| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
markus@
OpenBSD-Commit-ID: e8d14a09cda3f1dc55df08f8a4889beff74e68b0
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add load_hostkeys_file() and hostkeys_foreach_file() that accept a
FILE* argument instead of opening the file directly.
Original load_hostkeys() and hostkeys_foreach() are implemented using
these new interfaces.
Add a u_int note field to the hostkey_entry and hostkey_foreach_line
structs that is passed directly from the load_hostkeys() and
hostkeys_foreach() call. This is a lightweight way to annotate results
between different invocations of load_hostkeys().
ok markus@
OpenBSD-Commit-ID: 6ff6db13ec9ee4edfa658b2c38baad0f505d8c20
|
|
|
|
|
|
|
| |
from the server through asmprintf() prior to display; suggested by and ok
dtucker@
OpenBSD-Commit-ID: 31fe93367645c37fbfe4691596bf6cf1e3972a58
|
|
|
|
|
|
|
| |
make it easier to determine which connection they are associated with in
cases like scp -3, ProxyJump, etc. bz#3224 ok dtucker
OpenBSD-Commit-ID: 67e6189b04b46c867662f8a6759cf3ecb5f59170
|
|
|
|
|
|
| |
user once the touch has been recorded; requested by claudio@ ok markus@
OpenBSD-Commit-ID: 3b76ee444490e546b9ea7f879e4092ee0d256233
|
|
|
|
|
|
| |
kex_assemble_namelist() fails
OpenBSD-Commit-ID: a9975ee8db6c98d6f32233d88051b2077ca63dab
|
|
|
|
| |
OpenBSD-Commit-ID: efefc1c47e880887bdee8cd2127ca93177eaad79
|
|
|
|
|
|
| |
__func__ and appending ssh_err(r) manually; ok markus@
OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8
|
|
|
|
|
|
| |
functions
OpenBSD-Commit-ID: 88077b826d348c58352a6b394755520f4e484480
|
|
|
|
|
|
|
|
|
| |
key (commitid VtF8vozGOF8DMKVg). We now do this a simpler way that needs less
plumbing.
ok markus@
OpenBSD-Commit-ID: fb92d25b216bff8c136da818ac2221efaadf18ed
|
|
|
|
|
|
| |
the ECDSA key subtype; ok markus@
OpenBSD-Commit-ID: 3097686f853c61ff61772ea35f8b699931392ece
|
|
|
|
|
|
|
|
| |
certificate host key to a plain key. This occurs when the user connects to a
host with a certificate host key but no corresponding CA key configured in
known_hosts; feedback and ok markus@
OpenBSD-Commit-ID: 2ada81853ff9ee7824c62f440bcf4ad62030c901
|
|
|
|
|
|
|
|
|
| |
prefer the default ordering if the user has a key that matches the
best-preference default algorithm.
feedback and ok markus@
OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
OpenBSD-Commit-ID: 57fd461e4366f87c47502c5614ec08573e6d6a15
|
|
|
|
|
|
| |
OK djm@
OpenBSD-Commit-ID: 454b40e09a117ddb833794358970a65b14c431ef
|
|
|
|
| |
OpenBSD-Commit-ID: ed405a12bd27bdc9c52e169bc5ff3529b4ebbbb2
|
|
|
|
|
|
|
| |
server, prefer certificate types if the known_hosts files contain a key
marked as a @cert-authority; bz#3157 ok markus@
OpenBSD-Commit-ID: 8f194573e5bb7c01b69bbfaabc68f27c9fa5e0db
|
|
|
|
|
|
| |
apply to keys loaded from a PKCS11Provider; bz3141, ok dtucker@
OpenBSD-Commit-ID: e3dd6424b94685671fe84c9b9dbe352fb659f677
|
|
|
|
|
|
|
|
| |
algorithms from the default set (i.e. HostkeyAlgorithms=+/-...), retain the
default behaviour of preferring those algorithms that have existing keys in
known_hosts; ok markus
OpenBSD-Commit-ID: 040e7fcc38ea00146b5d224ce31ce7a1795ee6ed
|
|
|
|
|
|
|
|
|
|
|
| |
messages.
This replaces "security key" in error/usage/verbose messages and
distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
OpenBSD-Commit-ID: 7c63800e9c340c59440a054cde9790a78f18592e
|
|
|
|
|
|
|
| |
that allows building without zlib compression and associated options. With
feedback from markus@, ok djm@
OpenBSD-Commit-ID: 44c6e1133a90fd15a3aa865bdedc53bab28b7910
|
|
|
|
|
|
|
|
| |
sigaction(2). This wrapper blocks all other signals during the handler
preventing races between handlers, and sets SA_RESTART which should reduce
the potential for short read/write operations.
OpenBSD-Commit-ID: 5e047663fd77a40d7b07bdabe68529df51fd2519
|
|
|
|
|
|
|
|
|
|
| |
time and remove ifdef and distinct settings for OPENSSL=no case.
