused skey function prototypes leftover from skey removal.
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.225 |
|
15-Apr-2021 |
markus |
do not pass file/func to monitor; noted by Ilja van Sprundel; ok djm@
|
#
1.224 |
|
03-Mar-2021 |
djm |
don't sshbuf_get_u32() into an enum; reported by goetze AT dovetail.com via bz3269
|
#
1.223 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.222 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.221 |
|
26-Jan-2021 |
dtucker |
Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@
|
#
1.220 |
|
22-Jan-2021 |
dtucker |
Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@
|
#
1.219 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.218 |
|
27-Nov-2020 |
djm |
clean up passing of struct passwd from monitor to preauth privsep process. No longer copy entire struct w/ pointer addresses, but pass remaining scalar fields explicitly.
Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@
|
#
1.217 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.216 |
|
18-Oct-2020 |
djm |
variants of the log methods that append a ssherr.h string from a supplied error code; ok markus@
|
#
1.215 |
|
16-Oct-2020 |
djm |
revised log infrastructure for OpenSSH
log functions receive function, filename and line number of caller. We can use this to selectively enable logging via pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.214 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
#
1.213 |
|
27-Aug-2020 |
djm |
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
#
1.212 |
|
07-Jul-2020 |
deraadt |
correct recently broken comments
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's. Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.227 |
|
02-Jul-2021 |
dtucker |
Remove references to ChallengeResponseAuthentication in favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as deprecated alias so config files continue to work and a reference in the man page for people looking for it.
Prompted by bz#3303 which pointed out the discrepancy between the two when used with Match. Man page help & ok jmc@, with & ok djm@
|
#
1.226 |
|
30-Apr-2021 |
dtucker |
Remove now-unused skey function prototypes leftover from skey removal.
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.225 |
|
15-Apr-2021 |
markus |
do not pass file/func to monitor; noted by Ilja van Sprundel; ok djm@
|
#
1.224 |
|
03-Mar-2021 |
djm |
don't sshbuf_get_u32() into an enum; reported by goetze AT dovetail.com via bz3269
|
#
1.223 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.222 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.221 |
|
26-Jan-2021 |
dtucker |
Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@
|
#
1.220 |
|
22-Jan-2021 |
dtucker |
Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@
|
#
1.219 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.218 |
|
27-Nov-2020 |
djm |
clean up passing of struct passwd from monitor to preauth privsep process. No longer copy entire struct w/ pointer addresses, but pass remaining scalar fields explicitly.
Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@
|
#
1.217 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.216 |
|
18-Oct-2020 |
djm |
variants of the log methods that append a ssherr.h string from a supplied error code; ok markus@
|
#
1.215 |
|
16-Oct-2020 |
djm |
revised log infrastructure for OpenSSH
log functions receive function, filename and line number of caller. We can use this to selectively enable logging via pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.214 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
#
1.213 |
|
27-Aug-2020 |
djm |
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
#
1.212 |
|
07-Jul-2020 |
deraadt |
correct recently broken comments
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's. Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors rather than exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.226 |
|
30-Apr-2021 |
dtucker |
Remove now-unused skey function prototypes leftover from skey removal.
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.225 |
|
15-Apr-2021 |
markus |
do not pass file/func to monitor; noted by Ilja van Sprundel; ok djm@
|
#
1.224 |
|
03-Mar-2021 |
djm |
don't sshbuf_get_u32() into an enum; reported by goetze AT dovetail.com via bz3269
|
#
1.223 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.222 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.221 |
|
26-Jan-2021 |
dtucker |
Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@
|
#
1.220 |
|
22-Jan-2021 |
dtucker |
Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@
|
#
1.219 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.218 |
|
27-Nov-2020 |
djm |
clean up passing of struct passwd from monitor to preauth privsep process. No longer copy entire struct w/ pointer addresses, but pass remaining scalar fields explicitly.
Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@
|
#
1.217 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.216 |
|
18-Oct-2020 |
djm |
variants of the log methods that append a ssherr.h string from a supplied error code; ok markus@
|
#
1.215 |
|
16-Oct-2020 |
djm |
revised log infrastructure for OpenSSH
log functions receive function, filename and line number of caller. We can use this to selectively enable logging via pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.214 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
#
1.213 |
|
27-Aug-2020 |
djm |
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
#
1.212 |
|
07-Jul-2020 |
deraadt |
correct recently broken comments
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's. Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH
unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.225 |
|
15-Apr-2021 |
markus |
do not pass file/func to monitor; noted by Ilja van Sprundel; ok djm@
|
#
1.224 |
|
03-Mar-2021 |
djm |
don't sshbuf_get_u32() into an enum; reported by goetze AT dovetail.com via bz3269
|
#
1.223 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.222 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.221 |
|
26-Jan-2021 |
dtucker |
Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@
|
#
1.220 |
|
22-Jan-2021 |
dtucker |
Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@
|
#
1.219 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.218 |
|
27-Nov-2020 |
djm |
clean up passing of struct passwd from monitor to preauth privsep process. No longer copy entire struct w/ pointer addresses, but pass remaining scalar fields explicitly,
Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@
|
#
1.217 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.216 |
|
18-Oct-2020 |
djm |
variants of the log methods that append a ssherr.h string from a supplied error code; ok markus@
|
#
1.215 |
|
16-Oct-2020 |
djm |
revised log infrastructure for OpenSSH
log functions receive function, filename and line number of caller. We can use this to selectively enable logging via pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.214 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
#
1.213 |
|
27-Aug-2020 |
djm |
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
#
1.212 |
|
07-Jul-2020 |
deraadt |
correct recently broken comments
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/
Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's. Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.224 |
|
03-Mar-2021 |
djm |
don't sshbuf_get_u32() into an enum; reported by goetze AT dovetail.com via bz3269
|
#
1.223 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.222 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.221 |
|
26-Jan-2021 |
dtucker |
Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@
|
#
1.220 |
|
22-Jan-2021 |
dtucker |
Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@
|
#
1.219 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.218 |
|
27-Nov-2020 |
djm |
clean up passing of struct passwd from monitor to preauth privsep process. No longer copy entire struct w/ pointer addresses, but pass remaining scalar fields explicitly.
Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@
|
#
1.217 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.216 |
|
18-Oct-2020 |
djm |
variants of the log methods that append a ssherr.h string from a supplied error code; ok markus@
|
#
1.215 |
|
16-Oct-2020 |
djm |
revised log infrastructure for OpenSSH
log functions receive function, filename and line number of caller. We can use this to selectively enable logging via pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.214 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
#
1.213 |
|
27-Aug-2020 |
djm |
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
#
1.212 |
|
07-Jul-2020 |
deraadt |
correct recently broken comments
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's. Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.223 |
|
27-Jan-2021 |
djm |
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
|
#
1.222 |
|
27-Jan-2021 |
djm |
remove global variable used to stash compat flags and use the purpose-built ssh->compat variable instead; feedback/ok markus@
|
#
1.221 |
|
26-Jan-2021 |
dtucker |
Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@
|
#
1.220 |
|
22-Jan-2021 |
dtucker |
Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@
|
#
1.219 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.218 |
|
27-Nov-2020 |
djm |
clean up passing of struct passwd from monitor to preauth privsep process. No longer copy entire struct w/ pointer addresses, but pass remaining scalar fields explicitly.
Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@
|
#
1.217 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.216 |
|
18-Oct-2020 |
djm |
variants of the log methods that append a ssherr.h string from a supplied error code; ok markus@
|
#
1.215 |
|
16-Oct-2020 |
djm |
revised log infrastructure for OpenSSH
log functions receive function, filename and line number of caller. We can use this to selectively enable logging via pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.214 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
#
1.213 |
|
27-Aug-2020 |
djm |
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
#
1.212 |
|
07-Jul-2020 |
deraadt |
correct recently broken comments
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's. Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.221 |
|
26-Jan-2021 |
dtucker |
Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@
|
#
1.220 |
|
22-Jan-2021 |
dtucker |
Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@
|
#
1.219 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.218 |
|
27-Nov-2020 |
djm |
clean up passing of struct passwd from monitor to preauth privsep process. No longer copy entire struct w/ pointer addresses, but pass remaining scalar fields explicitly.
Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@
|
#
1.217 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.216 |
|
18-Oct-2020 |
djm |
variants of the log methods that append a ssherr.h string from a supplied error code; ok markus@
|
#
1.215 |
|
16-Oct-2020 |
djm |
revised log infrastructure for OpenSSH
log functions receive function, filename and line number of caller. We can use this to selectively enable logging via pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.214 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
#
1.213 |
|
27-Aug-2020 |
djm |
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
#
1.212 |
|
07-Jul-2020 |
deraadt |
correct recently broken comments
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's. Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.220 |
|
22-Jan-2021 |
dtucker |
Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@
|
#
1.219 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.218 |
|
27-Nov-2020 |
djm |
clean up passing of struct passwd from monitor to preauth privsep process. No longer copy entire struct w/ pointer addresses, but pass remaining scalar fields explicitly.
Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@
|
#
1.217 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.216 |
|
18-Oct-2020 |
djm |
variants of the log methods that append a ssherr.h string from a supplied error code; ok markus@
|
#
1.215 |
|
16-Oct-2020 |
djm |
revised log infrastructure for OpenSSH
log functions receive function, filename and line number of caller. We can use this to selectively enable logging via pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.214 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
#
1.213 |
|
27-Aug-2020 |
djm |
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
#
1.212 |
|
07-Jul-2020 |
deraadt |
correct recently broken comments
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.219 |
|
29-Dec-2020 |
djm |
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself
(note that both the updated method and the one that it replaced are disabled by default)
|
#
1.218 |
|
27-Nov-2020 |
djm |
clean up passing of struct passwd from monitor to preauth privsep process. No longer copy entire struct w/ pointer addresses, but pass remaining scalar fields explicitly.
Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@
|
#
1.217 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.216 |
|
18-Oct-2020 |
djm |
variants of the log methods that append a ssherr.h string from a supplied error code; ok markus@
|
#
1.215 |
|
16-Oct-2020 |
djm |
revised log infrastructure for OpenSSH
log functions receive function, filename and line number of caller. We can use this to selectively enable logging via pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.214 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
#
1.213 |
|
27-Aug-2020 |
djm |
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
#
1.212 |
|
07-Jul-2020 |
deraadt |
correct recently broken comments
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker
ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/
Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's.
Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH
unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.218 |
|
27-Nov-2020 |
djm |
clean up passing of struct passwd from monitor to preauth privsep process. No longer copy entire struct w/ pointer addresses, but pass remaining scalar fields explicitly,
Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@
|
#
1.217 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.216 |
|
18-Oct-2020 |
djm |
variants of the log methods that append a ssherr.h string from a supplied error code; ok markus@
|
#
1.215 |
|
16-Oct-2020 |
djm |
revised log infrastructure for OpenSSH
log functions receive function, filename and line number of caller. We can use this to selectively enable logging via pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.214 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
#
1.213 |
|
27-Aug-2020 |
djm |
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
#
1.212 |
|
07-Jul-2020 |
deraadt |
correct recently broken comments
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.217 |
|
18-Oct-2020 |
djm |
use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
|
#
1.216 |
|
18-Oct-2020 |
djm |
variants of the log methods that append a ssherr.h string from a supplied error code; ok markus@
|
#
1.215 |
|
16-Oct-2020 |
djm |
revised log infrastructure for OpenSSH
log functions receive function, filename and line number of caller. We can use this to selectively enable logging via pattern-lists.
ok markus@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.214 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
#
1.213 |
|
27-Aug-2020 |
djm |
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
#
1.212 |
|
07-Jul-2020 |
deraadt |
correct recently broken comments
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH
unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.214 |
|
27-Aug-2020 |
djm |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
feedback and ok markus@
|
#
1.213 |
|
27-Aug-2020 |
djm |
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
#
1.212 |
|
07-Jul-2020 |
deraadt |
correct recently broken comments
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's. Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.212 |
|
07-Jul-2020 |
deraadt |
correct recently broken comments
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.211 |
|
05-Jul-2020 |
djm |
some language improvements; ok markus
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.210 |
|
13-Mar-2020 |
djm |
spelling errors in comments; no code change from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's. Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.209 |
|
26-Feb-2020 |
jsg |
change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. See VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's. Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH
unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.208 |
|
06-Feb-2020 |
naddy |
Replace "security key" with "authenticator" in program messages.
This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH
unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.207 |
|
23-Jan-2020 |
dtucker |
Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's. Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.206 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.205 |
|
25-Nov-2019 |
djm |
redundant test
|
#
1.204 |
|
25-Nov-2019 |
djm |
add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
feedback deraadt, ok markus
|
#
1.203 |
|
25-Nov-2019 |
djm |
Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key).
ok markus@
|
#
1.202 |
|
25-Nov-2019 |
djm |
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/
Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH
unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.201 |
|
19-Nov-2019 |
djm |
a little more information from the monitor when signature verification fails.
