Age | Commit message | Author
2013-01-09 | - djm@cvs.openbsd.org 2013/01/03 12:49:01 [PROTOCOL] fix description of MAC calculation for EtM modes; ok markus@ | Damien Miller
2013-01-09 | - djm@cvs.openbsd.org 2013/01/03 05:49:36 [servconf.h] add a couple of ServerOptions members that should be copied to the privsep child (for consistency, in this case they happen only to be accessed in the monitor); ok dtucker@ | Damien Miller
2013-01-09 | - djm@cvs.openbsd.org 2013/01/02 00:33:49 [PROTOCOL.agent] correct format description for SSH_AGENTC_ADD_RSA_ID_CONSTRAINED bz#2051 from david AT lechnology.com | Damien Miller
2013-01-09 | - djm@cvs.openbsd.org 2013/01/02 00:32:07 [clientloop.c mux.c] channel_setup_local_fwd_listener() returns 0 on failure, not -ve bz#2055 reported by mathieu.lacage AT gmail.com | Damien Miller
2013-01-09 | - dtucker@cvs.openbsd.org 2012/12/14 05:26:43 [auth.c] use correct string in error message; from rustybsd at gmx.fr | Damien Miller
2012-12-17 | - (dtucker) [Makefile.in] Add some scaffolding so that the new regress tests will work with VPATH directories. | Darren Tucker
2012-12-13 | - (djm) [cipher.c] Fix missing prototype for compat code | Damien Miller
2012-12-13 | - (djm) [configure.ac cipher-ctr.c] Adapt EVP AES CTR change to retain our compat code for older OpenSSL | Damien Miller
2012-12-13 | - markus@cvs.openbsd.org 2012/12/12 16:45:52 [packet.c] reset incoming_packet buffer for each new packet in EtM-case, too; this happens if packets are parsed only partially (e.g. ignore messages sent when su/sudo turn off echo); noted by sthen/millert | Damien Miller
2012-12-12 | - (djm) [regress/Makefile] fix t-exec rule | Damien Miller
2012-12-12 | - (djm) [regress/integrity.sh] Fix awk quoting, packet length skip | Damien Miller
2012-12-12 | - (djm) [regress/Makefile regress/integrity.sh] Make the integrity.sh test work on platforms without 'jot' | Damien Miller
2012-12-12 | - (djm) [mac.c] fix merge botch | Damien Miller
2012-12-12 | - markus@cvs.openbsd.org 2012/12/11 23:12:13 [try-ciphers.sh] add hmac-ripemd160-etm@openssh.com | Damien Miller
2012-12-12 | - markus@cvs.openbsd.org 2012/12/11 22:42:11 [regress/Makefile regress/modpipe.c regress/integrity.sh] test the integrity of the packets; with djm@ | Damien Miller
2012-12-12 | - markus@cvs.openbsd.org 2012/12/11 22:32:56 [regress/try-ciphers.sh] add etm modes | Damien Miller
2012-12-12 | - sthen@cvs.openbsd.org 2012/12/11 22:51:45 [mac.c] fix typo, s/tem/etm in hmac-ripemd160-tem. ok markus@ | Damien Miller
2012-12-12 | - markus@cvs.openbsd.org 2012/12/11 22:31:18 [PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h] [packet.c ssh_config.5 sshd_config.5] add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@ | Damien Miller
2012-12-12 | - markus@cvs.openbsd.org 2012/12/11 22:16:21 [monitor.c] drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@ | Damien Miller
2012-12-07 | - dtucker@cvs.openbsd.org 2012/12/07 01:51:35 [serverloop.c] Cast signal to int for logging. A no-op on openbsd (they're always ints) but will prevent warnings in portable. ok djm@ | Darren Tucker
2012-12-07 | - markus@cvs.openbsd.org 2012/12/05 15:42:52 [ssh-add.c] prevent double-free of comment; ok djm@ | Darren Tucker
2012-12-07 | - jmc@cvs.openbsd.org 2012/12/03 08:33:03 [ssh-add.1 sshd_config.5] tweak previous; | Darren Tucker
2012-12-07 | - dtucker@cvs.openbsd.org 2012/12/06 06:06:54 [regress/keys-command.sh] Fix some problems with the keys-command test: - use string comparison rather than numeric comparison - check for existing KEY_COMMAND file and don't clobber if it exists - clean up KEY_COMMAND file if we do create it. - check that KEY_COMMAND is executable (which it won't be if eg /var/run is mounted noexec). ok djm. | Darren Tucker
2012-12-04 | 20121205 - (tim) [defines.h] Some platforms are missing ULLONG_MAX. Feedback djm@. | Tim Rice
2012-12-03 | - (djm) [configure.ac] Revert previous. configure.ac already does this for us. | Damien Miller
2012-12-03 | - (djm) [configure.ac] Turn on -g for gcc compilers. Helps pre-installation debugging. ok dtucker@ | Damien Miller
2012-12-03 | - djm@cvs.openbsd.org 2012/12/03 00:14:06 [auth2-chall.c ssh-keygen.c] Fix compilation with -Wall -Werror (trivial type fixes) | Damien Miller
2012-12-03 | - djm@cvs.openbsd.org 2012/12/02 20:47:48 [Makefile regress/forward-control.sh] regress for AllowTcpForwarding local/remote; ok markus@ | Damien Miller