This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@
OpenBSD-Commit-ID: e0116d0183dcafc7a9c40ba5fe9127805c5dfdd2
|
|
|
|
|
|
| |
messages
OpenBSD-Commit-ID: 6da47a0e6373f6683006f49bc2a516d197655508
|
|
|
|
|
|
| |
path too
OpenBSD-Commit-ID: c7628bf80505c1aefbb1de7abc8bb5ee51826829
|
|
|
|
| |
OpenBSD-Commit-ID: b5b15674cde1b54d6dbbae8faf30d47e6e5d6513
|
|
|
|
|
|
|
|
|
| |
order to perform a signature operation. Notify the user when this is expected
via the TTY (if available) or $SSH_ASKPASS if we can.
ok markus@
OpenBSD-Commit-ID: 0ef90a99a85d4a2a07217a58efb4df8444818609
|
|
|
|
| |
OpenBSD-Commit-ID: 1a399c5b3ef15bd8efb916110cf5a9e0b554ab7e
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via
sshkey_sign() like all other signature operations. This means that
we need to add a provider argument to sshkey_sign(), so most of this
change is mechanically adding that.
Suggested by / ok markus@
OpenBSD-Commit-ID: d5193a03fcfa895085d91b2b83d984a9fde76c8c
|
|
|
|
| |
OpenBSD-Commit-ID: eb2cfa6cf7419a1895e06e398ea6d41516c5b0bc
|
|
|
|
|
|
|
| |
sshkey_load_private_type will now return SSH_ERR_KEY_BAD_PERMISSIONS in that
case. Patch from jitendra.sharma at intel.com, ok djm@
OpenBSD-Commit-ID: 07916a17ed0a252591b71e7fb4be2599cb5b0c77
|
|
|
|
| |
OpenBSD-Commit-ID: 824baf9c59afc66a4637017e397b9b74a41684e7
|
|
|
|
|
|
|
|
| |
some arbitrary value < 0. errno is only updated in this case. Change all
(most?) callers of syscalls to follow this better, and let's see if this
strictness helps us in the future.
OpenBSD-Commit-ID: 48081f00db7518e3b712a49dca06efc2a5428075
|
|
|
|
|
|
| |
caused by a typo (STDIN_FILENO vs STDERR_FILENO)
OpenBSD-Commit-ID: 57a0b4be7bef23963afe24150e24bf014fdd9cb0
|
|
|
|
|
|
|
| |
the socket into fd3, so as to not mistakenly leak other fd forward
accidentally. ok djm
OpenBSD-Commit-ID: 24cc753f5aa2c6a7d0fbf62766adbc75cd785296
|
|
|
|
|
|
| |
public key from the agent was being attempted for use.
OpenBSD-Commit-ID: 07116aea521a04888718b2157f1ca723b2f46c8d
|
|
|
|
|
|
|
|
|
|
| |
authmethod. Move function-static GSSAPI state to the client Authctxt
structure. Make static a bunch of functions that aren't used outside this
file.
Based on patch from Markus Schmidt <markus@blueflash.cc>; ok markus@
OpenBSD-Commit-ID: 497fb792c0ddb4f1ba631b6eed526861f115dbe5
|
|
|
|
|
|
|
|
| |
KEM has been renamed to kexgen
from markus@ ok djm@
OpenBSD-Commit-ID: fac6da5dc63530ad0da537db022a9a4cfbe8bed8
|
|
|
|
|
|
| |
from markus@ ok djm@
OpenBSD-Commit-ID: 6fbff96339a929835536b5730585d1d6057a352c
|
|
|
|
|
|
| |
from markus@ ok djm@
OpenBSD-Commit-ID: af56466426b08a8be275412ae2743319e3d277c9
|
|
|
|
| |
OpenBSD-Commit-ID: 38d937b85ff770886379dd66a8f32ab0c1c35c1f
|
|
|
|
|
|
|
|
|
|
|
|
| |
sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime
4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not
enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
OpenBSD-Commit-ID: d687f76cffd3561dd73eb302d17a1c3bf321d1a7
|
|
|
|
| |
OpenBSD-Commit-ID: 37e4f06ab4a0f4214430ff462ba91acba28b7851
|
|
|
|
|
|
|
|
| |
API
with & ok markus@
OpenBSD-Commit-ID: 0986d324f2ceb5e8a12ac21c1bb10b3b4b1e0f71
|
|
|
|
|
|
| |
with & ok markus@
OpenBSD-Commit-ID: 1cb869e0d6e03539f943235641ea070cae2ebc58
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.
with & ok markus@
OpenBSD-Commit-ID: 93c98a6b38f6911fd1ae025a1ec57807fb4d4ef4
|
|
|
|
|
|
|
| |
passwd/kbdint authmethods by moving them to the client authctxt; Patch from
Markus Schmidt, ok markus@
OpenBSD-Commit-ID: 4df4404a5d5416eb056f68e0e2f4fa91ba3b3f7f
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ssh->kex and factor out the banner exchange. This eliminates some common code
from the client and server.
Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@
OpenBSD-Commit-ID: 1cc7885487a6754f63641d7d3279b0941890275b
|
|
|
|
| |
OpenBSD-Commit-ID: e6ca01a8d58004b7f2cac0b1b7ce8f87e425e360
|
|
|
|
|
|
|
| |
socket around for the life of the connection; bz#2912; reported by Simon
Tatham; ok dtucker@
OpenBSD-Commit-ID: 4ded588301183d343dce3e8c5fc1398e35058478
|