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's
Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.200 |
|
31-Oct-2019 |
djm |
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's
Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.199 |
|
07-Oct-2019 |
djm |
reversed test yielded incorrect debug message
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's. Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.198 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker
ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's
Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH
unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.197 |
|
21-Jan-2019 |
djm |
merge kexkem[cs] into kexgen
from markus@ ok djm@
|
#
1.196 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla ECDH
from markus@ ok djm@
|
#
1.195 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla DH KEX
from markus@ ok djm@
|
#
1.194 |
|
21-Jan-2019 |
djm |
use KEM API for vanilla c25519 KEX
|
#
1.193 |
|
21-Jan-2019 |
djm |
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
#
1.192 |
|
19-Jan-2019 |
djm |
remove last references to active_state
with & ok markus@
|
#
1.191 |
|
19-Jan-2019 |
djm |
convert monitor.c to new packet API
with & ok markus@
|
#
1.190 |
|
19-Jan-2019 |
djm |
convert auth.c to new packet API
with & ok markus@
|
#
1.189 |
|
19-Jan-2019 |
djm |
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's. Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.188 |
|
16-Nov-2018 |
djm |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's. Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH
unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.187 |
|
13-Sep-2018 |
djm |
hold our collective noses and use the openssl-1.1.x API in OpenSSH; feedback and ok tb@ jsing@ markus@
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/
Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.186 |
|
20-Jul-2018 |
djm |
remove unused zlib.h
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's. Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.185 |
|
11-Jul-2018 |
markus |
remove legacy key emulation layer; ok djm@
|
#
1.184 |
|
10-Jul-2018 |
djm |
kerberos/gssapi fixes for buffer removal
|
#
1.183 |
|
09-Jul-2018 |
markus |
sshd: switch monitor to sshbuf API; lots of help & ok djm@
|
#
1.182 |
|
09-Jul-2018 |
markus |
sshd: switch authentication to sshbuf API; ok djm@
|
#
1.181 |
|
09-Jul-2018 |
markus |
sshd: switch loginmsg to sshbuf API; ok djm@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/
Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH
unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.180 |
|
03-Mar-2018 |
djm |
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.179 |
|
05-Feb-2018 |
tb |
Add a couple of non-negativity checks to avoid close(-1).
ok djm
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/
Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH
unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.178 |
|
23-Jan-2018 |
djm |
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations.
ok markus@
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/
Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset
ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's
Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH
unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|
#
1.177 |
|
21-Dec-2017 |
djm |
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan.
|
#
1.176 |
|
18-Dec-2017 |
djm |
pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
|
#
1.175 |
|
05-Oct-2017 |
djm |
replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.174 |
|
02-Oct-2017 |
djm |
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
|
#
1.173 |
|
12-Sep-2017 |
djm |
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@
|
#
1.172 |
|
24-Jun-2017 |
djm |
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@
|
#
1.171 |
|
31-May-2017 |
markus |
use SO_ZEROIZE for privsep communication (if available)
|
#
1.170 |
|
31-May-2017 |
markus |
clear session keys from memory; ok djm@
|
#
1.169 |
|
30-May-2017 |
markus |
switch auth2-pubkey.c to modern APIs; with & ok djm@
|
#
1.168 |
|
30-May-2017 |
markus |
switch from Key typedef with struct sshkey; ok djm@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.167 |
|
03-Feb-2017 |
djm |
use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g.
Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
ok markus@ bz#113
|
#
1.166 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.165 |
|
05-Sep-2016 |
djm |
enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen for testing; ok markus@
|
#
1.164 |
|
30-Aug-2016 |
djm |
restrict monitor auth calls to be allowed only when their respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
|
#
1.163 |
|
19-Aug-2016 |
djm |
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
|
#
1.162 |
|
13-Aug-2016 |
markus |
remove ssh1 server code; ok djm@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.161 |
|
22-Jul-2016 |
djm |
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
|
#
1.160 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
#
1.159 |
|
02-May-2016 |
djm |
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
|
#
1.158 |
|
07-Mar-2016 |
djm |
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.157 |
|
15-Feb-2016 |
djm |
memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen
|
#
1.156 |
|
14-Jan-2016 |
markus |
remove roaming support; ok djm@
|
#
1.155 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
#
1.154 |
|
20-Oct-2015 |
mmcc |
Compare pointers to NULL rather than 0.
