#
1.32 |
|
17-May-2024 |
djm |
Start the process of splitting sshd into separate binaries. This step splits sshd into a listener and a session binary. More splits are planned.
After this change, the listener binary will validate the configuration, load the hostkeys, listen on port 22 and manage MaxStartups only. All session handling will be performed by a new sshd-session binary that the listener fork+execs.
This reduces the listener process to the minimum necessary and sets us up for future work on the sshd-session binary.
feedback/ok markus@ deraadt@
NB. if you're updating via source, please restart sshd after installing, otherwise you run the risk of locking yourself out.
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE OPENBSD_7_0_BASE OPENBSD_7_1_BASE OPENBSD_7_2_BASE OPENBSD_7_3_BASE OPENBSD_7_4_BASE OPENBSD_7_5_BASE
|
#
1.31 |
|
12-Nov-2019 |
markus |
enable ed25519 support; ok djm
|
#
1.30 |
|
31-Oct-2019 |
djm |
ssh-agent support for U2F/FIDO keys
feedback & ok markus@
|
#
1.29 |
|
31-Oct-2019 |
djm |
Initial infrastructure for U2F/FIDO support
Key library support: including allocation, marshalling public/private keys and certificates, signature validation.
feedback & ok markus@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.28 |
|
23-Feb-2018 |
markus |
Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.27 |
|
05-May-2017 |
naddy |
more simplification and removal of SSHv1-related code; ok djm@
|
#
1.26 |
|
03-May-2017 |
naddy |
remove miscellaneous SSH1 leftovers; ok markus@
|
Revision tags: OPENBSD_6_0_BASE OPENBSD_6_1_BASE
|
#
1.25 |
|
31-Mar-2016 |
dtucker |
Remove fallback from moduli to "primes" file that was deprecated in 2001 and fix log messages referring to primes file. Based on patch from xnox at ubuntu.com via bz#2559. "kill it" deraadt@
|
Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
|
#
1.24 |
|
06-Dec-2013 |
markus |
support ed25519 keys (hostkeys and user identities) using the public domain ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.23 |
|
05-Apr-2013 |
djm |
use the existing _PATH_SSH_USER_RC define to construct the other pathnames; bz#2077, ok dtucker@ (no binary change)
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE
|
#
1.22 |
|
23-May-2011 |
djm |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
1.21 |
|
11-May-2011 |
djm |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.20 |
|
31-Aug-2010 |
djm |
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be subject to change.
feedback and ok markus@
|
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE
|
#
1.19 |
|
11-Feb-2010 |
djm |
correct comment
|
#
1.18 |
|
08-Feb-2010 |
markus |
replace our obsolete smartcard code with PKCS#11.
ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf
ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11 provider (shared library) while ssh-agent(1) delegates PKCS#11 to a forked ssh-pkcs11-helper process.
PKCS#11 is currently a compile time option.
feedback and ok djm@; inspired by patches from Alon Bar-Lev
|
Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.17 |
|
29-Dec-2008 |
stevesk |
no need to escape single quotes in comments
|
Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE
|
#
1.16 |
|
25-Mar-2006 |
djm |
standardise spacing in $OpenBSD$ tags; requested by deraadt@
|
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.15 |
|
11-Jul-2004 |
deraadt |
branches: 1.15.6; 1.15.8; spaces
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.14 |
|
30-Jan-2004 |
markus |
branches: 1.14.2; support for password change; ok dtucker@ (set password-dead=1w in login.conf to use this).
|
Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE
|
#
1.13 |
|
23-May-2002 |
markus |
branches: 1.13.4; 1.13.6; add /usr/libexec/ssh-keysign: a setuid helper program for hostbased authentication in protocol v2 (needs to access the hostkeys).
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.12 |
|
19-Mar-2002 |
stevesk |
branches: 1.12.2; _PATH_PRIVSEP_CHROOT_DIR; ok provos@
|
#
1.11 |
|
09-Feb-2002 |
deraadt |
move ssh config files to /etc/ssh
|
#
1.10 |
|
08-Dec-2001 |
stevesk |
use only one path to X11 UNIX domain socket vs. an array of paths to try. report from djast@cs.toronto.edu. ok markus@
|
Revision tags: OPENBSD_3_0_BASE
|
#
1.9 |
|
23-Jun-2001 |
markus |
branches: 1.9.2; get rid of known_hosts2, use it for hostkey lookup, but do not modify.
|
#
1.8 |
|
22-Jun-2001 |
markus |
merge authorized_keys2 into authorized_keys. authorized_keys2 is used for backward compat. (just append authorized_keys2 to authorized_keys).
|
#
1.7 |
|
22-Jun-2001 |
provos |
use /etc/moduli instead of /etc/primes, okay markus@
|
#
1.6 |
|
08-Jun-2001 |
markus |
move the path for xauth to pathnames.h
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.5 |
|
12-Apr-2001 |
markus |
branches: 1.5.2; implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) similar to RhostRSAAuthentication unless you enable (the experimental) HostbasedUsesNameFromPacketOnly option. please test. :)
|
#
1.4 |
|
08-Feb-2001 |
stevesk |
branches: 1.4.2; 1.4.4; _PATH_LS; ok markus@
|
#
1.3 |
|
08-Feb-2001 |
markus |
allow sftp over ssh protocol 1; ok djm@
|
#
1.2 |
|
29-Jan-2001 |
niklas |
$OpenBSD$
|
#
1.1 |
|
19-Jan-2001 |
markus |
move ssh1 definitions to ssh1.h, pathnames to pathnames.h
|