summaryrefslogtreecommitdiff
path: root/auth2-gss.c
Commit message (Collapse)AuthorAgeFilesLines
* upstream: clamp max number of GSSAPI mechanisms to 2048; ok dtuckerdjm@openbsd.org2023-03-311-3/+9
| | | | OpenBSD-Commit-ID: ce66db603a913d3dd57063e330cb5494d70722c4
* upstream: prepare for multiple names for authmethodsdjm@openbsd.org2021-12-201-2/+3
| | | | | | | | | | | | | | | | | allow authentication methods to have one additional name beyond their primary name. allow lookup by this synonym Use primary name for authentication decisions, e.g. for PermitRootLogin=publickey Pass actual invoked name to the authmethods, so they can tell whether they were requested via the their primary name or synonym. ok markus@ OpenBSD-Commit-ID: 9e613fcb44b8168823195602ed3d09ffd7994559
* upstream: this needs kex.h nowdjm@openbsd.org2021-01-271-1/+2
| | | | OpenBSD-Commit-ID: c5a42166c5aa002197217421a971e48be7cb5d41
* upstream: make ssh->kex->session_id a sshbuf instead of u_char*/size_tdjm@openbsd.org2021-01-271-2/+2
| | | | | | | and use that instead of global variables containing copies of it. feedback/ok markus@ OpenBSD-Commit-ID: a4b1b1ca4afd2e37cb9f64f737b30a6a7f96af68
* upstream: use the new variant log macros instead of prependingdjm@openbsd.org2020-10-181-13/+13
| | | | | | __func__ and appending ssh_err(r) manually; ok markus@ OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8
* upstream: delay bailout for invalid authenticdjm@openbsd.org2018-07-311-4/+7
| | | | | | | | | | | =?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?= =?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?= =?UTF-8?q?iusz=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d
* upstream: kerberos/gssapi fixes for buffer removaldjm@openbsd.org2018-07-101-5/+12
| | | | OpenBSD-Commit-ID: 1cdf56fec95801e4563c47f21696f04cd8b60c4c
* upstream: sshd: switch GSSAPI to sshbuf API; ok djm@markus@openbsd.org2018-07-101-40/+55
| | | | OpenBSD-Commit-ID: e48449ab4be3f006f7ba33c66241b7d652973e30
* upstream commitdjm@openbsd.org2017-06-241-1/+11
| | | | | | | | | | | refactor authentication logging optionally record successful auth methods and public credentials used in a file accessible to user sessions feedback and ok markus@ Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
* upstream commitmarkus@openbsd.org2017-05-311-21/+22
| | | | | | switch auth2 to ssh_dispatch API; ok djm@ Upstream-ID: a752ca19e2782900dd83060b5c6344008106215f
* upstream commitmarkus@openbsd.org2017-05-311-13/+9
| | | | | | protocol handlers all get struct ssh passed; ok djm@ Upstream-ID: 0ca9ea2a5d01a6d2ded94c5024456a930c5bfb5d
* upstream commitmarkus@openbsd.org2017-05-311-5/+9
| | | | | | sshd: pass struct ssh to auth functions; ok djm@ Upstream-ID: b00a80c3460884ebcdd14ef550154c761aebe488
* upstream commitmarkus@openbsd.org2015-01-201-9/+13
| | | | move dispatch to struct ssh; ok djm@
* - (dtucker) [auth2-gss.c gss-serv-krb5.c] Include misc.h for fwd_opts, usedDarren Tucker2014-07-191-0/+1
| | | | in servconf.h.