ok djm@
|
#
1.153 |
|
04-Sep-2015 |
djm |
don't record hostbased authentication hostkeys as user keys in test for multiple authentication with the same key
|
#
1.152 |
|
02-Sep-2015 |
jsg |
Fix occurrences of "r = func() != 0" which result in the wrong error codes being returned due to != having higher precedence than =.
ok deraadt@ markus@
|
#
1.151 |
|
21-Aug-2015 |
deraadt |
Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like. Discussed with tedu, millert, otto.... and ok djm
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.150 |
|
22-Jun-2015 |
djm |
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@
|
#
1.149 |
|
04-May-2015 |
djm |
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing out an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools.
ok markus@
|
#
1.148 |
|
01-May-2015 |
djm |
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
|
#
1.147 |
|
27-Apr-2015 |
djm |
fix compilation with OPENSSL=no; ok dtucker@
|
#
1.146 |
|
17-Apr-2015 |
djm |
don't call record_login() in monitor when UseLogin is enabled; bz#278 reported by drk AT sgi.com; ok dtucker
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.145 |
|
20-Feb-2015 |
djm |
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
|
#
1.144 |
|
16-Feb-2015 |
djm |
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered.
ok markus@
|
#
1.143 |
|
13-Feb-2015 |
markus |
make rekey_limit for sshd w/privsep work; ok djm@ dtucker@
|
#
1.142 |
|
06-Feb-2015 |
millert |
SIZE_MAX is standard, we should be using it in preference to the obsolete SIZE_T_MAX. OK miod@ beck@
|
#
1.141 |
|
20-Jan-2015 |
deraadt |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
1.140 |
|
19-Jan-2015 |
markus |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
1.139 |
|
19-Jan-2015 |
markus |
update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@
|
#
1.138 |
|
14-Jan-2015 |
djm |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
1.137 |
|
13-Jan-2015 |
djm |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
1.136 |
|
22-Dec-2014 |
djm |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.135 |
|
15-Jul-2014 |
millert |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
1.134 |
|
24-Jun-2014 |
djm |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
1.133 |
|
03-May-2014 |
markus |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
1.132 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.131 |
|
02-Feb-2014 |
djm |
convert memset of potentially-private data to explicit_bzero()
|
#
1.130 |
|
31-Jan-2014 |
tedu |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
1.129 |
|
29-Jan-2014 |
djm |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
1.128 |
|
04-Nov-2013 |
markus |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.127 |
|
19-Jul-2013 |
markus |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
1.126 |
|
21-Jun-2013 |
djm |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
1.125 |
|
19-May-2013 |
djm |
Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
1.124 |
|
17-May-2013 |
djm |
bye, bye xfree(); ok markus@
|
#
1.123 |
|
16-May-2013 |
dtucker |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
1.122 |
|
07-Mar-2013 |
markus |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
1.121 |
|
07-Mar-2013 |
djm |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.120 |
|
11-Dec-2012 |
markus |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
1.119 |
|
02-Dec-2012 |
djm |
Fixes logging of partial authentication when privsep is enabled. Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
1.118 |
|
04-Nov-2012 |
djm |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.117 |
|
22-Jun-2012 |
dtucker |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.116 |
|
05-Jan-2012 |
djm |
memleak on error path
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.115 |
|
23-Jun-2011 |
djm |
ignore EINTR errors from poll()
|
#
1.114 |
|
17-Jun-2011 |
djm |
make the pre-auth privsep slave log via a socketpair shared with the monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
|
#
1.113 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.112 |
|
20-May-2011 |
djm |
use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
#
1.111 |
|
15-May-2011 |
djm |
use FD_CLOEXEC consistently; patch from zion AT x96.org
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.110 |
|
09-Sep-2010 |
djm |
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases.
