1.71 | 30-Mar-2022 | djm
select post-quantum KEX sntrup761x25519-sha512@openssh.com as the default; ok markus@

1.70 | 10-Nov-2021 | djm
add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones).
ok markus@

Revision tags: OPENBSD_7_0_BASE

1.69 | 29-Aug-2021 | djm
After years of forewarning, disable the RSA/SHA-1 signature algorithm by default. It is feasible to create colliding SHA1 hashes, so we need to deprecate its use.
RSA/SHA-256/512 remains available and will be transparently selected instead of RSA/SHA1 for most SSH servers released in the last five+ years. There is no need to regenerate RSA keys.
The use of RSA/SHA1 can be re-enabled by adding "ssh-rsa" to the PubkeyAcceptedAlgorithms directives on the client and server.
ok dtucker deraadt

Revision tags: OPENBSD_6_9_BASE

1.68 | 03-Oct-2020 | djm
prefer ed25519 signature algorithm variants to ECDSA; ok markus@

Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE

1.67 | 24-Jan-2020 | djm
remove ssh-rsa (SHA1) from the list of allowed CA signature algorithms; ok markus

1.66 | 23-Jan-2020 | dtucker
Remove unsupported algorithms from list of defaults at run time and remove ifdef and distinct settings for OPENSSL=no case.
This will make things much simpler for -portable where the exact set of algos depends on the configuration of both OpenSSH and the libcrypto it's linked against (if any). ok djm@

1.65 | 22-Jan-2020 | tedu
remove diffie-hellman-group14-sha1 from default kex to see what happens. general mostly ok

1.64 | 16-Dec-2019 | djm
sort sk-* methods behind their plain key methods cousins for now

1.63 | 15-Dec-2019 | djm
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@

1.62 | 10-Dec-2019 | djm
add security key types to list of keys allowed to act as CAs; spotted by Ron Frederick

1.61 | 12-Nov-2019 | markus
enable ed25519 support; ok djm

1.60 | 01-Nov-2019 | djm
remove duplicate PUBKEY_DEFAULT_PK_ALG on !WITH_OPENSSL path

1.59 | 31-Oct-2019 | djm
Separate myproposal.h userauth pubkey types
U2F/FIDO keys are not supported for host authentication, so we need a separate list for user keys.
feedback & ok markus@

Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE

1.58 | 23-Feb-2019 | djm
openssh-7.9 accidentally reused the server's algorithm lists in the client for KEX, ciphers and MACs. The ciphers and MACs were identical between the client and server, but the error accidentally disabled the diffie-hellman-group-exchange-sha1 KEX method.
This fixes the client code to use the correct method list, but because nobody complained, it also disables the diffie-hellman-group-exchange-sha1 KEX method.
Reported by nuxi AT vault24.org via bz#2697; ok dtucker

Revision tags: OPENBSD_6_4_BASE

1.57 | 12-Sep-2018 | djm
add SSH_ALLOWED_CA_SIGALGS - the default list of signature algorithms that are allowed for CA signatures. Notably excludes ssh-dsa.
ok markus@

1.56 | 03-Jul-2018 | djm
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@

Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE

1.55 | 07-May-2017 | djm
Don't offer CBC ciphers by default in the client. ok markus@

Revision tags: OPENBSD_6_1_BASE

1.54 | 28-Sep-2016 | djm
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.

1.53 | 22-Sep-2016 | djm
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)

1.52 | 05-Sep-2016 | djm
remove 3des-cbc from the client's default proposal; 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like sweet32 are extended to SSH.
As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the defaults, but it's highly likely that such devices already need explicit configuration for KEX and hostkeys anyway.
ok deraadt, markus, dtucker

Revision tags: OPENBSD_6_0_BASE

1.51 | 02-May-2016 | djm
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03:
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker; ok markus@

Revision tags: OPENBSD_5_9_BASE

1.50 | 09-Feb-2016 | djm
turn off more old crypto in the client: hmac-md5, ripemd, truncated HMACs, RC4, blowfish. ok markus@ dtucker@

1.49 | 05-Dec-2015 | markus
prefer rsa-sha2-512 over -256 for hostkeys, too; noticed by naddy@

1.48 | 04-Dec-2015 | markus
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@

Revision tags: OPENBSD_5_8_BASE

1.47 | 10-Jul-2015 | markus
Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@

1.46 | 03-Jul-2015 | djm
turn off 1024 bit diffie-hellman-group1-sha1 key exchange method (already off in server, this turns it off in the client by default too); ok dtucker@

1.45 | 03-Jul-2015 | djm
delete support for legacy v00 certificates; "sure" markus@ dtucker@

1.44 | 27-May-2015 | dtucker
Reorder client proposal to prefer diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1. ok djm@

1.43 | 21-Apr-2015 | jsg
Add back a backslash removed in rev 1.42 so KEX_SERVER_ENCRYPT will include aes again.
ok deraadt@

1.42 | 24-Mar-2015 | djm
promote chacha20-poly1305@openssh.com to be the default cipher; ok markus

Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE

1.41 | 11-Jul-2014 | tedu
by popular demand, add back hmac-sha1 to server proposal for better compat with many clients still in use. ok deraadt

1.40 | 30-Apr-2014 | naddy
UMAC can use our local fallback implementation of AES when OpenSSL isn't available. Glue code straight from Ted Krovetz's original umac.c. ok markus@

1.39 | 29-Apr-2014 | markus
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm

1.38 | 27-Mar-2014 | markus
disable weak proposals in sshd, but keep them in ssh; ok djm@

1.37 | 26-Mar-2014 | deraadt
The current sharing of myproposal[] between both client and server code makes the previous diff highly unpalatable. We want to go in that direction for the server, but not for the client. Sigh. Brought up by naddy.

1.36 | 25-Mar-2014 | markus
trim default proposals.
This commit removes the weaker pre-SHA2 hashes, the broken ciphers (arcfour), and the broken modes (CBC) from the default configuration (the patch only changes the default, all the modes are still available for the config files).
ok djm@, reminded by tedu@ & naddy@ and discussed with many

Revision tags: OPENBSD_5_5_BASE

1.35 | 06-Dec-2013 | markus
support ed25519 keys (hostkeys and user identities) using the public domain ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html; feedback, help & ok djm@

1.34 | 21-Nov-2013 | djm
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC; ok markus@ naddy@

1.33 | 02-Nov-2013 | markus
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@

Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE

1.32 | 08-Jan-2013 | markus
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling); ok and feedback djm@

1.31 | 11-Dec-2012 | markus
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@

1.30 | 04-Oct-2012 | markus
add umac128 variant; ok djm@ at n2k12

Revision tags: OPENBSD_5_2_BASE

1.29 | 28-Jun-2012 | dtucker
Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed from draft6 of the spec and will not be in the RFC when published. Patch from mdb at juniper net via bz#2023, ok markus.

Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE

1.28 | 02-Aug-2011 | djm
Add new SHA256 and SHA512 based HMAC modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
feedback and ok markus@

Revision tags: OPENBSD_4_9_BASE

1.27 | 01-Sep-2010 | djm
prefer ECDH in a 256 bit curve field; prompted by naddy@

1.26 | 31-Aug-2010 | djm
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@

Revision tags: OPENBSD_4_8_BASE

1.25 | 16-Apr-2010 | djm
revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the following changes:
move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash
Rename "constraints" field to "critical options"
Add a new non-critical "extensions" field
Add a serial number
The older format is still supported for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)
ok markus@

Revision tags: OPENBSD_4_7_BASE

1.24 | 26-Feb-2010 | djm
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. See VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@

Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE

1.23 | 23-Jan-2009 | djm
prefer CTR modes and revised arcfour (i.e. w/ discard) modes to CBC modes; ok markus@

Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE

1.22 | 07-Jun-2007 | pvalchev
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@

Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE

1.21 | 25-Mar-2006 | djm
standardise spacing in $OpenBSD$ tags; requested by deraadt@

1.20 | 19-Mar-2006 | deraadt
spacing

1.19 | 07-Mar-2006 | djm
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY

Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE

1.18 | 25-Jul-2005 | markus | branches: 1.18.2; 1.18.4
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@

1.17 | 23-May-2005 | djm
add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes; ok markus@

Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE

1.16 | 13-Jun-2004 | djm | branches: 1.16.2; 1.16.4
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@

Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE

1.15 | 17-May-2003 | markus | branches: 1.15.2; 1.15.4
experimental support for aes-ctr modes from http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt; ok djm@

Revision tags: OPENBSD_3_1_BASE OPENBSD_3_2_BASE OPENBSD_3_3_BASE

1.14 | 03-Apr-2002 | markus | branches: 1.14.4; 1.14.6
re-add rijndael-cbc@lysator.liu.se for MacSSH; ash@lab.poc.net

1.13 | 21-Jan-2002 | markus
remove "rijndael-*", just use "aes-" since this is how rijndael is called in the drafts; ok stevesk@

Revision tags: OPENBSD_2_9_BASE OPENBSD_3_0_BASE

1.12 | 05-Mar-2001 | deraadt | branches: 1.12.2; 1.12.4
switch to aes128-cbc/hmac-md5 by default in SSH2 -- faster; provos & markus ok

1.11 | 11-Feb-2001 | markus
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@

1.10 | 29-Jan-2001 | niklas
$OpenBSD$

1.9 | 12-Nov-2000 | markus
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.

Revision tags: OPENBSD_2_8_BASE

1.8 | 13-Oct-2000 | markus | branches: 1.8.2
prefer no compression

1.7 | 13-Oct-2000 | markus
rijndael/aes support

1.6 | 11-Oct-2000 | markus
new cipher framework

1.5 | 11-Oct-2000 | provos
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.

1.4 | 07-Sep-2000 | deraadt
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.

1.3 | 25-May-2000 | markus
split kexinit/kexdh, factor out common code

Revision tags: OPENBSD_2_7_BASE

1.2 | 08-May-2000 | markus | branches: 1.2.2
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)

1.1 | 04-Apr-2000 | markus
ssh2 client implementation, interops w/ ssh.com and lsh servers.
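The preference lists this log maintains are consumed by SSH algorithm negotiation (RFC 4253 section 7.1): the chosen algorithm is the first entry of the client's list that the server also offers, so the client-side reorders and removals recorded above (1.44, 1.49, 1.52, 1.68, 1.69) directly decide what gets negotiated. The example below is added here and is not OpenSSH's code; the proposal strings are constructed rather than copied from myproposal.h, and the LEGACY set is an assumption drawn from the algorithms the log records as dropped from the defaults.

```python
from typing import Dict, List, Optional

# Algorithms this log records as removed from the defaults for being weak
# (revisions 1.36, 1.46, 1.50, 1.52, 1.65, 1.69). Constructed audit set.
LEGACY = frozenset({
    "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1", "3des-cbc", "arcfour",
    "hmac-md5", "hmac-sha1-96", "ssh-rsa",
})


def negotiate(client: str, server: str) -> Optional[str]:
    """RFC 4253 section 7.1: the chosen algorithm is the first name in the
    client's comma-separated list that the server lists at all. Only the
    client's order matters, which is why the client reorders in this log
    (1.44, 1.49, 1.68) change what is negotiated."""
    offered = set(server.split(","))
    for name in client.split(","):
        if name in offered:
            return name
    return None  # nothing in common: the connection fails


def negotiate_all(client: Dict[str, str],
                  server: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Apply the rule to every proposal field of a KEXINIT pair."""
    return {field: negotiate(client[field], server[field]) for field in client}


def audit(chosen: Dict[str, Optional[str]]) -> List[str]:
    """Defender's check: fields where a legacy algorithm was negotiated."""
    return [f"{field}={alg}" for field, alg in chosen.items() if alg in LEGACY]


def reenable(proposal: str, name: str) -> str:
    """Append an algorithm a site explicitly re-enabled (the ssh-rsa case
    described in 1.69); a no-op if it is already listed."""
    return proposal if name in proposal.split(",") else proposal + "," + name


# Constructed client proposal in the order the log describes: curve25519
# first, the post-quantum hybrid next (1.70), prime-group DH last.
CLIENT = {
    "kex": "curve25519-sha256,sntrup761x25519-sha512@openssh.com,"
           "diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256",
    "cipher": "chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com",
    "mac": "umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256",
    "hostkey": "ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256",
}

# Constructed legacy server of the kind 1.52 warns about: SHA-1 kex, CBC
# ciphers, MD5/SHA-1 MACs and an ssh-rsa host key.
LEGACY_SERVER = {
    "kex": "diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1",
    "cipher": "3des-cbc,aes128-cbc",
    "mac": "hmac-sha1,hmac-md5",
    "hostkey": "ssh-rsa",
}


def reorder_effect() -> tuple:
    """Revision 1.44 swapped two client kex entries. Against an unchanged
    server that alone changes the negotiated method."""
    server = "diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1"
    before = "diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1"
    after = "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1"
    return negotiate(before, server), negotiate(after, server)


if __name__ == "__main__":
    # With the trimmed defaults no field overlaps: the legacy server is refused.
    print("defaults vs legacy server:", negotiate_all(CLIENT, LEGACY_SERVER))
    # Re-enabling ssh-rsa makes the host key negotiable, and the audit flags it.
    relaxed = dict(CLIENT, hostkey=reenable(CLIENT["hostkey"], "ssh-rsa"))
    print("after re-enabling ssh-rsa:", audit(negotiate_all(relaxed, LEGACY_SERVER)))
    print("1.44 reorder, before/after:", reorder_effect())
```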
#
1.70 |
|
10-Nov-2021 |
djm |
add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones).
ok markus@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.69 |
|
29-Aug-2021 |
djm |
After years of forewarning, disable the RSA/SHA-1 signature algorithm by default. It is feasible to create colliding SHA1 hashes, so we need to deprecate its use.
RSA/SHA-256/512 remains available and will be transparently selected instead of RSA/SHA1 for most SSH servers released in the last five+ years. There is no need to regenerate RSA keys.
The use of RSA/SHA1 can be re-enabled by adding "ssh-rsa" to the PubkeyAcceptedAlgorithms directives on the client and server.
ok dtucker deraadt
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.68 |
|
03-Oct-2020 |
djm |
prefer ed25519 signature algorithm variants to ECDSA; ok markus@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.67 |
|
24-Jan-2020 |
djm |
remove ssh-rsa (SHA1) from the list of allowed CA signature algorithms ok markus
|
#
1.66 |
|
23-Jan-2020 |
dtucker |
Remove unsupported algorithms from list of defaults at run time and remove ifdef and distinct settings for OPENSSL=no case.
This will make things much simpler for -portable where the exact set of algos depends on the configuration of both OpenSSH and the libcrypto it's linked against (if any). ok djm@
|
#
1.65 |
|
22-Jan-2020 |
tedu |
remove diffie-hellman-group14-sha1 from default kex to see what happens. general mostly ok
|
#
1.64 |
|
16-Dec-2019 |
djm |
sort sk-* methods behind their plain key methods cousins for now
|
#
1.63 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.62 |
|
10-Dec-2019 |
djm |
add security key types to list of keys allowed to act as CAs; spotted by Ron Frederick
|
#
1.61 |
|
12-Nov-2019 |
markus |
enable ed25519 support; ok djm
|
#
1.60 |
|
01-Nov-2019 |
djm |
remove duplicate PUBKEY_DEFAULT_PK_ALG on !WITH_OPENSSL path
|
#
1.59 |
|
31-Oct-2019 |
djm |
Separate myproposal.h userauth pubkey types
U2F/FIDO keys are not supported for host authentication, so we need a separate list for user keys.
feedback & ok markus@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.58 |
|
23-Feb-2019 |
djm |
openssh-7.9 accidentally reused the server's algorithm lists in the client for KEX, ciphers and MACs. The ciphers and MACs were identical between the client and server, but the error accidentially disabled the diffie-hellman-group-exchange-sha1 KEX method.
This fixes the client code to use the correct method list, but because nobody complained, it also disables the diffie-hellman-group-exchange-sha1 KEX method.
Reported by nuxi AT vault24.org via bz#2697; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.57 |
|
12-Sep-2018 |
djm |
add SSH_ALLOWED_CA_SIGALGS - the default list of signature algorithms that are allowed for CA signatures. Notably excludes ssh-dsa.
ok markus@
|
#
1.56 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.55 |
|
07-May-2017 |
djm |
Don't offer CBC ciphers by default in the client. ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.54 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.53 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.52 |
|
05-Sep-2016 |
djm |
remove 3des-cbc from the client's default proposal; 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like sweet32 are extended to SSH.
As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the defaults, but it's highly likely that such devices already need explicit configuration for KEX and hostkeys anyway.
ok deraadt, markus, dtucker
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.51 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.50 |
|
09-Feb-2016 |
djm |
turn off more old crypto in the client: hmac-md5, ripemd, truncated HMACs, RC4, blowfish. ok markus@ dtucker@
|
#
1.49 |
|
05-Dec-2015 |
markus |
prefer rsa-sha2-512 over -256 for hostkeys, too; noticed by naddy@
|
#
1.48 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.47 |
|
10-Jul-2015 |
markus |
Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@
|
#
1.46 |
|
03-Jul-2015 |
djm |
turn off 1024 bit diffie-hellman-group1-sha1 key exchange method (already off in server, this turns it off in the client by default too) ok dtucker@
|
#
1.45 |
|
03-Jul-2015 |
djm |
delete support for legacy v00 certificates; "sure" markus@ dtucker@
|
#
1.44 |
|
27-May-2015 |
dtucker |
Reorder client proposal to prefer diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1. ok djm@
|
#
1.43 |
|
21-Apr-2015 |
jsg |
Add back a backslash removed in rev 1.42 so KEX_SERVER_ENCRYPT will include aes again.
ok deraadt@
|
#
1.42 |
|
24-Mar-2015 |
djm |
promote chacha20-poly1305@openssh.com to be the default cipher; ok markus
|
Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.41 |
|
11-Jul-2014 |
tedu |
by popular demand, add back hamc-sha1 to server proposal for better compat with many clients still in use. ok deraadt
|
#
1.40 |
|
30-Apr-2014 |
naddy |
UMAC can use our local fallback implementation of AES when OpenSSL isn't available. Glue code straight from Ted Krovetz's original umac.c. ok markus@
|
#
1.39 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.38 |
|
27-Mar-2014 |
markus |
disable weak proposals in sshd, but keep them in ssh; ok djm@
|
#
1.37 |
|
26-Mar-2014 |
deraadt |
The current sharing of myproposal[] between both client and server code makes the previous diff highly unpallatable. We want to go in that direction for the server, but not for the client. Sigh. Brought up by naddy.
|
#
1.36 |
|
25-Mar-2014 |
markus |
trimm default proposals.
This commit removes the weaker pre-SHA2 hashes, the broken ciphers (arcfour), and the broken modes (CBC) from the default configuration (the patch only changes the default, all the modes are still available for the config files).
ok djm@, reminded by tedu@ & naddy@ and discussed with many
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.35 |
|
06-Dec-2013 |
markus |
support ed25519 keys (hostkeys and user identities) using the public domain ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html feedback, help & ok djm@
|
#
1.34 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.33 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.32 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.31 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.30 |
|
04-Oct-2012 |
markus |
add umac128 variant; ok djm@ at n2k12
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.29 |
|
28-Jun-2012 |
dtucker |
Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed from draft6 of the spec and will not be in the RFC when published. Patch from mdb at juniper net via bz#2023, ok markus.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.28 |
|
02-Aug-2011 |
djm |
Add new SHA256 and SHA512 based HMAC modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
feedback and ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.27 |
|
01-Sep-2010 |
djm |
prefer ECDH in a 256 bit curve field; prompted by naddy@
|
#
1.26 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.25 |
|
16-Apr-2010 |
djm |
revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the following changes:
move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash
Rename "constraints" field to "critical options"
Add a new non-critical "extensions" field
Add a serial number
The older format is still support for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)
ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.24 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.23 |
|
23-Jan-2009 |
djm |
prefer CTR modes and revised arcfour (i.e w/ discard) modes to CBC modes; ok markus@
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.22 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
|
#
1.21 |
|
25-Mar-2006 |
djm |
standardise spacing in $OpenBSD$ tags; requested by deraadt@
|
#
1.20 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.19 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.18 |
|
25-Jul-2005 |
markus |
branches: 1.18.2; 1.18.4;
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
This breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.17 |
|
23-May-2005 |
djm |
add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes; ok markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.16 |
|
13-Jun-2004 |
djm |
branches: 1.16.2; 1.16.4;
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.15 |
|
17-May-2003 |
markus |
branches: 1.15.2; 1.15.4;
experimental support for aes-ctr modes from http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt; ok djm@
|
Revision tags: OPENBSD_3_1_BASE OPENBSD_3_2_BASE OPENBSD_3_3_BASE
|
#
1.14 |
|
03-Apr-2002 |
markus |
branches: 1.14.4; 1.14.6;
re-add rijndael-cbc@lysator.liu.se for MacSSH; ash@lab.poc.net
|
#
1.13 |
|
21-Jan-2002 |
markus |
remove "rijndael-*", just use "aes-" since this is how rijndael is called in the drafts; ok stevesk@
|
Revision tags: OPENBSD_2_9_BASE OPENBSD_3_0_BASE
|
#
1.12 |
|
05-Mar-2001 |
deraadt |
branches: 1.12.2; 1.12.4;
switch to aes128-cbc/hmac-md5 by default in SSH2 -- faster; provos & markus ok
|
#
1.11 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.10 |
|
29-Jan-2001 |
niklas |
$OpenBSD$
|
#
1.9 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. Please test.
There are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
You can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. You can use multiple IdentityFile and HostKey for all types of keys.
The option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.8 |
|
13-Oct-2000 |
markus |
branches: 1.8.2;
prefer no compression
|
#
1.7 |
|
13-Oct-2000 |
markus |
rijndael/aes support
|
#
1.6 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.5 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.4 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.3 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.2 |
|
08-May-2000 |
markus |
branches: 1.2.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)
|
#
1.1 |
|
04-Apr-2000 |
markus |
ssh2 client implementation, interops w/ ssh.com and lsh servers.
|
#
1.69 |
|
29-Aug-2021 |
djm |
After years of forewarning, disable the RSA/SHA-1 signature algorithm by default. It is feasible to create colliding SHA1 hashes, so we need to deprecate its use.
RSA/SHA-256/512 remains available and will be transparently selected instead of RSA/SHA1 for most SSH servers released in the last five+ years. There is no need to regenerate RSA keys.
The use of RSA/SHA1 can be re-enabled by adding "ssh-rsa" to the PubkeyAcceptedAlgorithms directives on the client and server.
ok dtucker deraadt
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.68 |
|
03-Oct-2020 |
djm |
prefer ed25519 signature algorithm variants to ECDSA; ok markus@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.67 |
|
24-Jan-2020 |
djm |
remove ssh-rsa (SHA1) from the list of allowed CA signature algorithms ok markus
|
#
1.66 |
|
23-Jan-2020 |
dtucker |
Remove unsupported algorithms from list of defaults at run time and remove ifdef and distinct settings for OPENSSL=no case.
This will make things much simpler for -portable where the exact set of algos depends on the configuration of both OpenSSH and the libcrypto it's linked against (if any). ok djm@
|
#
1.65 |
|
22-Jan-2020 |
tedu |
remove diffie-hellman-group14-sha1 from default kex to see what happens. general mostly ok
|
#
1.64 |
|
16-Dec-2019 |
djm |
sort sk-* methods behind their plain key methods cousins for now
|
#
1.63 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.62 |
|
10-Dec-2019 |
djm |
add security key types to list of keys allowed to act as CAs; spotted by Ron Frederick
|
#
1.61 |
|
12-Nov-2019 |
markus |
enable ed25519 support; ok djm
|
#
1.60 |
|
01-Nov-2019 |
djm |
remove duplicate PUBKEY_DEFAULT_PK_ALG on !WITH_OPENSSL path
|
#
1.59 |
|
31-Oct-2019 |
djm |
Separate myproposal.h userauth pubkey types
U2F/FIDO keys are not supported for host authentication, so we need a separate list for user keys.
feedback & ok markus@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.58 |
|
23-Feb-2019 |
djm |
openssh-7.9 accidentally reused the server's algorithm lists in the client for KEX, ciphers and MACs. The ciphers and MACs were identical between the client and server, but the error accidentially disabled the diffie-hellman-group-exchange-sha1 KEX method.
This fixes the client code to use the correct method list, but because nobody complained, it also disables the diffie-hellman-group-exchange-sha1 KEX method.
Reported by nuxi AT vault24.org via bz#2697; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.57 |
|
12-Sep-2018 |
djm |
add SSH_ALLOWED_CA_SIGALGS - the default list of signature algorithms that are allowed for CA signatures. Notably excludes ssh-dsa.
ok markus@
|
#
1.56 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.55 |
|
07-May-2017 |
djm |
Don't offer CBC ciphers by default in the client. ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.54 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.53 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.52 |
|
05-Sep-2016 |
djm |
remove 3des-cbc from the client's default proposal; 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like sweet32 are extended to SSH.
As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the defaults, but it's highly likely that such devices already need explicit configuration for KEX and hostkeys anyway.
ok deraadt, markus, dtucker
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.51 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.50 |
|
09-Feb-2016 |
djm |
turn off more old crypto in the client: hmac-md5, ripemd, truncated HMACs, RC4, blowfish. ok markus@ dtucker@
|
#
1.49 |
|
05-Dec-2015 |
markus |
prefer rsa-sha2-512 over -256 for hostkeys, too; noticed by naddy@
|
#
1.48 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.47 |
|
10-Jul-2015 |
markus |
Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@
|
#
1.46 |
|
03-Jul-2015 |
djm |
turn off 1024 bit diffie-hellman-group1-sha1 key exchange method (already off in server, this turns it off in the client by default too) ok dtucker@
|
#
1.45 |
|
03-Jul-2015 |
djm |
delete support for legacy v00 certificates; "sure" markus@ dtucker@
|
#
1.44 |
|
27-May-2015 |
dtucker |
Reorder client proposal to prefer diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1. ok djm@
|
#
1.43 |
|
21-Apr-2015 |
jsg |
Add back a backslash removed in rev 1.42 so KEX_SERVER_ENCRYPT will include aes again.
ok deraadt@
|
#
1.42 |
|
24-Mar-2015 |
djm |
promote chacha20-poly1305@openssh.com to be the default cipher; ok markus
|
Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.41 |
|
11-Jul-2014 |
tedu |
by popular demand, add back hamc-sha1 to server proposal for better compat with many clients still in use. ok deraadt
|
#
1.40 |
|
30-Apr-2014 |
naddy |
UMAC can use our local fallback implementation of AES when OpenSSL isn't available. Glue code straight from Ted Krovetz's original umac.c. ok markus@
|
#
1.39 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.38 |
|
27-Mar-2014 |
markus |
disable weak proposals in sshd, but keep them in ssh; ok djm@
|
#
1.37 |
|
26-Mar-2014 |
deraadt |
The current sharing of myproposal[] between both client and server code makes the previous diff highly unpallatable. We want to go in that direction for the server, but not for the client. Sigh. Brought up by naddy.
|
#
1.36 |
|
25-Mar-2014 |
markus |
trimm default proposals.
This commit removes the weaker pre-SHA2 hashes, the broken ciphers (arcfour), and the broken modes (CBC) from the default configuration (the patch only changes the default, all the modes are still available for the config files).
ok djm@, reminded by tedu@ & naddy@ and discussed with many
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.35 |
|
06-Dec-2013 |
markus |
support ed25519 keys (hostkeys and user identities) using the public domain ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html feedback, help & ok djm@
|
#
1.34 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.33 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.32 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.31 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.30 |
|
04-Oct-2012 |
markus |
add umac128 variant; ok djm@ at n2k12
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.29 |
|
28-Jun-2012 |
dtucker |
Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed from draft6 of the spec and will not be in the RFC when published. Patch from mdb at juniper net via bz#2023, ok markus.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.28 |
|
02-Aug-2011 |
djm |
Add new SHA256 and SHA512 based HMAC modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
feedback and ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.27 |
|
01-Sep-2010 |
djm |
prefer ECDH in a 256 bit curve field; prompted by naddy@
|
#
1.26 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.25 |
|
16-Apr-2010 |
djm |
revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the following changes:
move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash
Rename "constraints" field to "critical options"
Add a new non-critical "extensions" field
Add a serial number
The older format is still support for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)
ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.24 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.23 |
|
23-Jan-2009 |
djm |
prefer CTR modes and revised arcfour (i.e w/ discard) modes to CBC modes; ok markus@
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.22 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
|
#
1.21 |
|
25-Mar-2006 |
djm |
standardise spacing in $OpenBSD$ tags; requested by deraadt@
|
#
1.20 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.19 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.18 |
|
25-Jul-2005 |
markus |
branches: 1.18.2; 1.18.4; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.17 |
|
23-May-2005 |
djm |
add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes; ok markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.16 |
|
13-Jun-2004 |
djm |
branches: 1.16.2; 1.16.4; implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.15 |
|
17-May-2003 |
markus |
branches: 1.15.2; 1.15.4; experimental support for aes-ctr modes from http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt ok djm@
|
Revision tags: OPENBSD_3_1_BASE OPENBSD_3_2_BASE OPENBSD_3_3_BASE
|
#
1.14 |
|
03-Apr-2002 |
markus |
branches: 1.14.4; 1.14.6; re-add rijndael-cbc@lysator.liu.se for MacSSH; ash@lab.poc.net
|
#
1.13 |
|
21-Jan-2002 |
markus |
remove "rijndael-*", just use "aes-" since this how rijndael is called in the drafts; ok stevesk@
|
Revision tags: OPENBSD_2_9_BASE OPENBSD_3_0_BASE
|
#
1.12 |
|
05-Mar-2001 |
deraadt |
branches: 1.12.2; 1.12.4; switch to aes128-cbc/hmac-md5 by default in SSH2 -- faster; provos & markus ok
|
#
1.11 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.10 |
|
29-Jan-2001 |
niklas |
$OpenBSD$
|
#
1.9 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.8 |
|
13-Oct-2000 |
markus |
branches: 1.8.2; prefer no compression
|
#
1.7 |
|
13-Oct-2000 |
markus |
rijndael/aes support
|
#
1.6 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.5 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.4 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.3 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.2 |
|
08-May-2000 |
markus |
branches: 1.2.2; complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)
|
#
1.1 |
|
04-Apr-2000 |
markus |
ssh2 client implementation, interops w/ ssh.com and lsh servers.
|
#
1.68 |
|
03-Oct-2020 |
djm |
prefer ed25519 signature algorithm variants to ECDSA; ok markus@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.67 |
|
24-Jan-2020 |
djm |
remove ssh-rsa (SHA1) from the list of allowed CA signature algorithms ok markus
|
#
1.66 |
|
23-Jan-2020 |
dtucker |
Remove unsupported algorithms from list of defaults at run time and remove ifdef and distinct settings for OPENSSL=no case.
This will make things much simpler for -portable where the exact set of algos depends on the configuration of both OpenSSH and the libcrypto it's linked against (if any). ok djm@
|
#
1.65 |
|
22-Jan-2020 |
tedu |
remove diffie-hellman-group14-sha1 from default kex to see what happens. general mostly ok
|
#
1.64 |
|
16-Dec-2019 |
djm |
sort sk-* methods behind their plain key methods cousins for now
|
#
1.63 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.62 |
|
10-Dec-2019 |
djm |
add security key types to list of keys allowed to act as CAs; spotted by Ron Frederick
|
#
1.61 |
|
12-Nov-2019 |
markus |
enable ed25519 support; ok djm
|
#
1.60 |
|
01-Nov-2019 |
djm |
remove duplicate PUBKEY_DEFAULT_PK_ALG on !WITH_OPENSSL path
|
#
1.59 |
|
31-Oct-2019 |
djm |
Separate myproposal.h userauth pubkey types
U2F/FIDO keys are not supported for host authentication, so we need a separate list for user keys.
feedback & ok markus@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.58 |
|
23-Feb-2019 |
djm |
openssh-7.9 accidentally reused the server's algorithm lists in the client for KEX, ciphers and MACs. The ciphers and MACs were identical between the client and server, but the error accidentially disabled the diffie-hellman-group-exchange-sha1 KEX method.
This fixes the client code to use the correct method list, but because nobody complained, it also disables the diffie-hellman-group-exchange-sha1 KEX method.
Reported by nuxi AT vault24.org via bz#2697; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.57 |
|
12-Sep-2018 |
djm |
add SSH_ALLOWED_CA_SIGALGS - the default list of signature algorithms that are allowed for CA signatures. Notably excludes ssh-dsa.
ok markus@
|
#
1.56 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.55 |
|
07-May-2017 |
djm |
Don't offer CBC ciphers by default in the client. ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.54 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.53 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.52 |
|
05-Sep-2016 |
djm |
remove 3des-cbc from the client's default proposal; 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like sweet32 are extended to SSH.
As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the defaults, but it's highly likely that such devices already need explicit configuration for KEX and hostkeys anyway.
ok deraadt, markus, dtucker
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.51 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.50 |
|
09-Feb-2016 |
djm |
turn off more old crypto in the client: hmac-md5, ripemd, truncated HMACs, RC4, blowfish. ok markus@ dtucker@
|
#
1.49 |
|
05-Dec-2015 |
markus |
prefer rsa-sha2-512 over -256 for hostkeys, too; noticed by naddy@
|
#
1.48 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.47 |
|
10-Jul-2015 |
markus |
Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@
|
#
1.46 |
|
03-Jul-2015 |
djm |
turn off 1024 bit diffie-hellman-group1-sha1 key exchange method (already off in server, this turns it off in the client by default too) ok dtucker@
|
#
1.45 |
|
03-Jul-2015 |
djm |
delete support for legacy v00 certificates; "sure" markus@ dtucker@
|
#
1.44 |
|
27-May-2015 |
dtucker |
Reorder client proposal to prefer diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1. ok djm@
|
#
1.43 |
|
21-Apr-2015 |
jsg |
Add back a backslash removed in rev 1.42 so KEX_SERVER_ENCRYPT will include aes again.
ok deraadt@
|
#
1.42 |
|
24-Mar-2015 |
djm |
promote chacha20-poly1305@openssh.com to be the default cipher; ok markus
|
Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.41 |
|
11-Jul-2014 |
tedu |
by popular demand, add back hamc-sha1 to server proposal for better compat with many clients still in use. ok deraadt
|
#
1.40 |
|
30-Apr-2014 |
naddy |
UMAC can use our local fallback implementation of AES when OpenSSL isn't available. Glue code straight from Ted Krovetz's original umac.c. ok markus@
|
#
1.39 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.38 |
|
27-Mar-2014 |
markus |
disable weak proposals in sshd, but keep them in ssh; ok djm@
|
#
1.37 |
|
26-Mar-2014 |
deraadt |
The current sharing of myproposal[] between both client and server code makes the previous diff highly unpallatable. We want to go in that direction for the server, but not for the client. Sigh. Brought up by naddy.
|
#
1.36 |
|
25-Mar-2014 |
markus |
trimm default proposals.
This commit removes the weaker pre-SHA2 hashes, the broken ciphers (arcfour), and the broken modes (CBC) from the default configuration (the patch only changes the default, all the modes are still available for the config files).
ok djm@, reminded by tedu@ & naddy@ and discussed with many
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.35 |
|
06-Dec-2013 |
markus |
support ed25519 keys (hostkeys and user identities) using the public domain ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html feedback, help & ok djm@
|
#
1.34 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.33 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.32 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.31 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.30 |
|
04-Oct-2012 |
markus |
add umac128 variant; ok djm@ at n2k12
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.29 |
|
28-Jun-2012 |
dtucker |
Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed from draft6 of the spec and will not be in the RFC when published. Patch from mdb at juniper net via bz#2023, ok markus.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.28 |
|
02-Aug-2011 |
djm |
Add new SHA256 and SHA512 based HMAC modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
feedback and ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.27 |
|
01-Sep-2010 |
djm |
prefer ECDH in a 256 bit curve field; prompted by naddy@
|
#
1.26 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.25 |
|
16-Apr-2010 |
djm |
revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the following changes:
move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash
Rename "constraints" field to "critical options"
Add a new non-critical "extensions" field
Add a serial number
The older format is still supported for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)
ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.24 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.23 |
|
23-Jan-2009 |
djm |
prefer CTR modes and revised arcfour (i.e w/ discard) modes to CBC modes; ok markus@
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.22 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
|
#
1.21 |
|
25-Mar-2006 |
djm |
standardise spacing in $OpenBSD$ tags; requested by deraadt@
|
#
1.20 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.19 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.18 |
|
25-Jul-2005 |
markus |
branches: 1.18.2; 1.18.4; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.17 |
|
23-May-2005 |
djm |
add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes; ok markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.16 |
|
13-Jun-2004 |
djm |
branches: 1.16.2; 1.16.4; implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.15 |
|
17-May-2003 |
markus |
branches: 1.15.2; 1.15.4; experimental support for aes-ctr modes from http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt ok djm@
|
Revision tags: OPENBSD_3_1_BASE OPENBSD_3_2_BASE OPENBSD_3_3_BASE
|
#
1.14 |
|
03-Apr-2002 |
markus |
branches: 1.14.4; 1.14.6; re-add rijndael-cbc@lysator.liu.se for MacSSH; ash@lab.poc.net
|
#
1.13 |
|
21-Jan-2002 |
markus |
remove "rijndael-*", just use "aes-" since this how rijndael is called in the drafts; ok stevesk@
|
Revision tags: OPENBSD_2_9_BASE OPENBSD_3_0_BASE
|
#
1.12 |
|
05-Mar-2001 |
deraadt |
branches: 1.12.2; 1.12.4; switch to aes128-cbc/hmac-md5 by default in SSH2 -- faster; provos & markus ok
|
#
1.11 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.10 |
|
29-Jan-2001 |
niklas |
$OpenBSD$
|
#
1.9 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.8 |
|
13-Oct-2000 |
markus |
branches: 1.8.2; prefer no compression
|
#
1.7 |
|
13-Oct-2000 |
markus |
rijndael/aes support
|
#
1.6 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.5 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.4 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.3 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.2 |
|
08-May-2000 |
markus |
branches: 1.2.2; complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)
|
#
1.1 |
|
04-Apr-2000 |
markus |
ssh2 client implementation, interops w/ ssh.com and lsh servers.
|
#
1.67 |
|
24-Jan-2020 |
djm |
remove ssh-rsa (SHA1) from the list of allowed CA signature algorithms ok markus
|
#
1.66 |
|
23-Jan-2020 |
dtucker |
Remove unsupported algorithms from list of defaults at run time and remove ifdef and distinct settings for OPENSSL=no case.
This will make things much simpler for -portable where the exact set of algos depends on the configuration of both OpenSSH and the libcrypto it's linked against (if any). ok djm@
|
#
1.65 |
|
22-Jan-2020 |
tedu |
remove diffie-hellman-group14-sha1 from default kex to see what happens. general mostly ok
|
#
1.64 |
|
16-Dec-2019 |
djm |
sort sk-* methods behind their plain key methods cousins for now
|
#
1.63 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.62 |
|
10-Dec-2019 |
djm |
add security key types to list of keys allowed to act as CAs; spotted by Ron Frederick
|
#
1.61 |
|
12-Nov-2019 |
markus |
enable ed25519 support; ok djm
|
#
1.60 |
|
01-Nov-2019 |
djm |
remove duplicate PUBKEY_DEFAULT_PK_ALG on !WITH_OPENSSL path
|
#
1.59 |
|
31-Oct-2019 |
djm |
Separate myproposal.h userauth pubkey types
U2F/FIDO keys are not supported for host authentication, so we need a separate list for user keys.
feedback & ok markus@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.58 |
|
23-Feb-2019 |
djm |
openssh-7.9 accidentally reused the server's algorithm lists in the client for KEX, ciphers and MACs. The ciphers and MACs were identical between the client and server, but the error accidentially disabled the diffie-hellman-group-exchange-sha1 KEX method.
This fixes the client code to use the correct method list, but because nobody complained, it also disables the diffie-hellman-group-exchange-sha1 KEX method.
Reported by nuxi AT vault24.org via bz#2697; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.57 |
|
12-Sep-2018 |
djm |
add SSH_ALLOWED_CA_SIGALGS - the default list of signature algorithms that are allowed for CA signatures. Notably excludes ssh-dsa.
ok markus@
|
#
1.56 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.55 |
|
07-May-2017 |
djm |
Don't offer CBC ciphers by default in the client. ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.54 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.53 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.52 |
|
05-Sep-2016 |
djm |
remove 3des-cbc from the client's default proposal; 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like sweet32 are extended to SSH.
As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the defaults, but it's highly likely that such devices already need explicit configuration for KEX and hostkeys anyway.
ok deraadt, markus, dtucker
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.51 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.50 |
|
09-Feb-2016 |
djm |
turn off more old crypto in the client: hmac-md5, ripemd, truncated HMACs, RC4, blowfish. ok markus@ dtucker@
|
#
1.49 |
|
05-Dec-2015 |
markus |
prefer rsa-sha2-512 over -256 for hostkeys, too; noticed by naddy@
|
#
1.48 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.47 |
|
10-Jul-2015 |
markus |
Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@
|
#
1.46 |
|
03-Jul-2015 |
djm |
turn off 1024 bit diffie-hellman-group1-sha1 key exchange method (already off in server, this turns it off in the client by default too) ok dtucker@
|
#
1.45 |
|
03-Jul-2015 |
djm |
delete support for legacy v00 certificates; "sure" markus@ dtucker@
|
#
1.44 |
|
27-May-2015 |
dtucker |
Reorder client proposal to prefer diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1. ok djm@
|
#
1.43 |
|
21-Apr-2015 |
jsg |
Add back a backslash removed in rev 1.42 so KEX_SERVER_ENCRYPT will include aes again.
ok deraadt@
|
#
1.42 |
|
24-Mar-2015 |
djm |
promote chacha20-poly1305@openssh.com to be the default cipher; ok markus
|
Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.41 |
|
11-Jul-2014 |
tedu |
by popular demand, add back hamc-sha1 to server proposal for better compat with many clients still in use. ok deraadt
|
#
1.40 |
|
30-Apr-2014 |
naddy |
UMAC can use our local fallback implementation of AES when OpenSSL isn't available. Glue code straight from Ted Krovetz's original umac.c. ok markus@
|
#
1.39 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.38 |
|
27-Mar-2014 |
markus |
disable weak proposals in sshd, but keep them in ssh; ok djm@
|
#
1.37 |
|
26-Mar-2014 |
deraadt |
The current sharing of myproposal[] between both client and server code makes the previous diff highly unpallatable. We want to go in that direction for the server, but not for the client. Sigh. Brought up by naddy.
|
#
1.36 |
|
25-Mar-2014 |
markus |
trimm default proposals.
This commit removes the weaker pre-SHA2 hashes, the broken ciphers (arcfour), and the broken modes (CBC) from the default configuration (the patch only changes the default, all the modes are still available for the config files).
ok djm@, reminded by tedu@ & naddy@ and discussed with many
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.35 |
|
06-Dec-2013 |
markus |
support ed25519 keys (hostkeys and user identities) using the public domain ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html feedback, help & ok djm@
|
#
1.34 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.33 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.32 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.31 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.30 |
|
04-Oct-2012 |
markus |
add umac128 variant; ok djm@ at n2k12
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.29 |
|
28-Jun-2012 |
dtucker |
Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed from draft6 of the spec and will not be in the RFC when published. Patch from mdb at juniper net via bz#2023, ok markus.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.28 |
|
02-Aug-2011 |
djm |
Add new SHA256 and SHA512 based HMAC modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
feedback and ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.27 |
|
01-Sep-2010 |
djm |
prefer ECDH in a 256 bit curve field; prompted by naddy@
|
#
1.26 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.25 |
|
16-Apr-2010 |
djm |
revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the following changes:
move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash
Rename "constraints" field to "critical options"
Add a new non-critical "extensions" field
Add a serial number
The older format is still support for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)
ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.24 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.23 |
|
23-Jan-2009 |
djm |
prefer CTR modes and revised arcfour (i.e w/ discard) modes to CBC modes; ok markus@
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.22 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
|
#
1.21 |
|
25-Mar-2006 |
djm |
standardise spacing in $OpenBSD$ tags; requested by deraadt@
|
#
1.20 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.19 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.18 |
|
25-Jul-2005 |
markus |
branches: 1.18.2; 1.18.4; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.17 |
|
23-May-2005 |
djm |
add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes; ok markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.16 |
|
13-Jun-2004 |
djm |
branches: 1.16.2; 1.16.4; implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.15 |
|
17-May-2003 |
markus |
branches: 1.15.2; 1.15.4; experimental support for aes-ctr modes from http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt ok djm@
|
Revision tags: OPENBSD_3_1_BASE OPENBSD_3_2_BASE OPENBSD_3_3_BASE
|
#
1.14 |
|
03-Apr-2002 |
markus |
branches: 1.14.4; 1.14.6; re-add rijndael-cbc@lysator.liu.se for MacSSH; ash@lab.poc.net
|
#
1.13 |
|
21-Jan-2002 |
markus |
remove "rijndael-*", just use "aes-" since this how rijndael is called in the drafts; ok stevesk@
|
Revision tags: OPENBSD_2_9_BASE OPENBSD_3_0_BASE
|
#
1.12 |
|
05-Mar-2001 |
deraadt |
branches: 1.12.2; 1.12.4; switch to aes128-cbc/hmac-md5 by default in SSH2 -- faster; provos & markus ok
|
#
1.11 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.10 |
|
29-Jan-2001 |
niklas |
$OpenBSD$
|
#
1.9 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.8 |
|
13-Oct-2000 |
markus |
branches: 1.8.2; prefer no compression
|
#
1.7 |
|
13-Oct-2000 |
markus |
rijndael/aes support
|
#
1.6 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.5 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.4 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.3 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.2 |
|
08-May-2000 |
markus |
branches: 1.2.2; complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)
|
#
1.1 |
|
04-Apr-2000 |
markus |
ssh2 client implementation, interops w/ ssh.com and lsh servers.
|
#
1.66 |
|
23-Jan-2020 |
dtucker |
Remove unsupported algorithms from list of defaults at run time and remove ifdef and distinct settings for OPENSSL=no case.
This will make things much simpler for -portable where the exact set of algos depends on the configuration of both OpenSSH and the libcrypto it's linked against (if any). ok djm@
|
#
1.65 |
|
22-Jan-2020 |
tedu |
remove diffie-hellman-group14-sha1 from default kex to see what happens. general mostly ok
|
#
1.64 |
|
16-Dec-2019 |
djm |
sort sk-* methods behind their plain key methods cousins for now
|
#
1.63 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.62 |
|
10-Dec-2019 |
djm |
add security key types to list of keys allowed to act as CAs; spotted by Ron Frederick
|
#
1.61 |
|
12-Nov-2019 |
markus |
enable ed25519 support; ok djm
|
#
1.60 |
|
01-Nov-2019 |
djm |
remove duplicate PUBKEY_DEFAULT_PK_ALG on !WITH_OPENSSL path
|
#
1.59 |
|
31-Oct-2019 |
djm |
Separate myproposal.h userauth pubkey types
U2F/FIDO keys are not supported for host authentication, so we need a separate list for user keys.
feedback & ok markus@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.58 |
|
23-Feb-2019 |
djm |
openssh-7.9 accidentally reused the server's algorithm lists in the client for KEX, ciphers and MACs. The ciphers and MACs were identical between the client and server, but the error accidentially disabled the diffie-hellman-group-exchange-sha1 KEX method.
This fixes the client code to use the correct method list, but because nobody complained, it also disables the diffie-hellman-group-exchange-sha1 KEX method.
Reported by nuxi AT vault24.org via bz#2697; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.57 |
|
12-Sep-2018 |
djm |
add SSH_ALLOWED_CA_SIGALGS - the default list of signature algorithms that are allowed for CA signatures. Notably excludes ssh-dsa.
ok markus@
|
#
1.56 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.55 |
|
07-May-2017 |
djm |
Don't offer CBC ciphers by default in the client. ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.54 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.53 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.52 |
|
05-Sep-2016 |
djm |
remove 3des-cbc from the client's default proposal; 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like sweet32 are extended to SSH.
As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the defaults, but it's highly likely that such devices already need explicit configuration for KEX and hostkeys anyway.
ok deraadt, markus, dtucker
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.51 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.50 |
|
09-Feb-2016 |
djm |
turn off more old crypto in the client: hmac-md5, ripemd, truncated HMACs, RC4, blowfish. ok markus@ dtucker@
|
#
1.49 |
|
05-Dec-2015 |
markus |
prefer rsa-sha2-512 over -256 for hostkeys, too; noticed by naddy@
|
#
1.48 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.47 |
|
10-Jul-2015 |
markus |
Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@
|
#
1.46 |
|
03-Jul-2015 |
djm |
turn off 1024 bit diffie-hellman-group1-sha1 key exchange method (already off in server, this turns it off in the client by default too) ok dtucker@
|
#
1.45 |
|
03-Jul-2015 |
djm |
delete support for legacy v00 certificates; "sure" markus@ dtucker@
|
#
1.44 |
|
27-May-2015 |
dtucker |
Reorder client proposal to prefer diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1. ok djm@
|
#
1.43 |
|
21-Apr-2015 |
jsg |
Add back a backslash removed in rev 1.42 so KEX_SERVER_ENCRYPT will include aes again.
ok deraadt@
|
#
1.42 |
|
24-Mar-2015 |
djm |
promote chacha20-poly1305@openssh.com to be the default cipher; ok markus
|
Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.41 |
|
11-Jul-2014 |
tedu |
by popular demand, add back hamc-sha1 to server proposal for better compat with many clients still in use. ok deraadt
|
#
1.40 |
|
30-Apr-2014 |
naddy |
UMAC can use our local fallback implementation of AES when OpenSSL isn't available. Glue code straight from Ted Krovetz's original umac.c. ok markus@
|
#
1.39 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.38 |
|
27-Mar-2014 |
markus |
disable weak proposals in sshd, but keep them in ssh; ok djm@
|
#
1.37 |
|
26-Mar-2014 |
deraadt |
The current sharing of myproposal[] between both client and server code makes the previous diff highly unpallatable. We want to go in that direction for the server, but not for the client. Sigh. Brought up by naddy.
|
#
1.36 |
|
25-Mar-2014 |
markus |
trimm default proposals.
This commit removes the weaker pre-SHA2 hashes, the broken ciphers (arcfour), and the broken modes (CBC) from the default configuration (the patch only changes the default, all the modes are still available for the config files).
ok djm@, reminded by tedu@ & naddy@ and discussed with many
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.35 |
|
06-Dec-2013 |
markus |
support ed25519 keys (hostkeys and user identities) using the public domain ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html feedback, help & ok djm@
|
#
1.34 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.33 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.32 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.31 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.30 |
|
04-Oct-2012 |
markus |
add umac128 variant; ok djm@ at n2k12
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.29 |
|
28-Jun-2012 |
dtucker |
Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed from draft6 of the spec and will not be in the RFC when published. Patch from mdb at juniper net via bz#2023, ok markus.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.28 |
|
02-Aug-2011 |
djm |
Add new SHA256 and SHA512 based HMAC modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
feedback and ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.27 |
|
01-Sep-2010 |
djm |
prefer ECDH in a 256 bit curve field; prompted by naddy@
|
#
1.26 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.25 |
|
16-Apr-2010 |
djm |
revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the following changes:
move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash
Rename "constraints" field to "critical options"
Add a new non-critical "extensions" field
Add a serial number
The older format is still supported for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)
ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.24 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.23 |
|
23-Jan-2009 |
djm |
prefer CTR modes and revised arcfour (i.e. w/ discard) modes to CBC modes; ok markus@
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.22 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
|
#
1.21 |
|
25-Mar-2006 |
djm |
standardise spacing in $OpenBSD$ tags; requested by deraadt@
|
#
1.20 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.19 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.18 |
|
25-Jul-2005 |
markus |
branches: 1.18.2; 1.18.4; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.17 |
|
23-May-2005 |
djm |
add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes; ok markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.16 |
|
13-Jun-2004 |
djm |
branches: 1.16.2; 1.16.4; implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.15 |
|
17-May-2003 |
markus |
branches: 1.15.2; 1.15.4; experimental support for aes-ctr modes from http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt ok djm@
|
Revision tags: OPENBSD_3_1_BASE OPENBSD_3_2_BASE OPENBSD_3_3_BASE
|
#
1.14 |
|
03-Apr-2002 |
markus |
branches: 1.14.4; 1.14.6; re-add rijndael-cbc@lysator.liu.se for MacSSH; ash@lab.poc.net
|
#
1.13 |
|
21-Jan-2002 |
markus |
remove "rijndael-*", just use "aes-" since this is how rijndael is called in the drafts; ok stevesk@
|
Revision tags: OPENBSD_2_9_BASE OPENBSD_3_0_BASE
|
#
1.12 |
|
05-Mar-2001 |
deraadt |
branches: 1.12.2; 1.12.4; switch to aes128-cbc/hmac-md5 by default in SSH2 -- faster; provos & markus ok
|
#
1.11 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.10 |
|
29-Jan-2001 |
niklas |
$OpenBSD$
|
#
1.9 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.8 |
|
13-Oct-2000 |
markus |
branches: 1.8.2; prefer no compression
|
#
1.7 |
|
13-Oct-2000 |
markus |
rijndael/aes support
|
#
1.6 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.5 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.4 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.3 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.2 |
|
08-May-2000 |
markus |
branches: 1.2.2; complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)
|
#
1.1 |
|
04-Apr-2000 |
markus |
ssh2 client implementation, interops w/ ssh.com and lsh servers.
|
#
1.65 |
|
22-Jan-2020 |
tedu |
remove diffie-hellman-group14-sha1 from default kex to see what happens. general mostly ok
|
#
1.64 |
|
16-Dec-2019 |
djm |
sort sk-* methods behind their plain key methods cousins for now
|
#
1.63 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.62 |
|
10-Dec-2019 |
djm |
add security key types to list of keys allowed to act as CAs; spotted by Ron Frederick
|
#
1.61 |
|
12-Nov-2019 |
markus |
enable ed25519 support; ok djm
|
#
1.60 |
|
01-Nov-2019 |
djm |
remove duplicate PUBKEY_DEFAULT_PK_ALG on !WITH_OPENSSL path
|
#
1.59 |
|
31-Oct-2019 |
djm |
Separate myproposal.h userauth pubkey types
U2F/FIDO keys are not supported for host authentication, so we need a separate list for user keys.
feedback & ok markus@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.58 |
|
23-Feb-2019 |
djm |
openssh-7.9 accidentally reused the server's algorithm lists in the client for KEX, ciphers and MACs. The ciphers and MACs were identical between the client and server, but the error accidentially disabled the diffie-hellman-group-exchange-sha1 KEX method.
This fixes the client code to use the correct method list, but because nobody complained, it also disables the diffie-hellman-group-exchange-sha1 KEX method.
Reported by nuxi AT vault24.org via bz#2697; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.57 |
|
12-Sep-2018 |
djm |
add SSH_ALLOWED_CA_SIGALGS - the default list of signature algorithms that are allowed for CA signatures. Notably excludes ssh-dsa.
ok markus@
|
#
1.56 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.55 |
|
07-May-2017 |
djm |
Don't offer CBC ciphers by default in the client. ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.54 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.53 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.52 |
|
05-Sep-2016 |
djm |
remove 3des-cbc from the client's default proposal; 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like sweet32 are extended to SSH.
As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the defaults, but it's highly likely that such devices already need explicit configuration for KEX and hostkeys anyway.
ok deraadt, markus, dtucker
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.51 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.50 |
|
09-Feb-2016 |
djm |
turn off more old crypto in the client: hmac-md5, ripemd, truncated HMACs, RC4, blowfish. ok markus@ dtucker@
|
#
1.49 |
|
05-Dec-2015 |
markus |
prefer rsa-sha2-512 over -256 for hostkeys, too; noticed by naddy@
|
#
1.48 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.47 |
|
10-Jul-2015 |
markus |
Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@
|
#
1.46 |
|
03-Jul-2015 |
djm |
turn off 1024 bit diffie-hellman-group1-sha1 key exchange method (already off in server, this turns it off in the client by default too) ok dtucker@
|
#
1.45 |
|
03-Jul-2015 |
djm |
delete support for legacy v00 certificates; "sure" markus@ dtucker@
|
#
1.44 |
|
27-May-2015 |
dtucker |
Reorder client proposal to prefer diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1. ok djm@
|
#
1.43 |
|
21-Apr-2015 |
jsg |
Add back a backslash removed in rev 1.42 so KEX_SERVER_ENCRYPT will include aes again.
ok deraadt@
|
#
1.42 |
|
24-Mar-2015 |
djm |
promote chacha20-poly1305@openssh.com to be the default cipher; ok markus
|
Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.41 |
|
11-Jul-2014 |
tedu |
by popular demand, add back hamc-sha1 to server proposal for better compat with many clients still in use. ok deraadt
|
#
1.40 |
|
30-Apr-2014 |
naddy |
UMAC can use our local fallback implementation of AES when OpenSSL isn't available. Glue code straight from Ted Krovetz's original umac.c. ok markus@
|
#
1.39 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.38 |
|
27-Mar-2014 |
markus |
disable weak proposals in sshd, but keep them in ssh; ok djm@
|
#
1.37 |
|
26-Mar-2014 |
deraadt |
The current sharing of myproposal[] between both client and server code makes the previous diff highly unpallatable. We want to go in that direction for the server, but not for the client. Sigh. Brought up by naddy.
|
#
1.36 |
|
25-Mar-2014 |
markus |
trimm default proposals.
This commit removes the weaker pre-SHA2 hashes, the broken ciphers (arcfour), and the broken modes (CBC) from the default configuration (the patch only changes the default, all the modes are still available for the config files).
ok djm@, reminded by tedu@ & naddy@ and discussed with many
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.35 |
|
06-Dec-2013 |
markus |
support ed25519 keys (hostkeys and user identities) using the public domain ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html feedback, help & ok djm@
|
#
1.34 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.33 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.32 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.31 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.30 |
|
04-Oct-2012 |
markus |
add umac128 variant; ok djm@ at n2k12
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.29 |
|
28-Jun-2012 |
dtucker |
Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed from draft6 of the spec and will not be in the RFC when published. Patch from mdb at juniper net via bz#2023, ok markus.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.28 |
|
02-Aug-2011 |
djm |
Add new SHA256 and SHA512 based HMAC modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
feedback and ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.27 |
|
01-Sep-2010 |
djm |
prefer ECDH in a 256 bit curve field; prompted by naddy@
|
#
1.26 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.25 |
|
16-Apr-2010 |
djm |
revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the following changes:
move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash
Rename "constraints" field to "critical options"
Add a new non-critical "extensions" field
Add a serial number
The older format is still support for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)
ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.24 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.23 |
|
23-Jan-2009 |
djm |
prefer CTR modes and revised arcfour (i.e w/ discard) modes to CBC modes; ok markus@
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.22 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
|
#
1.21 |
|
25-Mar-2006 |
djm |
standardise spacing in $OpenBSD$ tags; requested by deraadt@
|
#
1.20 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.19 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.18 |
|
25-Jul-2005 |
markus |
branches: 1.18.2; 1.18.4; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.17 |
|
23-May-2005 |
djm |
add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes; ok markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.16 |
|
13-Jun-2004 |
djm |
branches: 1.16.2; 1.16.4; implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.15 |
|
17-May-2003 |
markus |
branches: 1.15.2; 1.15.4; experimental support for aes-ctr modes from http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt ok djm@
|
Revision tags: OPENBSD_3_1_BASE OPENBSD_3_2_BASE OPENBSD_3_3_BASE
|
#
1.14 |
|
03-Apr-2002 |
markus |
branches: 1.14.4; 1.14.6; re-add rijndael-cbc@lysator.liu.se for MacSSH; ash@lab.poc.net
|
#
1.13 |
|
21-Jan-2002 |
markus |
remove "rijndael-*", just use "aes-" since this how rijndael is called in the drafts; ok stevesk@
|
Revision tags: OPENBSD_2_9_BASE OPENBSD_3_0_BASE
|
#
1.12 |
|
05-Mar-2001 |
deraadt |
branches: 1.12.2; 1.12.4; switch to aes128-cbc/hmac-md5 by default in SSH2 -- faster; provos & markus ok
|
#
1.11 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.10 |
|
29-Jan-2001 |
niklas |
$OpenBSD$
|
#
1.9 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.8 |
|
13-Oct-2000 |
markus |
branches: 1.8.2; prefer no compression
|
#
1.7 |
|
13-Oct-2000 |
markus |
rijndael/aes support
|
#
1.6 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.5 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.4 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.3 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.2 |
|
08-May-2000 |
markus |
branches: 1.2.2; complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)
|
#
1.1 |
|
04-Apr-2000 |
markus |
ssh2 client implementation, interops w/ ssh.com and lsh servers.
|
#
1.64 |
|
16-Dec-2019 |
djm |
sort sk-* methods behind their plain key methods cousins for now
|
#
1.63 |
|
15-Dec-2019 |
djm |
allow security keys to act as host keys as well as user keys.
Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk.
ok markus@
|
#
1.62 |
|
10-Dec-2019 |
djm |
add security key types to list of keys allowed to act as CAs; spotted by Ron Frederick
|
#
1.61 |
|
12-Nov-2019 |
markus |
enable ed25519 support; ok djm
|
#
1.60 |
|
01-Nov-2019 |
djm |
remove duplicate PUBKEY_DEFAULT_PK_ALG on !WITH_OPENSSL path
|
#
1.59 |
|
31-Oct-2019 |
djm |
Separate myproposal.h userauth pubkey types
U2F/FIDO keys are not supported for host authentication, so we need a separate list for user keys.
feedback & ok markus@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.58 |
|
23-Feb-2019 |
djm |
openssh-7.9 accidentally reused the server's algorithm lists in the client for KEX, ciphers and MACs. The ciphers and MACs were identical between the client and server, but the error accidentially disabled the diffie-hellman-group-exchange-sha1 KEX method.
This fixes the client code to use the correct method list, but because nobody complained, it also disables the diffie-hellman-group-exchange-sha1 KEX method.
Reported by nuxi AT vault24.org via bz#2697; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.57 |
|
12-Sep-2018 |
djm |
add SSH_ALLOWED_CA_SIGALGS - the default list of signature algorithms that are allowed for CA signatures. Notably excludes ssh-dsa.
ok markus@
|
#
1.56 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.55 |
|
07-May-2017 |
djm |
Don't offer CBC ciphers by default in the client. ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.54 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.53 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.52 |
|
05-Sep-2016 |
djm |
remove 3des-cbc from the client's default proposal; 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like sweet32 are extended to SSH.
As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the defaults, but it's highly likely that such devices already need explicit configuration for KEX and hostkeys anyway.
ok deraadt, markus, dtucker
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.51 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.50 |
|
09-Feb-2016 |
djm |
turn off more old crypto in the client: hmac-md5, ripemd, truncated HMACs, RC4, blowfish. ok markus@ dtucker@
|
#
1.49 |
|
05-Dec-2015 |
markus |
prefer rsa-sha2-512 over -256 for hostkeys, too; noticed by naddy@
|
#
1.48 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.47 |
|
10-Jul-2015 |
markus |
Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@
|
#
1.46 |
|
03-Jul-2015 |
djm |
turn off 1024 bit diffie-hellman-group1-sha1 key exchange method (already off in server, this turns it off in the client by default too) ok dtucker@
|
#
1.45 |
|
03-Jul-2015 |
djm |
delete support for legacy v00 certificates; "sure" markus@ dtucker@
|
#
1.44 |
|
27-May-2015 |
dtucker |
Reorder client proposal to prefer diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1. ok djm@
|
#
1.43 |
|
21-Apr-2015 |
jsg |
Add back a backslash removed in rev 1.42 so KEX_SERVER_ENCRYPT will include aes again.
ok deraadt@
|
#
1.42 |
|
24-Mar-2015 |
djm |
promote chacha20-poly1305@openssh.com to be the default cipher; ok markus
|
Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.41 |
|
11-Jul-2014 |
tedu |
by popular demand, add back hamc-sha1 to server proposal for better compat with many clients still in use. ok deraadt
|
#
1.40 |
|
30-Apr-2014 |
naddy |
UMAC can use our local fallback implementation of AES when OpenSSL isn't available. Glue code straight from Ted Krovetz's original umac.c. ok markus@
|
#
1.39 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.38 |
|
27-Mar-2014 |
markus |
disable weak proposals in sshd, but keep them in ssh; ok djm@
|
#
1.37 |
|
26-Mar-2014 |
deraadt |
The current sharing of myproposal[] between both client and server code makes the previous diff highly unpallatable. We want to go in that direction for the server, but not for the client. Sigh. Brought up by naddy.
|
#
1.36 |
|
25-Mar-2014 |
markus |
trimm default proposals.
This commit removes the weaker pre-SHA2 hashes, the broken ciphers (arcfour), and the broken modes (CBC) from the default configuration (the patch only changes the default, all the modes are still available for the config files).
ok djm@, reminded by tedu@ & naddy@ and discussed with many
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.35 |
|
06-Dec-2013 |
markus |
support ed25519 keys (hostkeys and user identities) using the public domain ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html feedback, help & ok djm@
|
#
1.34 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.33 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.32 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.31 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.30 |
|
04-Oct-2012 |
markus |
add umac128 variant; ok djm@ at n2k12
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.29 |
|
28-Jun-2012 |
dtucker |
Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed from draft6 of the spec and will not be in the RFC when published. Patch from mdb at juniper net via bz#2023, ok markus.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.28 |
|
02-Aug-2011 |
djm |
Add new SHA256 and SHA512 based HMAC modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
feedback and ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.27 |
|
01-Sep-2010 |
djm |
prefer ECDH in a 256 bit curve field; prompted by naddy@
|
#
1.26 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.25 |
|
16-Apr-2010 |
djm |
revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the following changes:
move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash
Rename "constraints" field to "critical options"
Add a new non-critical "extensions" field
Add a serial number
The older format is still supported for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)
ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.24 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. See VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys.
feedback and ok markus@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.23 |
|
23-Jan-2009 |
djm |
prefer CTR modes and revised arcfour (i.e. w/ discard) modes to CBC modes; ok markus@
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.22 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
|
#
1.21 |
|
25-Mar-2006 |
djm |
standardise spacing in $OpenBSD$ tags; requested by deraadt@
|
#
1.20 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.19 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.18 |
|
25-Jul-2005 |
markus |
branches: 1.18.2; 1.18.4; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.17 |
|
23-May-2005 |
djm |
add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes; ok markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.16 |
|
13-Jun-2004 |
djm |
branches: 1.16.2; 1.16.4; implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.15 |
|
17-May-2003 |
markus |
branches: 1.15.2; 1.15.4; experimental support for aes-ctr modes from http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt ok djm@
|
Revision tags: OPENBSD_3_1_BASE OPENBSD_3_2_BASE OPENBSD_3_3_BASE
|
#
1.14 |
|
03-Apr-2002 |
markus |
branches: 1.14.4; 1.14.6; re-add rijndael-cbc@lysator.liu.se for MacSSH; ash@lab.poc.net
|
#
1.13 |
|
21-Jan-2002 |
markus |
remove "rijndael-*", just use "aes-" since this is how rijndael is called in the drafts; ok stevesk@
|
Revision tags: OPENBSD_2_9_BASE OPENBSD_3_0_BASE
|
#
1.12 |
|
05-Mar-2001 |
deraadt |
branches: 1.12.2; 1.12.4; switch to aes128-cbc/hmac-md5 by default in SSH2 -- faster; provos & markus ok
|
#
1.11 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.10 |
|
29-Jan-2001 |
niklas |
$OpenBSD$
|
#
1.9 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.8 |
|
13-Oct-2000 |
markus |
branches: 1.8.2; prefer no compression
|
#
1.7 |
|
13-Oct-2000 |
markus |
rijndael/aes support
|
#
1.6 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.5 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.4 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.3 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.2 |
|
08-May-2000 |
markus |
branches: 1.2.2; complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)
|
#
1.1 |
|
04-Apr-2000 |
markus |
ssh2 client implementation, interops w/ ssh.com and lsh servers.
|
#
1.62 |
|
10-Dec-2019 |
djm |
add security key types to list of keys allowed to act as CAs; spotted by Ron Frederick
|
#
1.61 |
|
12-Nov-2019 |
markus |
enable ed25519 support; ok djm
|
#
1.60 |
|
01-Nov-2019 |
djm |
remove duplicate PUBKEY_DEFAULT_PK_ALG on !WITH_OPENSSL path
|
#
1.59 |
|
31-Oct-2019 |
djm |
Separate myproposal.h userauth pubkey types
U2F/FIDO keys are not supported for host authentication, so we need a separate list for user keys.
feedback & ok markus@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.58 |
|
23-Feb-2019 |
djm |
openssh-7.9 accidentally reused the server's algorithm lists in the client for KEX, ciphers and MACs. The ciphers and MACs were identical between the client and server, but the error accidentally disabled the diffie-hellman-group-exchange-sha1 KEX method.
This fixes the client code to use the correct method list, but because nobody complained, it also disables the diffie-hellman-group-exchange-sha1 KEX method.
Reported by nuxi AT vault24.org via bz#2697; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.57 |
|
12-Sep-2018 |
djm |
add SSH_ALLOWED_CA_SIGALGS - the default list of signature algorithms that are allowed for CA signatures. Notably excludes ssh-dsa.
ok markus@
|
#
1.56 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.55 |
|
07-May-2017 |
djm |
Don't offer CBC ciphers by default in the client. ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.54 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.53 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.52 |
|
05-Sep-2016 |
djm |
remove 3des-cbc from the client's default proposal; 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like sweet32 are extended to SSH.
As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the defaults, but it's highly likely that such devices already need explicit configuration for KEX and hostkeys anyway.
ok deraadt, markus, dtucker
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.51 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.50 |
|
09-Feb-2016 |
djm |
turn off more old crypto in the client: hmac-md5, ripemd, truncated HMACs, RC4, blowfish. ok markus@ dtucker@
|
#
1.49 |
|
05-Dec-2015 |
markus |
prefer rsa-sha2-512 over -256 for hostkeys, too; noticed by naddy@
|
#
1.48 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.47 |
|
10-Jul-2015 |
markus |
Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@
|
#
1.46 |
|
03-Jul-2015 |
djm |
turn off 1024 bit diffie-hellman-group1-sha1 key exchange method (already off in server, this turns it off in the client by default too) ok dtucker@
|
#
1.45 |
|
03-Jul-2015 |
djm |
delete support for legacy v00 certificates; "sure" markus@ dtucker@
|
#
1.44 |
|
27-May-2015 |
dtucker |
Reorder client proposal to prefer diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1. ok djm@
|
#
1.43 |
|
21-Apr-2015 |
jsg |
Add back a backslash removed in rev 1.42 so KEX_SERVER_ENCRYPT will include aes again.
ok deraadt@
|
#
1.42 |
|
24-Mar-2015 |
djm |
promote chacha20-poly1305@openssh.com to be the default cipher; ok markus
|
Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.41 |
|
11-Jul-2014 |
tedu |
by popular demand, add back hmac-sha1 to server proposal for better compat with many clients still in use. ok deraadt
|
#
1.40 |
|
30-Apr-2014 |
naddy |
UMAC can use our local fallback implementation of AES when OpenSSL isn't available. Glue code straight from Ted Krovetz's original umac.c. ok markus@
|
#
1.39 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.38 |
|
27-Mar-2014 |
markus |
disable weak proposals in sshd, but keep them in ssh; ok djm@
|
#
1.61 |
|
12-Nov-2019 |
markus |
enable ed25519 support; ok djm
|
#
1.60 |
|
01-Nov-2019 |
djm |
remove duplicate PUBKEY_DEFAULT_PK_ALG on !WITH_OPENSSL path
|
#
1.59 |
|
31-Oct-2019 |
djm |
Separate myproposal.h userauth pubkey types
U2F/FIDO keys are not supported for host authentication, so we need a separate list for user keys.
feedback & ok markus@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.58 |
|
23-Feb-2019 |
djm |
openssh-7.9 accidentally reused the server's algorithm lists in the client for KEX, ciphers and MACs. The ciphers and MACs were identical between the client and server, but the error accidentially disabled the diffie-hellman-group-exchange-sha1 KEX method.
This fixes the client code to use the correct method list, but because nobody complained, it also disables the diffie-hellman-group-exchange-sha1 KEX method.
Reported by nuxi AT vault24.org via bz#2697; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.57 |
|
12-Sep-2018 |
djm |
add SSH_ALLOWED_CA_SIGALGS - the default list of signature algorithms that are allowed for CA signatures. Notably excludes ssh-dsa.
ok markus@
|
#
1.56 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.55 |
|
07-May-2017 |
djm |
Don't offer CBC ciphers by default in the client. ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.54 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.53 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.52 |
|
05-Sep-2016 |
djm |
remove 3des-cbc from the client's default proposal; 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like sweet32 are extended to SSH.
As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the defaults, but it's highly likely that such devices already need explicit configuration for KEX and hostkeys anyway.
ok deraadt, markus, dtucker
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.51 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.50 |
|
09-Feb-2016 |
djm |
turn off more old crypto in the client: hmac-md5, ripemd, truncated HMACs, RC4, blowfish. ok markus@ dtucker@
|
#
1.49 |
|
05-Dec-2015 |
markus |
prefer rsa-sha2-512 over -256 for hostkeys, too; noticed by naddy@
|
#
1.48 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.47 |
|
10-Jul-2015 |
markus |
Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@
|
#
1.46 |
|
03-Jul-2015 |
djm |
turn off 1024 bit diffie-hellman-group1-sha1 key exchange method (already off in server, this turns it off in the client by default too) ok dtucker@
|
#
1.45 |
|
03-Jul-2015 |
djm |
delete support for legacy v00 certificates; "sure" markus@ dtucker@
|
#
1.44 |
|
27-May-2015 |
dtucker |
Reorder client proposal to prefer diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1. ok djm@
|
#
1.43 |
|
21-Apr-2015 |
jsg |
Add back a backslash removed in rev 1.42 so KEX_SERVER_ENCRYPT will include aes again.
ok deraadt@
|
#
1.42 |
|
24-Mar-2015 |
djm |
promote chacha20-poly1305@openssh.com to be the default cipher; ok markus
|
Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.41 |
|
11-Jul-2014 |
tedu |
by popular demand, add back hamc-sha1 to server proposal for better compat with many clients still in use. ok deraadt
|
#
1.40 |
|
30-Apr-2014 |
naddy |
UMAC can use our local fallback implementation of AES when OpenSSL isn't available. Glue code straight from Ted Krovetz's original umac.c. ok markus@
|
#
1.39 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.38 |
|
27-Mar-2014 |
markus |
disable weak proposals in sshd, but keep them in ssh; ok djm@
|
#
1.37 |
|
26-Mar-2014 |
deraadt |
The current sharing of myproposal[] between both client and server code makes the previous diff highly unpallatable. We want to go in that direction for the server, but not for the client. Sigh. Brought up by naddy.
|
#
1.36 |
|
25-Mar-2014 |
markus |
trimm default proposals.
This commit removes the weaker pre-SHA2 hashes, the broken ciphers (arcfour), and the broken modes (CBC) from the default configuration (the patch only changes the default, all the modes are still available for the config files).
ok djm@, reminded by tedu@ & naddy@ and discussed with many
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.35 |
|
06-Dec-2013 |
markus |
support ed25519 keys (hostkeys and user identities) using the public domain ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html feedback, help & ok djm@
|
#
1.34 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.33 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.32 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.31 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.30 |
|
04-Oct-2012 |
markus |
add umac128 variant; ok djm@ at n2k12
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.29 |
|
28-Jun-2012 |
dtucker |
Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed from draft6 of the spec and will not be in the RFC when published. Patch from mdb at juniper net via bz#2023, ok markus.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.28 |
|
02-Aug-2011 |
djm |
Add new SHA256 and SHA512 based HMAC modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
feedback and ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.27 |
|
01-Sep-2010 |
djm |
prefer ECDH in a 256 bit curve field; prompted by naddy@
|
#
1.26 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.25 |
|
16-Apr-2010 |
djm |
revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the following changes:
move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash
Rename "constraints" field to "critical options"
Add a new non-critical "extensions" field
Add a serial number
The older format is still supported for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)
ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.24 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
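The v01 certificate layout that revisions 1.25 and 1.24 describe (nonce first, then the key, serial, type, key id, principals, validity window, critical options, extensions, CA key and signature, as documented in PROTOCOL.certkeys), as an added Python example that is not OpenSSH's own code: it parses a certificate blob, reports exactly which bytes the CA signature covers (so the nonce is the first variable content under the signature hash), and applies the type, principal and validity-window checks. The sample certificate, nonce, keys and signature are constructed placeholders; no signature verification is performed.

```python
# Added example, not OpenSSH's own code: parse an OpenSSH v01 certificate laid out
# as in PROTOCOL.certkeys and show which bytes the CA signature covers. The sample
# certificate below is constructed inline; its signature is a placeholder.
import struct

CERT_TYPE_USER, CERT_TYPE_HOST = 1, 2

KEY_FIELDS = {  # public-key fields that follow the nonce, by certificate type name
    "ssh-rsa-cert-v01@openssh.com": ["e", "n"],
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": ["curve", "pk"],
    "ssh-ed25519-cert-v01@openssh.com": ["pk"],
}

def ssh_string(b):  # SSH wire "string": big-endian uint32 length + bytes
    return struct.pack(">I", len(b)) + b

class Reader:  # bounds-checked cursor over SSH wire encoding
    def __init__(self, data):
        self.data, self.off = data, 0
    def take(self, n):
        if self.off + n > len(self.data):
            raise ValueError("truncated certificate")
        self.off += n
        return self.data[self.off - n:self.off]
    def uint(self, fmt):  # ">I" for uint32, ">Q" for uint64
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]
    def string(self):
        return self.take(self.uint(">I"))
    def done(self):
        return self.off == len(self.data)

def parse_name_list(blob):  # valid principals: concatenated strings
    r, names = Reader(blob), []
    while not r.done():
        names.append(r.string().decode())
    return names

def parse_options(blob):  # critical options / extensions: (name, data) pairs
    r, opts = Reader(blob), {}
    while not r.done():
        name, data = r.string().decode(), r.string()
        # data is empty for flag-style entries (permit-pty) or wraps one string
        opts[name] = Reader(data).string().decode() if data else ""
    return opts

def parse_cert(blob):
    r = Reader(blob)
    cert = {"type_name": r.string().decode()}
    if cert["type_name"] not in KEY_FIELDS:
        raise ValueError("unsupported certificate type " + cert["type_name"])
    cert["nonce"] = r.string()  # v01: the nonce comes first, right after the type
    cert["key"] = {f: r.string() for f in KEY_FIELDS[cert["type_name"]]}
    cert["serial"] = r.uint(">Q")
    cert["cert_type"] = r.uint(">I")
    cert["key_id"] = r.string().decode()
    cert["principals"] = parse_name_list(r.string())
    cert["valid_after"] = r.uint(">Q")
    cert["valid_before"] = r.uint(">Q")
    cert["critical_options"] = parse_options(r.string())
    cert["extensions"] = parse_options(r.string())
    cert["reserved"] = r.string()
    cert["signature_key"] = r.string()
    cert["signed_data"] = blob[:r.off]  # the CA signs everything before the signature
    cert["signature"] = r.string()
    if not r.done():
        raise ValueError("trailing bytes after signature")
    return cert

def check_validity(cert, now, principal, expected_type):
    """Reasons a certificate must be rejected; an empty list means acceptable."""
    problems = []
    if cert["cert_type"] != expected_type:
        problems.append("wrong certificate type")
    if cert["principals"] and principal not in cert["principals"]:
        problems.append("principal not listed")  # empty list: valid for any principal
    if not cert["valid_after"] <= now < cert["valid_before"]:  # valid_before exclusive
        problems.append("outside validity window")
    return problems

# Constructed sample values; none come from a real CA.
SAMPLE_NONCE = bytes(range(32))
SAMPLE_CA_KEY = ssh_string(b"ssh-ed25519") + ssh_string(b"\x22" * 32)
SAMPLE_SIG = ssh_string(b"ssh-ed25519") + ssh_string(b"\x33" * 64)  # placeholder

def build_sample_cert():
    body = (ssh_string(b"ssh-ed25519-cert-v01@openssh.com")
            + ssh_string(SAMPLE_NONCE)
            + ssh_string(b"\x11" * 32)  # ed25519 public key
            + struct.pack(">QI", 42, CERT_TYPE_USER)  # serial, type
            + ssh_string(b"alice@example")  # key id
            + ssh_string(ssh_string(b"alice") + ssh_string(b"deploy"))  # principals
            + struct.pack(">QQ", 1_700_000_000, 1_700_086_400)  # validity window
            + ssh_string(ssh_string(b"force-command") + ssh_string(ssh_string(b"/usr/bin/true")))
            + ssh_string(ssh_string(b"permit-pty") + ssh_string(b""))
            + ssh_string(b"")  # reserved
            + ssh_string(SAMPLE_CA_KEY))
    return body + ssh_string(SAMPLE_SIG)
```

Feeding `build_sample_cert()` to `parse_cert()` and then `check_validity()` reproduces the order of checks a verifier has to make before trusting the key; a real deployment must additionally verify `signature` over `signed_data` with `signature_key` and check that the CA key is one it trusts.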
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.23 |
|
23-Jan-2009 |
djm |
prefer CTR modes and revised arcfour (i.e. w/ discard) modes to CBC modes; ok markus@
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.22 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
|
#
1.21 |
|
25-Mar-2006 |
djm |
standardise spacing in $OpenBSD$ tags; requested by deraadt@
|
#
1.20 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.19 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.18 |
|
25-Jul-2005 |
markus |
branches: 1.18.2; 1.18.4; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.17 |
|
23-May-2005 |
djm |
add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes; ok markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.16 |
|
13-Jun-2004 |
djm |
branches: 1.16.2; 1.16.4; implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.15 |
|
17-May-2003 |
markus |
branches: 1.15.2; 1.15.4; experimental support for aes-ctr modes from http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt ok djm@
|
Revision tags: OPENBSD_3_1_BASE OPENBSD_3_2_BASE OPENBSD_3_3_BASE
|
#
1.14 |
|
03-Apr-2002 |
markus |
branches: 1.14.4; 1.14.6; re-add rijndael-cbc@lysator.liu.se for MacSSH; ash@lab.poc.net
|
#
1.13 |
|
21-Jan-2002 |
markus |
remove "rijndael-*", just use "aes-" since this is how rijndael is called in the drafts; ok stevesk@
|
Revision tags: OPENBSD_2_9_BASE OPENBSD_3_0_BASE
|
#
1.12 |
|
05-Mar-2001 |
deraadt |
branches: 1.12.2; 1.12.4; switch to aes128-cbc/hmac-md5 by default in SSH2 -- faster; provos & markus ok
|
#
1.11 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.10 |
|
29-Jan-2001 |
niklas |
$OpenBSD$
|
#
1.9 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.8 |
|
13-Oct-2000 |
markus |
branches: 1.8.2; prefer no compression
|
#
1.7 |
|
13-Oct-2000 |
markus |
rijndael/aes support
|
#
1.6 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.5 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.4 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.3 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.2 |
|
08-May-2000 |
markus |
branches: 1.2.2; complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)
|
#
1.1 |
|
04-Apr-2000 |
markus |
ssh2 client implementation, interops w/ ssh.com and lsh servers.
|
#
1.60 |
|
01-Nov-2019 |
djm |
remove duplicate PUBKEY_DEFAULT_PK_ALG on !WITH_OPENSSL path
|
#
1.59 |
|
31-Oct-2019 |
djm |
Separate myproposal.h userauth pubkey types
U2F/FIDO keys are not supported for host authentication, so we need a separate list for user keys.
feedback & ok markus@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.58 |
|
23-Feb-2019 |
djm |
openssh-7.9 accidentally reused the server's algorithm lists in the client for KEX, ciphers and MACs. The ciphers and MACs were identical between the client and server, but the error accidentially disabled the diffie-hellman-group-exchange-sha1 KEX method.
This fixes the client code to use the correct method list, but because nobody complained, it also disables the diffie-hellman-group-exchange-sha1 KEX method.
Reported by nuxi AT vault24.org via bz#2697; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.57 |
|
12-Sep-2018 |
djm |
add SSH_ALLOWED_CA_SIGALGS - the default list of signature algorithms that are allowed for CA signatures. Notably excludes ssh-dsa.
ok markus@
|
#
1.56 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.55 |
|
07-May-2017 |
djm |
Don't offer CBC ciphers by default in the client. ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.54 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.53 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.52 |
|
05-Sep-2016 |
djm |
remove 3des-cbc from the client's default proposal; 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like sweet32 are extended to SSH.
As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the defaults, but it's highly likely that such devices already need explicit configuration for KEX and hostkeys anyway.
ok deraadt, markus, dtucker
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.51 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.50 |
|
09-Feb-2016 |
djm |
turn off more old crypto in the client: hmac-md5, ripemd, truncated HMACs, RC4, blowfish. ok markus@ dtucker@
|
#
1.49 |
|
05-Dec-2015 |
markus |
prefer rsa-sha2-512 over -256 for hostkeys, too; noticed by naddy@
|
#
1.48 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.47 |
|
10-Jul-2015 |
markus |
Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@
|
#
1.46 |
|
03-Jul-2015 |
djm |
turn off 1024 bit diffie-hellman-group1-sha1 key exchange method (already off in server, this turns it off in the client by default too) ok dtucker@
|
#
1.45 |
|
03-Jul-2015 |
djm |
delete support for legacy v00 certificates; "sure" markus@ dtucker@
|
#
1.44 |
|
27-May-2015 |
dtucker |
Reorder client proposal to prefer diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1. ok djm@
|
#
1.43 |
|
21-Apr-2015 |
jsg |
Add back a backslash removed in rev 1.42 so KEX_SERVER_ENCRYPT will include aes again.
ok deraadt@
|
#
1.42 |
|
24-Mar-2015 |
djm |
promote chacha20-poly1305@openssh.com to be the default cipher; ok markus
|
Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.41 |
|
11-Jul-2014 |
tedu |
by popular demand, add back hamc-sha1 to server proposal for better compat with many clients still in use. ok deraadt
|
#
1.40 |
|
30-Apr-2014 |
naddy |
UMAC can use our local fallback implementation of AES when OpenSSL isn't available. Glue code straight from Ted Krovetz's original umac.c. ok markus@
|
#
1.39 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.38 |
|
27-Mar-2014 |
markus |
disable weak proposals in sshd, but keep them in ssh; ok djm@
|
#
1.37 |
|
26-Mar-2014 |
deraadt |
The current sharing of myproposal[] between both client and server code makes the previous diff highly unpallatable. We want to go in that direction for the server, but not for the client. Sigh. Brought up by naddy.
|
#
1.36 |
|
25-Mar-2014 |
markus |
trimm default proposals.
This commit removes the weaker pre-SHA2 hashes, the broken ciphers (arcfour), and the broken modes (CBC) from the default configuration (the patch only changes the default, all the modes are still available for the config files).
ok djm@, reminded by tedu@ & naddy@ and discussed with many
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.35 |
|
06-Dec-2013 |
markus |
support ed25519 keys (hostkeys and user identities) using the public domain ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html feedback, help & ok djm@
|
#
1.34 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.33 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.32 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.31 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.30 |
|
04-Oct-2012 |
markus |
add umac128 variant; ok djm@ at n2k12
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.29 |
|
28-Jun-2012 |
dtucker |
Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed from draft6 of the spec and will not be in the RFC when published. Patch from mdb at juniper net via bz#2023, ok markus.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.28 |
|
02-Aug-2011 |
djm |
Add new SHA256 and SHA512 based HMAC modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
feedback and ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.27 |
|
01-Sep-2010 |
djm |
prefer ECDH in a 256 bit curve field; prompted by naddy@
|
#
1.26 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.25 |
|
16-Apr-2010 |
djm |
revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the following changes:
move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash
Rename "constraints" field to "critical options"
Add a new non-critical "extensions" field
Add a serial number
The older format is still support for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)
ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.24 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.23 |
|
23-Jan-2009 |
djm |
prefer CTR modes and revised arcfour (i.e w/ discard) modes to CBC modes; ok markus@
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.22 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
|
#
1.21 |
|
25-Mar-2006 |
djm |
standardise spacing in $OpenBSD$ tags; requested by deraadt@
|
#
1.20 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.19 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.18 |
|
25-Jul-2005 |
markus |
branches: 1.18.2; 1.18.4; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.17 |
|
23-May-2005 |
djm |
add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes; ok markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.16 |
|
13-Jun-2004 |
djm |
branches: 1.16.2; 1.16.4; implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.15 |
|
17-May-2003 |
markus |
branches: 1.15.2; 1.15.4; experimental support for aes-ctr modes from http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt ok djm@
|
Revision tags: OPENBSD_3_1_BASE OPENBSD_3_2_BASE OPENBSD_3_3_BASE
|
#
1.14 |
|
03-Apr-2002 |
markus |
branches: 1.14.4; 1.14.6; re-add rijndael-cbc@lysator.liu.se for MacSSH; ash@lab.poc.net
|
#
1.13 |
|
21-Jan-2002 |
markus |
remove "rijndael-*", just use "aes-" since this how rijndael is called in the drafts; ok stevesk@
|
Revision tags: OPENBSD_2_9_BASE OPENBSD_3_0_BASE
|
#
1.12 |
|
05-Mar-2001 |
deraadt |
branches: 1.12.2; 1.12.4; switch to aes128-cbc/hmac-md5 by default in SSH2 -- faster; provos & markus ok
|
#
1.11 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.10 |
|
29-Jan-2001 |
niklas |
$OpenBSD$
|
#
1.9 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthetication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.8 |
|
13-Oct-2000 |
markus |
branches: 1.8.2; prefer no compression
|
#
1.7 |
|
13-Oct-2000 |
markus |
rijndael/aes support
|
#
1.6 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.5 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.4 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.3 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.2 |
|
08-May-2000 |
markus |
branches: 1.2.2; complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)
|
#
1.1 |
|
04-Apr-2000 |
markus |
ssh2 client implementation, interops w/ ssh.com and lsh servers.
|
#
1.58 |
|
23-Feb-2019 |
djm |
openssh-7.9 accidentally reused the server's algorithm lists in the client for KEX, ciphers and MACs. The ciphers and MACs were identical between the client and server, but the error accidentially disabled the diffie-hellman-group-exchange-sha1 KEX method.
This fixes the client code to use the correct method list, but because nobody complained, it also disables the diffie-hellman-group-exchange-sha1 KEX method.
Reported by nuxi AT vault24.org via bz#2697; ok dtucker
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.57 |
|
12-Sep-2018 |
djm |
add SSH_ALLOWED_CA_SIGALGS - the default list of signature algorithms that are allowed for CA signatures. Notably excludes ssh-dsa.
ok markus@
|
#
1.56 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.55 |
|
07-May-2017 |
djm |
Don't offer CBC ciphers by default in the client. ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.54 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.53 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.52 |
|
05-Sep-2016 |
djm |
remove 3des-cbc from the client's default proposal; 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like sweet32 are extended to SSH.
As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the defaults, but it's highly likely that such devices already need explicit configuration for KEX and hostkeys anyway.
ok deraadt, markus, dtucker
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.51 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.50 |
|
09-Feb-2016 |
djm |
turn off more old crypto in the client: hmac-md5, ripemd, truncated HMACs, RC4, blowfish. ok markus@ dtucker@
|
#
1.49 |
|
05-Dec-2015 |
markus |
prefer rsa-sha2-512 over -256 for hostkeys, too; noticed by naddy@
|
#
1.48 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.47 |
|
10-Jul-2015 |
markus |
Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@
|
#
1.46 |
|
03-Jul-2015 |
djm |
turn off 1024 bit diffie-hellman-group1-sha1 key exchange method (already off in server, this turns it off in the client by default too) ok dtucker@
|
#
1.45 |
|
03-Jul-2015 |
djm |
delete support for legacy v00 certificates; "sure" markus@ dtucker@
|
#
1.44 |
|
27-May-2015 |
dtucker |
Reorder client proposal to prefer diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1. ok djm@
|
#
1.43 |
|
21-Apr-2015 |
jsg |
Add back a backslash removed in rev 1.42 so KEX_SERVER_ENCRYPT will include aes again.
ok deraadt@
|
#
1.42 |
|
24-Mar-2015 |
djm |
promote chacha20-poly1305@openssh.com to be the default cipher; ok markus
|
Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.41 |
|
11-Jul-2014 |
tedu |
by popular demand, add back hamc-sha1 to server proposal for better compat with many clients still in use. ok deraadt
|
#
1.40 |
|
30-Apr-2014 |
naddy |
UMAC can use our local fallback implementation of AES when OpenSSL isn't available. Glue code straight from Ted Krovetz's original umac.c. ok markus@
|
#
1.39 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.38 |
|
27-Mar-2014 |
markus |
disable weak proposals in sshd, but keep them in ssh; ok djm@
|
#
1.37 |
|
26-Mar-2014 |
deraadt |
The current sharing of myproposal[] between both client and server code makes the previous diff highly unpallatable. We want to go in that direction for the server, but not for the client. Sigh. Brought up by naddy.
|
#
1.36 |
|
25-Mar-2014 |
markus |
trimm default proposals.
This commit removes the weaker pre-SHA2 hashes, the broken ciphers (arcfour), and the broken modes (CBC) from the default configuration (the patch only changes the default, all the modes are still available for the config files).
ok djm@, reminded by tedu@ & naddy@ and discussed with many
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.35 |
|
06-Dec-2013 |
markus |
support ed25519 keys (hostkeys and user identities) using the public domain ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html feedback, help & ok djm@
|
#
1.34 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.33 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.32 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.31 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.30 |
|
04-Oct-2012 |
markus |
add umac128 variant; ok djm@ at n2k12
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.29 |
|
28-Jun-2012 |
dtucker |
Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed from draft6 of the spec and will not be in the RFC when published. Patch from mdb at juniper net via bz#2023, ok markus.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.28 |
|
02-Aug-2011 |
djm |
Add new SHA256 and SHA512 based HMAC modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
feedback and ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.27 |
|
01-Sep-2010 |
djm |
prefer ECDH in a 256 bit curve field; prompted by naddy@
|
#
1.26 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.25 |
|
16-Apr-2010 |
djm |
revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the following changes:
move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash
Rename "constraints" field to "critical options"
Add a new non-critical "extensions" field
Add a serial number
The older format is still supported for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)
ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.24 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. See VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.23 |
|
23-Jan-2009 |
djm |
prefer CTR modes and revised arcfour (i.e. w/ discard) modes to CBC modes; ok markus@
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.22 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
|
#
1.21 |
|
25-Mar-2006 |
djm |
standardise spacing in $OpenBSD$ tags; requested by deraadt@
|
#
1.20 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.19 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.18 |
|
25-Jul-2005 |
markus |
branches: 1.18.2; 1.18.4; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.17 |
|
23-May-2005 |
djm |
add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes; ok markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.16 |
|
13-Jun-2004 |
djm |
branches: 1.16.2; 1.16.4; implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.15 |
|
17-May-2003 |
markus |
branches: 1.15.2; 1.15.4; experimental support for aes-ctr modes from http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt ok djm@
|
Revision tags: OPENBSD_3_1_BASE OPENBSD_3_2_BASE OPENBSD_3_3_BASE
|
#
1.14 |
|
03-Apr-2002 |
markus |
branches: 1.14.4; 1.14.6; re-add rijndael-cbc@lysator.liu.se for MacSSH; ash@lab.poc.net
|
#
1.13 |
|
21-Jan-2002 |
markus |
remove "rijndael-*", just use "aes-" since this is how rijndael is called in the drafts; ok stevesk@
|
Revision tags: OPENBSD_2_9_BASE OPENBSD_3_0_BASE
|
#
1.12 |
|
05-Mar-2001 |
deraadt |
branches: 1.12.2; 1.12.4; switch to aes128-cbc/hmac-md5 by default in SSH2 -- faster; provos & markus ok
|
#
1.11 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2 2) allow you to specify the MAC with 'ssh -m' 3) or the 'MACs' keyword in ssh(d)_config 4) add hmac-{md5,sha1}-96 ok stevesk@, provos@
|
#
1.10 |
|
29-Jan-2001 |
niklas |
$OpenBSD$
|
#
1.9 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.8 |
|
13-Oct-2000 |
markus |
branches: 1.8.2; prefer no compression
|
#
1.7 |
|
13-Oct-2000 |
markus |
rijndael/aes support
|
#
1.6 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.5 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
#
1.4 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.3 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.2 |
|
08-May-2000 |
markus |
branches: 1.2.2; complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)
|
#
1.1 |
|
04-Apr-2000 |
markus |
ssh2 client implementation, interops w/ ssh.com and lsh servers.
|
#
1.57 |
|
12-Sep-2018 |
djm |
add SSH_ALLOWED_CA_SIGALGS - the default list of signature algorithms that are allowed for CA signatures. Notably excludes ssh-dsa.
ok markus@
|
#
1.56 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.55 |
|
07-May-2017 |
djm |
Don't offer CBC ciphers by default in the client. ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.54 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.53 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.52 |
|
05-Sep-2016 |
djm |
remove 3des-cbc from the client's default proposal; 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like sweet32 are extended to SSH.
As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the defaults, but it's highly likely that such devices already need explicit configuration for KEX and hostkeys anyway.
ok deraadt, markus, dtucker
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.51 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.50 |
|
09-Feb-2016 |
djm |
turn off more old crypto in the client: hmac-md5, ripemd, truncated HMACs, RC4, blowfish. ok markus@ dtucker@
|
#
1.49 |
|
05-Dec-2015 |
markus |
prefer rsa-sha2-512 over -256 for hostkeys, too; noticed by naddy@
|
#
1.48 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.47 |
|
10-Jul-2015 |
markus |
Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@
|
#
1.46 |
|
03-Jul-2015 |
djm |
turn off 1024 bit diffie-hellman-group1-sha1 key exchange method (already off in server, this turns it off in the client by default too) ok dtucker@
|
#
1.45 |
|
03-Jul-2015 |
djm |
delete support for legacy v00 certificates; "sure" markus@ dtucker@
|
#
1.44 |
|
27-May-2015 |
dtucker |
Reorder client proposal to prefer diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1. ok djm@
|
#
1.43 |
|
21-Apr-2015 |
jsg |
Add back a backslash removed in rev 1.42 so KEX_SERVER_ENCRYPT will include aes again.
ok deraadt@
|
#
1.42 |
|
24-Mar-2015 |
djm |
promote chacha20-poly1305@openssh.com to be the default cipher; ok markus
|
Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.41 |
|
11-Jul-2014 |
tedu |
by popular demand, add back hmac-sha1 to server proposal for better compat with many clients still in use. ok deraadt
|
#
1.40 |
|
30-Apr-2014 |
naddy |
UMAC can use our local fallback implementation of AES when OpenSSL isn't available. Glue code straight from Ted Krovetz's original umac.c. ok markus@
|
#
1.39 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.38 |
|
27-Mar-2014 |
markus |
disable weak proposals in sshd, but keep them in ssh; ok djm@
|
#
1.37 |
|
26-Mar-2014 |
deraadt |
The current sharing of myproposal[] between both client and server code makes the previous diff highly unpalatable. We want to go in that direction for the server, but not for the client. Sigh. Brought up by naddy.
|
#
1.36 |
|
25-Mar-2014 |
markus |
trim default proposals.
This commit removes the weaker pre-SHA2 hashes, the broken ciphers (arcfour), and the broken modes (CBC) from the default configuration (the patch only changes the default, all the modes are still available for the config files).
ok djm@, reminded by tedu@ & naddy@ and discussed with many
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.35 |
|
06-Dec-2013 |
markus |
support ed25519 keys (hostkeys and user identities) using the public domain ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html feedback, help & ok djm@
|
#
1.34 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.33 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.56 |
|
03-Jul-2018 |
djm |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
feedback and ok markus@
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.55 |
|
07-May-2017 |
djm |
Don't offer CBC ciphers by default in the client. ok markus@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.54 |
|
28-Sep-2016 |
djm |
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd for >10 years.
|
#
1.53 |
|
22-Sep-2016 |
djm |
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
|
#
1.52 |
|
05-Sep-2016 |
djm |
remove 3des-cbc from the client's default proposal; 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like sweet32 are extended to SSH.
As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the defaults, but it's highly likely that such devices already need explicit configuration for KEX and hostkeys anyway.
ok deraadt, markus, dtucker
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.51 |
|
02-May-2016 |
djm |
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker ok markus@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.50 |
|
09-Feb-2016 |
djm |
turn off more old crypto in the client: hmac-md5, ripemd, truncated HMACs, RC4, blowfish. ok markus@ dtucker@
|
#
1.49 |
|
05-Dec-2015 |
markus |
prefer rsa-sha2-512 over -256 for hostkeys, too; noticed by naddy@
|
#
1.48 |
|
04-Dec-2015 |
markus |
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.47 |
|
10-Jul-2015 |
markus |
Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@
|
#
1.46 |
|
03-Jul-2015 |
djm |
turn off 1024 bit diffie-hellman-group1-sha1 key exchange method (already off in server, this turns it off in the client by default too) ok dtucker@
|
#
1.45 |
|
03-Jul-2015 |
djm |
delete support for legacy v00 certificates; "sure" markus@ dtucker@
|
#
1.44 |
|
27-May-2015 |
dtucker |
Reorder client proposal to prefer diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1. ok djm@
|
#
1.43 |
|
21-Apr-2015 |
jsg |
Add back a backslash removed in rev 1.42 so KEX_SERVER_ENCRYPT will include aes again.
ok deraadt@
|
#
1.42 |
|
24-Mar-2015 |
djm |
promote chacha20-poly1305@openssh.com to be the default cipher; ok markus
|
Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.41 |
|
11-Jul-2014 |
tedu |
by popular demand, add back hamc-sha1 to server proposal for better compat with many clients still in use. ok deraadt
|
#
1.40 |
|
30-Apr-2014 |
naddy |
UMAC can use our local fallback implementation of AES when OpenSSL isn't available. Glue code straight from Ted Krovetz's original umac.c. ok markus@
|
#
1.39 |
|
29-Apr-2014 |
markus |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
1.38 |
|
27-Mar-2014 |
markus |
disable weak proposals in sshd, but keep them in ssh; ok djm@
|
#
1.37 |
|
26-Mar-2014 |
deraadt |
The current sharing of myproposal[] between both client and server code makes the previous diff highly unpallatable. We want to go in that direction for the server, but not for the client. Sigh. Brought up by naddy.
|
#
1.36 |
|
25-Mar-2014 |
markus |
trimm default proposals.
This commit removes the weaker pre-SHA2 hashes, the broken ciphers (arcfour), and the broken modes (CBC) from the default configuration (the patch only changes the default, all the modes are still available for the config files).
ok djm@, reminded by tedu@ & naddy@ and discussed with many
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.35 |
|
06-Dec-2013 |
markus |
support ed25519 keys (hostkeys and user identities) using the public domain ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html feedback, help & ok djm@
|
#
1.34 |
|
21-Nov-2013 |
djm |
Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
|
#
1.33 |
|
02-Nov-2013 |
markus |
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.32 |
|
08-Jan-2013 |
markus |
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
|
#
1.31 |
|
11-Dec-2012 |
markus |
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
|
#
1.30 |
|
04-Oct-2012 |
markus |
add umac128 variant; ok djm@ at n2k12
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.29 |
|
28-Jun-2012 |
dtucker |
Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed from draft6 of the spec and will not be in the RFC when published. Patch from mdb at juniper net via bz#2023, ok markus.
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.28 |
|
02-Aug-2011 |
djm |
Add new SHA256 and SHA512 based HMAC modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
feedback and ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.27 |
|
01-Sep-2010 |
djm |
prefer ECDH in a 256 bit curve field; prompted by naddy@
|
#
1.26 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.25 |
|
16-Apr-2010 |
djm |
revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the following changes:
move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash
Rename "constraints" field to "critical options"
Add a new non-critical "extensions" field
Add a serial number
The older format is still support for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)
ok markus@
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.24 |
|
26-Feb-2010 |
djm |
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.23 |
|
23-Jan-2009 |
djm |
prefer CTR modes and revised arcfour (i.e w/ discard) modes to CBC modes; ok markus@
|
Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.22 |
|
07-Jun-2007 |
pvalchev |
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
|
#
1.21 |
|
25-Mar-2006 |
djm |
standardise spacing in $OpenBSD$ tags; requested by deraadt@
|
#
1.20 |
|
19-Mar-2006 |
deraadt |
spacing
|
#
1.19 |
|
07-Mar-2006 |
djm |
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
|
Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.18 |
|
25-Jul-2005 |
markus |
branches: 1.18.2; 1.18.4; add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd.
this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
|
#
1.17 |
|
23-May-2005 |
djm |
add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes; ok markus@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE
|
#
1.16 |
|
13-Jun-2004 |
djm |
branches: 1.16.2; 1.16.4; implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
|
#
1.15 |
|
17-May-2003 |
markus |
branches: 1.15.2; 1.15.4; experimental support for aes-ctr modes from http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt ok djm@
|
Revision tags: OPENBSD_3_1_BASE OPENBSD_3_2_BASE OPENBSD_3_3_BASE
|
#
1.14 |
|
03-Apr-2002 |
markus |
branches: 1.14.4; 1.14.6; re-add rijndael-cbc@lysator.liu.se for MacSSH; ash@lab.poc.net
|
#
1.13 |
|
21-Jan-2002 |
markus |
remove "rijndael-*", just use "aes-" since this is how rijndael is called in the drafts; ok stevesk@
|
Revision tags: OPENBSD_2_9_BASE OPENBSD_3_0_BASE
|
#
1.12 |
|
05-Mar-2001 |
deraadt |
branches: 1.12.2; 1.12.4; switch to aes128-cbc/hmac-md5 by default in SSH2 -- faster; provos & markus ok
|
#
1.11 |
|
11-Feb-2001 |
markus |
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
#
1.10 |
|
29-Jan-2001 |
niklas |
$OpenBSD$
|
#
1.9 |
|
12-Nov-2000 |
markus |
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys.
the option DSAAuthentication is replaced by PubkeyAuthentication.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.8 |
|
13-Oct-2000 |
markus |
branches: 1.8.2; prefer no compression
|
#
1.7 |
|
13-Oct-2000 |
markus |
rijndael/aes support
|
#
1.6 |
|
11-Oct-2000 |
markus |
new cipher framework
|
#
1.5 |
|
11-Oct-2000 |
provos |
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
|
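The group-exchange mechanism described in revision 1.5 (and later carried to SHA-256 in 1.19) is the client sending a KEX_DH_GEX_REQUEST with a minimum, preferred and maximum group size, and the server answering with a group that fits. The following is an added example and not OpenSSH's own code: it simulates that negotiation with a constructed table of tiny safe primes (real SSH moduli are 2048 bits and up; these only make the selection rule visible), uses OpenSSH-style "smallest group at least n bits, else the largest acceptable one" selection, and computes a simplified exchange hash that omits the version strings, KEXINIT payloads and host key the real hash binds.

```python
import hashlib
import secrets

# Constructed toy group table: small safe primes p = 2q + 1, indexed by the
# bit length of p. NOT real SSH moduli; they only illustrate group selection.
TOY_MODULI = {5: 23, 6: 47, 7: 83, 8: 167, 9: 347, 10: 719, 11: 2039}


def subgroup_generator(p):
    """Smallest g >= 2 generating the order-q subgroup (quadratic residues)
    of safe prime p = 2q + 1, so a shared secret never leaks its low bit."""
    q = (p - 1) // 2
    for g in range(2, p):
        if pow(g, q, p) == 1:
            return g
    raise ValueError("no generator found; p is not a safe prime")


def select_group(min_bits, n_bits, max_bits, moduli=TOY_MODULI):
    """Server side of KEX_DH_GEX_REQUEST: among groups with
    min <= bits <= max, prefer the smallest that is at least n bits;
    if none is that large, fall back to the largest acceptable one."""
    if not (min_bits <= n_bits <= max_bits):
        raise ValueError("malformed request: need min <= n <= max")
    sizes = sorted(b for b in moduli if min_bits <= b <= max_bits)
    if not sizes:
        raise ValueError("no group in the requested range")
    at_least_n = [b for b in sizes if b >= n_bits]
    chosen = at_least_n[0] if at_least_n else sizes[-1]
    p = moduli[chosen]
    return p, subgroup_generator(p)


def dh_keypair(p, g):
    """Private exponent in [1, q-1] and the matching public value g^x mod p."""
    q = (p - 1) // 2
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def run_gex(min_bits, n_bits, max_bits, moduli=TOY_MODULI):
    """Simulate one group-exchange round trip; return both sides' view of
    the shared secret plus a simplified exchange hash."""
    # 1. client -> server: KEX_DH_GEX_REQUEST(min, n, max)
    # 2. server -> client: KEX_DH_GEX_GROUP(p, g)
    p, g = select_group(min_bits, n_bits, max_bits, moduli)
    # 3. client -> server: KEX_DH_GEX_INIT(e = g^x)
    x, e = dh_keypair(p, g)
    # 4. server -> client: KEX_DH_GEX_REPLY(f = g^y, ...)
    y, f = dh_keypair(p, g)
    k_client = pow(f, x, p)
    k_server = pow(e, y, p)
    # Simplified exchange hash over the negotiated parameters and K.
    h = hashlib.sha256()
    for v in (min_bits, n_bits, max_bits, p, g, e, f, k_client):
        h.update(v.to_bytes((v.bit_length() + 7) // 8 or 1, "big"))
    return {"p": p, "g": g, "bits": p.bit_length(),
            "k_client": k_client, "k_server": k_server, "H": h.hexdigest()}


if __name__ == "__main__":
    # A client asking for a "bigger group" (10 bits here) gets p = 719.
    r = run_gex(5, 10, 11)
    print(r["bits"], r["p"], r["k_client"] == r["k_server"], r["H"][:16])
```

With the toy table, a request of (min=5, n=10, max=11) yields the 10-bit group, while a request whose preferred size exceeds every available group falls back to the largest one in range; a request whose range contains no group at all is refused rather than silently downgraded.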
#
1.4 |
|
07-Sep-2000 |
deraadt |
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
|
#
1.3 |
|
25-May-2000 |
markus |
split kexinit/kexdh, factor out common code
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.2 |
|
08-May-2000 |
markus |
branches: 1.2.2; complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)
|
#
1.1 |
|
04-Apr-2000 |
markus |
ssh2 client implementation, interops w/ ssh.com and lsh servers.
|