- djm@cvs.openbsd.org 2008/11/04 08:22:13

[auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h] [readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5] [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c] [Makefile.in] Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008. This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint. This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc). "just commit it. It isn't too intrusive." deraadt@
author: Damien Miller <djm@mindrot.org> 2008-11-05 16:20:46 +1100
committer: Damien Miller <djm@mindrot.org> 2008-11-05 16:20:46 +1100
commit: 01ed2272a1545336173bf3aef66fbccc3494c8d8 (patch)
tree: a77f115d3b8964f0b6fcc604f9dea87d15143d7e /ssh_config.5
parent: 6f66d34308af787613d5525729953665f26367ee (diff)
1 files changed, 13 insertions, 2 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 254940ef8..abc3b0b16 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.114 2008/10/17 18:36:24 stevesk Exp $
+.\" $OpenBSD: ssh_config.5,v 1.115 2008/11/04 08:22:13 djm Exp $
-.Dd $Mdocdate: October 17 2008 $
+.Dd $Mdocdate: November 4 2008 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -1079,6 +1079,17 @@ Specifies the full pathname of the
 program.
 The default is
 .Pa /usr/X11R6/bin/xauth .
+.It Cm ZeroKnowledgePasswordAuthentication
+Specifies whether to use zero knowledge password authentication.
+This authentication method avoids exposure of password to untrusted
+hosts.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+The default is currently
+.Dq no
+as this method is considered experimental.
 .El
 .Sh PATTERNS
 A
author	Damien Miller <djm@mindrot.org>	2008-11-05 16:20:46 +1100
committer	Damien Miller <djm@mindrot.org>	2008-11-05 16:20:46 +1100
commit	01ed2272a1545336173bf3aef66fbccc3494c8d8 (patch)
tree	a77f115d3b8964f0b6fcc604f9dea87d15143d7e /ssh_config.5
parent	6f66d34308af787613d5525729953665f26367ee (diff)

diff --git a/ssh_config.5 b/ssh_config.5 index 254940ef8..abc3b0b16 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -34,8 +34,8 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh_config.5,v 1.114 2008/10/17 18:36:24 stevesk Exp $	37	.\" $OpenBSD: ssh_config.5,v 1.115 2008/11/04 08:22:13 djm Exp $
38	.Dd $Mdocdate: October 17 2008 $	38	.Dd $Mdocdate: November 4 2008 $
39	.Dt SSH_CONFIG 5	39	.Dt SSH_CONFIG 5
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -1079,6 +1079,17 @@ Specifies the full pathname of the
1079	program.	1079	program.
1080	The default is	1080	The default is
1081	.Pa /usr/X11R6/bin/xauth .	1081	.Pa /usr/X11R6/bin/xauth .
		1082	.It Cm ZeroKnowledgePasswordAuthentication
		1083	Specifies whether to use zero knowledge password authentication.
		1084	This authentication method avoids exposure of password to untrusted
		1085	hosts.
		1086	The argument to this keyword must be
		1087	.Dq yes
		1088	or
		1089	.Dq no .
		1090	The default is currently
		1091	.Dq no
		1092	as this method is considered experimental.
1082	.El	1093	.El
1083	.Sh PATTERNS	1094	.Sh PATTERNS
1084	A	1095	A