This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client.
ok naddy@
|
#
1.109 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.108 |
|
13-Jul-2010 |
djm |
s/timing_safe_cmp/timingsafe_bcmp/g
|
#
1.107 |
|
13-Jul-2010 |
djm |
implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.106 |
|
07-Mar-2010 |
dtucker |
Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
|
#
1.105 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. See VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.104 |
|
12-Jun-2009 |
andreas |
Fix warnings found by chl@ and djm@ and change roaming_atomicio's return type to match atomicio's. Diff from djm@, ok markus@
|
#
1.103 |
|
28-May-2009 |
andreas |
Keep track of number of bytes read and written. Needed for upcoming changes. Most code from Martin Forssen, maf at appgate dot com. ok markus@
|
#
1.102 |
|
25-May-2009 |
andreas |
Put the globals in packet.c into a struct and don't access it directly from other files. No functional changes. ok markus@ djm@
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.101 |
|
12-Feb-2009 |
djm |
some paranoia: check that the serialised key is really KEY_RSA before diddling its internals
|
#
1.100 |
|
04-Nov-2008 |
djm |
Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.99 |
|
10-Jul-2008 |
markus |
sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@
|
#
1.98 |
|
04-Jul-2008 |
dtucker |
Make debug a little clearer. ok djm@
|
#
1.97 |
|
13-Jun-2008 |
dtucker |
Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm@
|
#
1.96 |
|
08-May-2008 |
djm |
Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
#
1.95 |
|
08-May-2008 |
djm |
Implement a channel success/failure status confirmation callback mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel).
Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
ok markus@ (as part of a larger diff)
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.94 |
|
29-Oct-2007 |
dtucker |
Send config block back to slave for invalid users too so options set by a Match block (eg Banner) behave the same for non-existent users. Found by and ok djm@
|
#
1.93 |
|
21-Sep-2007 |
djm |
unifdef -DBSD_AUTH unifdef -USKEY
These options have been in use for some years; ok markus@ "no objection" millert@
|
#
1.92 |
|
04-Sep-2007 |
djm |
make file descriptor passing code return an error rather than call fatal() when it encounters problems, and use this to make session multiplexing masters survive slaves failing to pass all stdio FDs; ok markus@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.91 |
|
17-May-2007 |
djm |
pass received SIGINT from monitor to postauth child so it can clean up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; ok markus@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.90 |
|
19-Feb-2007 |
dtucker |
Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
|
#
1.89 |
|
07-Nov-2006 |
markus |
correctly check for bad signatures in the monitor, otherwise the monitor and the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.88 |
|
12-Aug-2006 |
miod |
branches: 1.88.4; Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes)
|
#
1.87 |
|
06-Aug-2006 |
stevesk |
"zlib.h" can be <zlib.h>; ok djm@ markus@
|
#
1.86 |
|
04-Aug-2006 |
stevesk |
spaces
|
#
1.85 |
|
03-Aug-2006 |
deraadt |
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
|
#
1.84 |
|
26-Jul-2006 |
stevesk |
move #include <stdlib.h> out of includes.h
|
#
1.83 |
|
26-Jul-2006 |
stevesk |
move #include <sys/param.h> out of includes.h
|
#
1.82 |
|
22-Jul-2006 |
stevesk |
move #include <string.h> out of includes.h
|
#
1.81 |
|
11-Jul-2006 |
stevesk |
move #include <errno.h> out of includes.h; ok markus@
|
#
1.80 |
|
09-Jul-2006 |
stevesk |
move #include <fcntl.h> out of includes.h
|
#
1.79 |
|
08-Jul-2006 |
stevesk |
missed these from last commit: move #include <sys/socket.h> out of includes.h
|
#
1.78 |
|
06-Jul-2006 |
stevesk |
move #include <pwd.h> out of includes.h; ok markus@
|
#
1.77 |
|
30-Mar-2006 |
dtucker |
Prevent duplicate log messages when privsep=yes; ok djm@
|
#
1.76 |
|
25-Mar-2006 |
djm |
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
|
#
1.75 |
|
25-Mar-2006 |
djm |
introduce xcalloc() and xasprintf() failure-checked allocation functions and use them throughout openssh
xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die
feedback and ok deraadt@
|
#
1.74 |
|
20-Mar-2006 |
deraadt |
spacing
|
#
1.73 |
|
20-Mar-2006 |
deraadt |
annoying spacing fixes getting in the way of real diffs
|
#
1.72 |
|
20-Mar-2006 |
djm |
