diff options
| author | Colin Watson <cjwatson@debian.org> | 2010-03-31 10:46:28 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2010-03-31 10:46:28 +0100 |
| commit | efd3d4522636ae029488c2e9730b60c88e257d2e (patch) | |
| tree | 31e02ac3f16090ce8c53448677356b2b7f423683 /authfd.c | |
| parent | bbec4db36d464ea1d464a707625125f9fd5c7b5e (diff) | |
| parent | d1a87e462e1db89f19cd960588d0c6b287cb5ccc (diff) | |
* New upstream release (LP: #535029).
- After a transition period of about 10 years, this release disables SSH
protocol 1 by default. Clients and servers that need to use the
legacy protocol must explicitly enable it in ssh_config / sshd_config
or on the command-line.
- Remove the libsectok/OpenSC-based smartcard code and add support for
PKCS#11 tokens. This support is enabled by default in the Debian
packaging, since it now doesn't involve additional library
dependencies (closes: #231472, LP: #16918).
- Add support for certificate authentication of users and hosts using a
new, minimal OpenSSH certificate format (closes: #482806).
- Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
- Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian
package, this overlaps with the key blacklisting facility added in
openssh 1:4.7p1-9, but with different file formats and slightly
different scopes; for the moment, I've roughly merged the two.)
- Various multiplexing improvements, including support for requesting
port-forwardings via the multiplex protocol (closes: #360151).
- Allow setting an explicit umask on the sftp-server(8) commandline to
override whatever default the user has (closes: #496843).
- Many sftp client improvements, including tab-completion, more options,
and recursive transfer support for get/put (LP: #33378). The old
mget/mput commands never worked properly and have been removed
(closes: #270399, #428082).
- Do not prompt for a passphrase if we fail to open a keyfile, and log
the reason why the open failed to debug (closes: #431538).
- Prevent sftp from crashing when given a "-" without a command. Also,
allow whitespace to follow a "-" (closes: #531561).
Diffstat (limited to 'authfd.c')
| -rw-r--r-- | authfd.c | 24 |
1 files changed, 22 insertions, 2 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: authfd.c,v 1.80 2006/08/03 03:34:41 deraadt Exp $ */ | 1 | /* $OpenBSD: authfd.c,v 1.82 2010/02/26 20:29:54 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -483,6 +483,16 @@ ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment) | |||
| 483 | buffer_put_bignum2(b, key->rsa->p); | 483 | buffer_put_bignum2(b, key->rsa->p); |
| 484 | buffer_put_bignum2(b, key->rsa->q); | 484 | buffer_put_bignum2(b, key->rsa->q); |
| 485 | break; | 485 | break; |
| 486 | case KEY_RSA_CERT: | ||
| 487 | if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) | ||
| 488 | fatal("%s: no cert/certblob", __func__); | ||
| 489 | buffer_put_string(b, buffer_ptr(&key->cert->certblob), | ||
| 490 | buffer_len(&key->cert->certblob)); | ||
| 491 | buffer_put_bignum2(b, key->rsa->d); | ||
| 492 | buffer_put_bignum2(b, key->rsa->iqmp); | ||
| 493 | buffer_put_bignum2(b, key->rsa->p); | ||
| 494 | buffer_put_bignum2(b, key->rsa->q); | ||
| 495 | break; | ||
| 486 | case KEY_DSA: | 496 | case KEY_DSA: |
| 487 | buffer_put_bignum2(b, key->dsa->p); | 497 | buffer_put_bignum2(b, key->dsa->p); |
| 488 | buffer_put_bignum2(b, key->dsa->q); | 498 | buffer_put_bignum2(b, key->dsa->q); |
| @@ -490,6 +500,13 @@ ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment) | |||
| 490 | buffer_put_bignum2(b, key->dsa->pub_key); | 500 | buffer_put_bignum2(b, key->dsa->pub_key); |
| 491 | buffer_put_bignum2(b, key->dsa->priv_key); | 501 | buffer_put_bignum2(b, key->dsa->priv_key); |
| 492 | break; | 502 | break; |
| 503 | case KEY_DSA_CERT: | ||
| 504 | if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) | ||
| 505 | fatal("%s: no cert/certblob", __func__); | ||
| 506 | buffer_put_string(b, buffer_ptr(&key->cert->certblob), | ||
| 507 | buffer_len(&key->cert->certblob)); | ||
| 508 | buffer_put_bignum2(b, key->dsa->priv_key); | ||
| 509 | break; | ||
| 493 | } | 510 | } |
| 494 | buffer_put_cstring(b, comment); | 511 | buffer_put_cstring(b, comment); |
| 495 | } | 512 | } |
| @@ -517,7 +534,9 @@ ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key, | |||
| 517 | ssh_encode_identity_rsa1(&msg, key->rsa, comment); | 534 | ssh_encode_identity_rsa1(&msg, key->rsa, comment); |
| 518 | break; | 535 | break; |
| 519 | case KEY_RSA: | 536 | case KEY_RSA: |
| 537 | case KEY_RSA_CERT: | ||
| 520 | case KEY_DSA: | 538 | case KEY_DSA: |
| 539 | case KEY_DSA_CERT: | ||
| 521 | type = constrained ? | 540 | type = constrained ? |
| 522 | SSH2_AGENTC_ADD_ID_CONSTRAINED : | 541 | SSH2_AGENTC_ADD_ID_CONSTRAINED : |
| 523 | SSH2_AGENTC_ADD_IDENTITY; | 542 | SSH2_AGENTC_ADD_IDENTITY; |
| @@ -565,7 +584,8 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key) | |||
| 565 | buffer_put_int(&msg, BN_num_bits(key->rsa->n)); | 584 | buffer_put_int(&msg, BN_num_bits(key->rsa->n)); |
| 566 | buffer_put_bignum(&msg, key->rsa->e); | 585 | buffer_put_bignum(&msg, key->rsa->e); |
| 567 | buffer_put_bignum(&msg, key->rsa->n); | 586 | buffer_put_bignum(&msg, key->rsa->n); |
| 568 | } else if (key->type == KEY_DSA || key->type == KEY_RSA) { | 587 | } else if (key_type_plain(key->type) == KEY_DSA || |
| 588 | key_type_plain(key->type) == KEY_RSA) { | ||
| 569 | key_to_blob(key, &blob, &blen); | 589 | key_to_blob(key, &blob, &blen); |
| 570 | buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY); | 590 | buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY); |
| 571 | buffer_put_string(&msg, blob, blen); | 591 | buffer_put_string(&msg, blob, blen); |