* - djm@cvs.openbsd.org 2014/02/26 20:28:44Damien Miller2014-02-271-7/+2
| | | | | | | [auth2-gss.c gss-serv.c ssh-gss.h sshd.c] bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep sandboxing, as running this code in the sandbox can cause violations; ok markus@
* - djm@cvs.openbsd.org 2013/05/17 00:13:13Darren Tucker2013-06-021-9/+8
| | | | | | | | | | | | | | | | | | [xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c dns.c packet.c readpass.c authfd.c moduli.c] bye, bye xfree(); ok markus@
* - djm@cvs.openbsd.org 2013/04/05 00:14:00Damien Miller2013-04-231-4/+1
| | | | | [auth2-gss.c krl.c sshconnect2.c] hush some {unused, printf type} warnings
* - djm@cvs.openbsd.org 2012/12/02 20:34:10Damien Miller2012-12-031-4/+4
| | | | | | | | | | | | | | | | [auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c] [monitor.c monitor.h] Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state. Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive. Fix multiple authentication when one of the methods is keyboard-interactive. ok markus@
* - OpenBSD CVS SyncDamien Miller2011-05-051-1/+3
| | | | | | | | - djm@cvs.openbsd.org 2011/03/10 02:52:57 [auth2-gss.c auth2.c] allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244 from simon AT sxw.org.uk; ok markus@ before lock
* - dtucker@cvs.openbsd.org 2007/10/29 00:52:45Darren Tucker2007-12-021-1/+1
| | | | | | [auth2-gss.c] Allow build without -DGSSAPI; ok deraadt@ (Id sync only, Portable already has the ifdefs)
* - (djm) [audit-bsm.c audit.c auth-bsdauth.c auth-chall.c auth-pam.c]Damien Miller2006-09-011-0/+2
| | | | | | | | | | | | | | | | | [auth-rsa.c auth-shadow.c auth-sia.c auth1.c auth2-chall.c] [auth2-gss.c auth2-kbdint.c auth2-none.c authfd.c authfile.c] [cipher-3des1.c cipher-aes.c cipher-bf1.c cipher-ctr.c clientloop.c] [dh.c dns.c entropy.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c] [kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c loginrec.c mac.c] [md5crypt.c monitor.c monitor_wrap.c readconf.c rsa.c] [scard-opensc.c scard.c session.c ssh-add.c ssh-agent.c ssh-dss.c] [ssh-keygen.c ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c] [sshconnect1.c sshconnect2.c sshd.c rc4.diff] [openbsd-compat/bsd-cray.c openbsd-compat/port-aix.c] [openbsd-compat/port-linux.c openbsd-compat/port-solaris.c] [openbsd-compat/port-uw.c] Lots of headers for SCO OSR6, mainly adding stdarg.h for log.h; compile problems reported by rac AT tenzing.org
* - (dtucker) [auth2-gss.c] We still need the #ifdef GSSAPI in -portable.Darren Tucker2006-08-051-0/+4
|
* - deraadt@cvs.openbsd.org 2006/08/03 03:34:42Damien Miller2006-08-051-7/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c] [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c] [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c] [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ] [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c] [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c] [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c] [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c] [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c] [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c] [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c] [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c] [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c] [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h] [serverloop.c session.c session.h sftp-client.c sftp-common.c] [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c] [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c] [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c] [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c] [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h] [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h] almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step NB. portable commit contains everything *except* removing includes.h, as that will take a fair bit more work as we move headers that are required for portability workarounds to defines.h. (also, this step wasn't "easy")
* - djm@cvs.openbsd.org 2006/03/25 22:22:43Damien Miller2006-03-261-1/+1