memory leaks detected by Coverity via elad AT netbsd.org; deraadt@ ok
that should be all of them now
|
#
1.71 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.70 |
|
19-Mar-2006 |
deraadt |
RCSID() can die
|
#
1.69 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.68 |
|
20-Feb-2006 |
stevesk |
branches: 1.68.2; move #include <signal.h> out of includes.h; ok markus@
|
#
1.67 |
|
10-Feb-2006 |
stevesk |
move #include <sys/wait.h> out of includes.h; ok markus@
|
#
1.66 |
|
08-Feb-2006 |
stevesk |
small KNF
|
#
1.65 |
|
08-Feb-2006 |
stevesk |
move #include <paths.h> out of includes.h; ok markus@
|
#
1.64 |
|
13-Oct-2005 |
stevesk |
KNF; ok djm@
|
Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
|
#
1.63 |
|
10-Mar-2005 |
deraadt |
branches: 1.63.2; 1.63.4; spacing
|
#
1.62 |
|
30-Jan-2005 |
dtucker |
Make code match intent; ok djm@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.61 |
|
17-Jul-2004 |
dtucker |
branches: 1.61.2; Move "Last logged in at.." message generation to the monitor, right before recording the new login. Fixes missing lastlog message when /var/log/lastlog is not world-readable and incorrect datestamp when multiple sessions are used (bz #463); much assistance & ok markus@
|
#
1.60 |
|
22-Jun-2004 |
dtucker |
Change login->username, will prevent -Wshadow errors in Portable; ok markus@
|
#
1.59 |
|
21-Jun-2004 |
avsm |
make ssh -Wshadow clean, no functional changes markus@ ok
|
#
1.58 |
|
13-Jun-2004 |
djm |
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
#
1.57 |
|
11-May-2004 |
deraadt |
improve some code lint did not like; djm millert ok
|
#
1.56 |
|
09-May-2004 |
djm |
kill some more tiny files; ok deraadt@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.55 |
|
05-Feb-2004 |
dtucker |
branches: 1.55.2; Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
|
#
1.54 |
|
21-Nov-2003 |
djm |
unexpand and delete whitespace at EOL; ok markus@
|
#
1.53 |
|
18-Nov-2003 |
djm |
unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@
|
#
1.52 |
|
17-Nov-2003 |
markus |
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
|
#
1.51 |
|
04-Nov-2003 |
djm |
standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather than pw != NULL; ok markus@
|
#
1.50 |
|
23-Sep-2003 |
markus |
replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt early to allow simpler cleanup in sshd. tested by many, ok deraadt@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.49 |
|
28-Aug-2003 |
markus |
branches: 1.49.2; remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
|
#
1.48 |
|
26-Aug-2003 |
markus |
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
|
#
1.47 |
|
24-Aug-2003 |
deraadt |
64 bit cleanups; markus ok
|
#
1.46 |
|
22-Aug-2003 |
markus |
support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
|
#
1.45 |
|
22-Jul-2003 |
markus |
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@
|
#
1.44 |
|
24-Jun-2003 |
markus |
int -> u_int; ok djm@, deraadt@, mouring@
|
#
1.43 |
|
12-Jun-2003 |
markus |
typos; dtucker at zip.com.au
|
#
1.42 |
|
02-Jun-2003 |
markus |
deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@
|
#
1.41 |
|
24-May-2003 |
djm |
cast some types for printing; ok markus@
|
#
1.40 |
|
14-May-2003 |
markus |
http://bugzilla.mindrot.org/show_bug.cgi?id=560 Privsep child continues to run after monitor killed. Pass monitor signals through to child; Darren Tucker
|
#
1.39 |
|
14-May-2003 |
markus |
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
|
#
1.38 |
|
08-Apr-2003 |
itojun |
rename log() into logit() to avoid name conflict. markus ok, from netbsd
|
#
1.37 |
|
02-Apr-2003 |
markus |
reapply rekeying change, tested by henning@, ok djm@
|
#
1.36 |
|
01-Apr-2003 |
markus |
backout rekeying changes (for 3.6.1)
|
#
1.35 |
|
01-Apr-2003 |
markus |
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
  (a) after 2^31 packets, because after 2^32 packets the sequence number for packets wraps
  (b) after 2^(blocksize_in_bits/4) blocks (see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
  (a) and (b) are _enabled_ by default, and only disabled for known openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.34 |
|
23-Mar-2003 |
markus |
branches: 1.34.2; unbreak rekeying for privsep; ok millert@
|
#
1.33 |
|
05-Mar-2003 |
markus |
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
|
#
1.32 |
|
16-Feb-2003 |
markus |
fix permitrootlogin forced-commands-only for privsep; bug #387; ok provos@
|
#
1.31 |
|
04-Feb-2003 |
markus |
skey/bsdauth: use 0 to indicate failure instead of -1, because the buffer API only supports unsigned ints.