2012-12-03 | - djm@cvs.openbsd.org 2012/11/22 22:49:30 [regress/Makefile regress/keys-command.sh] regress for AuthorizedKeysCommand; hints from markus@ | Damien Miller
2012-12-03 | - djm@cvs.openbsd.org 2012/10/19 05:10:42 [regress/cert-userkey.sh] include a serial number when generating certs | Damien Miller
2012-12-03 | - dtucker@cvs.openbsd.org 2012/10/05 02:20:48 [regress/cipher-speed.sh regress/try-ciphers.sh] Add umac-128@openssh.com to the list of MACs to be tested | Damien Miller
2012-12-03 | - dtucker@cvs.openbsd.org 2012/10/05 02:05:30 [regress/multiplex.sh] Use 'kill -0' to test for the presence of a pid since it's more portable | Damien Miller
2012-12-03 | - djm@cvs.openbsd.org 2012/12/02 20:34:10 [auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c] [monitor.c monitor.h] Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state. Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive. Fix multiple authentication when one of the methods is keyboard-interactive. ok markus@ | Damien Miller
2012-12-03 | - djm@cvs.openbsd.org 2012/12/02 20:46:11 [auth-options.c channels.c servconf.c servconf.h serverloop.c session.c] [sshd_config.5] make AllowTcpForwarding accept "local" and "remote" in addition to its current "yes"/"no" to allow the server to specify whether just local or remote TCP forwarding is enabled. ok markus@ | Damien Miller
2012-12-03 | - djm@cvs.openbsd.org 2012/12/02 20:42:15 [ssh-add.1 ssh-add.c] make deleting explicit keys "ssh-add -d" symmetric with adding keys - try to delete the corresponding certificate too and respect the -k option to allow deleting of the key only; feedback and ok markus@ | Damien Miller
2012-12-03 | - djm@cvs.openbsd.org 2012/12/02 20:26:11 [ssh_config.5 sshconnect2.c] Make IdentitiesOnly apply to keys obtained from a PKCS11Provider. This allows control of which keys are offered from tokens using IdentityFile. ok markus@ | Damien Miller
2012-12-03 | - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD to get TAILQ_FOREACH_SAFE needed for upcoming changes. | Damien Miller
2012-11-14 | - djm@cvs.openbsd.org 2012/11/14 02:32:15 [ssh-keygen.c] allow the full range of unsigned serial numbers; 'fine' deraadt@ | Damien Miller
2012-11-14 | - djm@cvs.openbsd.org 2012/11/14 02:24:27 [auth2-pubkey.c] fix username passed to helper program prepare stdio fds before closefrom() spotted by landry@ | Damien Miller
2012-11-07 | - jmc@cvs.openbsd.org 2012/09/26 17:34:38 [moduli.5] last stage of rfc changes, using consistent Rs/Re blocks, and moving the references into a STANDARDS section; | Damien Miller
2012-11-07 | - eric@cvs.openbsd.org 2011/11/28 08:46:27 [moduli.5] fix formula ok djm@ | Damien Miller
2012-11-05 | - (dtucker) [auth2-pubkey.c] wrap paths.h in an ifdef for platforms that don't have it. Spotted by tim@. | Darren Tucker
2012-11-05 | - (dtucker) [uidswap.c openbsd-compat/Makefile.in openbsd-compat/bsd-setres_id.c openbsd-compat/bsd-setres_id.h openbsd-compat/openbsd-compat.h] Move the fallback code for setting uids and gids from uidswap.c to the compat library, which allows it to work with the new setresuid calls in auth2-pubkey. with tim@, ok djm@ | Darren Tucker
2012-11-04 | - djm@cvs.openbsd.org 2012/11/04 11:09:15 [auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c] [sshd_config.5] Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@ | Damien Miller
2012-11-04 | - djm@cvs.openbsd.org 2012/11/04 10:38:43 [auth2-pubkey.c sshd.c sshd_config.5] Remove default of AuthorizedCommandUser. Administrators are now expected to explicitly specify a user. feedback and ok markus@ | Damien Miller
2012-11-04 | - OpenBSD CVS Sync - jmc@cvs.openbsd.org 2012/10/31 08:04:50 [sshd_config.5] tweak previous; | Damien Miller
2012-10-31 | - djm@cvs.openbsd.org 2012/10/30 21:29:55 [auth-rsa.c auth.c auth.h auth2-pubkey.c servconf.c servconf.h] [sshd.c sshd_config sshd_config.5] new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another specified via a new AuthorizedKeysCommandUser option. patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@ | Damien Miller
2012-10-31 | - (djm) OpenBSD CVS Sync - markus@cvs.openbsd.org 2012/10/05 12:34:39 [sftp.c] fix signed vs unsigned warning; feedback & ok: djm@ | Damien Miller
2012-10-18 | - (tim) [buildpkg.sh.in] Double up on some backslashes so they end up in the generated file as intended. | Tim Rice
2012-10-05 | - [Makefile.in] "Using $< in a non-suffix rule context is a GNUmake idiom" | Darren Tucker