| | | | | | | | | | | | | | [atomicio.h auth-options.h auth.h auth2-gss.c authfd.h authfile.h] [bufaux.h buffer.h canohost.h channels.h cipher.h clientloop.h] [compat.h compress.h crc32.c crc32.h deattack.h dh.h dispatch.h] [dns.c dns.h getput.h groupaccess.h gss-genr.c gss-serv-krb5.c] [gss-serv.c hostfile.h includes.h kex.h key.h log.h mac.h match.h] [misc.h monitor.h monitor_fdpass.h monitor_mm.h monitor_wrap.h msg.h] [myproposal.h packet.h pathnames.h progressmeter.h readconf.h rsa.h] [scard.h servconf.h serverloop.h session.h sftp-common.h sftp.h] [ssh-gss.h ssh.h ssh1.h ssh2.h sshconnect.h sshlogin.h sshpty.h] [ttymodes.h uidswap.h uuencode.h xmalloc.h] standardise spacing in $OpenBSD$ tags; requested by deraadt@
* - djm@cvs.openbsd.org 2006/03/20 04:07:22Damien Miller2006-03-261-1/+3
| | | | | | [auth2-gss.c] GSSAPI related leaks detected by Coverity via elad AT netbsd.org; reviewed by simon AT sxw.org.uk; deraadt@ ok
* - stevesk@cvs.openbsd.org 2005/10/13 22:24:31Damien Miller2005-11-051-3/+3
| | | | | [auth2-gss.c gss-genr.c gss-serv.c monitor.c] KNF; ok djm@
* - stevesk@cvs.openbsd.org 2005/10/13 14:03:01Damien Miller2005-11-051-2/+1
| | | | | [auth2-gss.c gss-genr.c gss-serv.c] remove unneeded #includes; ok markus@
* - djm@cvs.openbsd.org 2005/07/17 07:17:55Damien Miller2005-07-171-4/+3
| | | | | | | | [auth-rh-rsa.c auth-rhosts.c auth2-chall.c auth2-gss.c channels.c] [cipher-ctr.c gss-genr.c gss-serv.c kex.c moduli.c readconf.c] [serverloop.c session.c sftp-client.c sftp.c ssh-add.c ssh-keygen.c] [sshconnect.c sshconnect2.c] knf says that a 2nd level indent is four (not three or five) spaces
* - djm@cvs.openbsd.org 2005/06/17 02:44:33Damien Miller2005-06-171-2/+2
| | | | | | | | | | | [auth-rsa.c auth.c auth1.c auth2-chall.c auth2-gss.c authfd.c authfile.c] [bufaux.c canohost.c channels.c cipher.c clientloop.c dns.c gss-serv.c] [kex.c kex.h key.c mac.c match.c misc.c packet.c packet.h scp.c] [servconf.c session.c session.h sftp-client.c sftp-server.c sftp.c] [ssh-keyscan.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c sshd.c] make this -Wsign-compare clean; ok avsm@ markus@ NB. auth1.c changes not committed yet (conflicts with uncommitted sync) NB2. more work may be needed to make portable Wsign-compare clean
* - avsm@cvs.openbsd.org 2004/06/21 17:36:31Darren Tucker2004-06-221-6/+6
| | | | | | | | | | | | | [auth-rsa.c auth2-gss.c auth2-pubkey.c authfile.c canohost.c channels.c cipher.c dns.c kex.c monitor.c monitor_fdpass.c monitor_wrap.c monitor_wrap.h nchan.c packet.c progressmeter.c scp.c sftp-server.c sftp.c ssh-gss.h ssh-keygen.c ssh.c sshconnect.c sshconnect1.c sshlogin.c sshpty.c] make ssh -Wshadow clean, no functional changes markus@ ok There are also some portable-specific -Wshadow warnings to be fixed in monitor.c and montior_wrap.c.
* more whitespace (tabs this time)Damien Miller2003-11-211-7/+7
|
* - djm@cvs.openbsd.org 2003/11/21 11:57:03Damien Miller2003-11-211-4/+4
| | | | | | [everything] unexpand and delete whitespace at EOL; ok markus@ (done locally and RCS IDs synced)
* - markus@cvs.openbsd.org 2003/11/17 11:06:07Damien Miller2003-11-171-11/+57
| | | | | | | [auth2-gss.c gss-genr.c gss-serv.c monitor.c monitor.h monitor_wrap.c] [monitor_wrap.h sshconnect2.c ssh-gss.h] replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
* - markus@cvs.openbsd.org 2003/11/02 11:01:03Darren Tucker2003-11-031-11/+11
| | | | | [auth2-gss.c compat.c compat.h sshconnect2.c] remove support for SSH_BUG_GSSAPI_BER; simon@sxw.org.uk
* - markus@cvs.openbsd.org 2003/10/21 09:50:06Darren Tucker2003-11-031-1/+3
| | | | | [auth2-gss.c] make sure the doid is larger than 2
* - markus@cvs.openbsd.org 2003/09/01 20:44:54Damien Miller2003-09-021-2/+4
| | | | | [auth2-gss.c] fix leak
* - (djm) OpenBSD CVS SyncDamien Miller2003-09-021-2/+4
| | | | | | - deraadt@cvs.openbsd.org 2003/08/24 17:36:51 [auth2-gss.c] 64 bit cleanups; markus ok
* - markus@cvs.openbsd.org 2003/08/22 10:56:09Darren Tucker2003-08-261-0/+243
[auth2.c auth2-gss.c auth.h compat.c compat.h gss-genr.c gss-serv-krb5.c gss-serv.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c session.h ssh-gss.h ssh_config.5 sshconnect2.c sshd_config sshd_config.5] support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
View Lorry Controller Status