|
#
1.30 |
|
05-Nov-2002 |
markus |
handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
|
Revision tags: OPENBSD_3_2_BASE
|
#
1.29 |
|
26-Sep-2002 |
markus |
branches: 1.29.2; krb4 + privsep; ok dugsong@, deraadt@
|
#
1.28 |
|
24-Sep-2002 |
markus |
only call kerberos code for authctxt->valid
|
#
1.27 |
|
23-Sep-2002 |
markus |
only call auth_krb5 if kerberos is enabled; ok deraadt@
|
#
1.26 |
|
09-Sep-2002 |
markus |
signed vs unsigned from -pedantic; ok henning@
|
#
1.25 |
|
09-Sep-2002 |
itojun |
kerberos support for privsep. confirmed to work by lha@stacken.kth.se patch from markus
|
#
1.24 |
|
29-Aug-2002 |
stevesk |
pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org> NOTE: there are also p-specific parts to this patch. ok markus@
|
#
1.23 |
|
02-Aug-2002 |
millert |
Change mm_zalloc() sanity checks to be more in line with what we do in calloc() and add a check to monitor_mm.c. OK provos@ and markus@
|
#
1.22 |
|
22-Jul-2002 |
stevesk |
u_int here; ok provos@
|
#
1.21 |
|
27-Jun-2002 |
deraadt |
use xfree()
|
#
1.20 |
|
27-Jun-2002 |
deraadt |
improve mm_zalloc check; markus ok
|
#
1.19 |
|
26-Jun-2002 |
deraadt |
correct %u
|
#
1.18 |
|
26-Jun-2002 |
deraadt |
be careful in mm_zalloc
|
#
1.17 |
|
22-Jun-2002 |
stevesk |
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@
|
#
1.16 |
|
21-Jun-2002 |
djm |
Don't initialise compression buffers when compression=no in sshd_config; ok Niels@
|
#
1.15 |
|
19-Jun-2002 |
markus |
make the monitor sync the transfer ssh1 session key; transfer keycontext only for RC4 (this still depends on EVP implementation details and is broken).
|
#
1.14 |
|
04-Jun-2002 |
markus |
__FUNCTION__ -> __func__
|
#
1.13 |
|
04-Jun-2002 |
markus |
save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@
|
#
1.12 |
|
04-Jun-2002 |
markus |
only allow enabled authentication methods; ok provos@
|
#
1.11 |
|
15-May-2002 |
mouring |
branches: 1.11.2; 1.11.4; 'monitor' variable clashes with at least one lame platform (NeXT). Renamed to 'pmonitor'. provos@
|
#
1.10 |
|
12-May-2002 |
djm |
Fix sshd Banner option for privsep; ok markus@ provos@
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.9 |
|
30-Mar-2002 |
markus |
branches: 1.9.2; check waitpid for EINTR; based on patch from peter@ifm.liu.se
|
#
1.8 |
|
27-Mar-2002 |
mouring |
monitor_allowed_key() returns int instead of pointer. ok markus@
|
#
1.7 |
|
24-Mar-2002 |
stevesk |
remove "\n" from fatal()
|
#
1.6 |
|
21-Mar-2002 |
stevesk |
fix NULL %s on debug3(); ok markus@
|
#
1.5 |
|
19-Mar-2002 |
markus |
use SSH_SESSION_KEY_LENGTH for key length
|
#
1.4 |
|
19-Mar-2002 |
markus |
make getpwnamallow() always call pwcopy()
|
#
1.3 |
|
19-Mar-2002 |
markus |
whitespace KNF
|
#
1.2 |
|
19-Mar-2002 |
markus |
clean up prototypes
|
#
1.1 |
|
18-Mar-2002 |
provos |
implementation of the interface between privileged and unprivileged process for ssh-privsep
|