Age | Commit message | Author |
|
- djm@cvs.openbsd.org 2010/04/16 01:58:45
[regress/cert-hostkey.sh regress/cert-userkey.sh]
regression tests for v01 certificate format
includes interop tests for v00 certs
|
|
[sshconnect.c]
oops, %r => remote username, not %u
|
|
[ssh-keygen.1 ssh-keygen.c]
tweak previous; ok djm
|
|
- jmc@cvs.openbsd.org 2010/04/16 06:45:01
[ssh_config.5]
tweak previous; ok djm
|
|
[PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c]
[auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c]
[ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c]
[sshconnect.c sshconnect2.c sshd.c]
revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the
following changes:
move the nonce field to the beginning of the certificate where it can
better protect against chosen-prefix attacks on the signature hash
Rename "constraints" field to "critical options"
Add a new non-critical "extensions" field
Add a serial number
The older format is still supported for authentication and cert generation
(use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)
ok markus@
|
|
[ssh-pkcs11.c]
retry lookup for private key if there's no matching key with CKA_SIGN
attribute enabled; this fixes MuscleCard support (bugzilla #1736)
ok djm@
|
|
[ssh_config.5 sshconnect.c]
expand %r => remote username in ssh_config:ProxyCommand;
ok deraadt markus
|
|
[mux.c]
fix NULL dereference; from matthew.haub AT alumni.adelaide.edu.au
|
|
[sshconnect2.c]
show the key type that we are offering in debug(), helps distinguish
between certs and plain keys as the path to the private key is usually
the same.
|
|
[clientloop.c]
bz#1698: kill channel when pty allocation requests fail. Fixed
stuck client if the server refuses pty allocation.
ok dtucker@ "think so" markus@
|
|
[sshconnect.c]
fix terminology: we didn't find a certificate in known_hosts, we found
a CA key
|
|
[ssh.c]
bz#1746 - suppress spurious tty warning when using -O and stdin
is not a tty; ok dtucker@ markus@
|
|
[ssh_config.5]
tweak previous; ok dtucker
|
|
[ssh.1]
tweak previous;
|
|
- djm@cvs.openbsd.org 2010/03/26 03:13:17
[bufaux.c]
allow buffer_get_int_ret/buffer_get_int64_ret to take a NULL pointer
argument to allow skipping past values in a buffer
|
|
|
|
back so we disable the IPv6 tests if we don't have it.
|
|
utmpx support on FreeBSD where possible. Patch from Ed Schouten, ok djm@
|
|
have it and the path is not provided to --with-libedit. Based on a patch
from Iain Morgan.
|
|
ones. Based on a patch from Roumen Petrov.
|
|
[ssh_config.5]
Reformat default value of PreferredAuthentications entry (current
formatting implies ", " is acceptable as a separator, which it's not).
ok djm@
|
|
[ssh.1]
mention that -S none disables connection sharing; from Colin Watson
|
|
bz#1723 patch from Adeodato Simó via Colin Watson; ok dtucker@
|
|
pkg-config, patch from Colin Watson. Needed for newer linkers (ie gold).
|
|
ok dtucker@
|
|
set up SELinux execution context before chroot() call. From Russell
Coker via Colin Watson; bz#1726 ok dtucker@
|
|
[servconf.c]
from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@
|
|
by Ingo Weinhold via Scott McCreary, ok djm@
|
|
for arc4random_buf() and arc4random_uniform(); from Josh Gilkerson
|
|
containing the services file explicitly case-insensitive. This allows to
tweak the Windows services file reliably. Patch from vinschen at redhat.
|
|
[contrib/suse/openssh.spec] Crank version numbers
|
|
[version.h]
crank version to openssh-5.5 since we have a few fixes since 5.4;
requested deraadt@ kettenis@
|
|
[auth-options.c]
spelling in error message. ok djm kettenis
|
|
[key.c key.h ssh-keygen.c]
also print certificate type (user or host) for ssh-keygen -L
ok djm kettenis
|
|
[ssh-keygen.1]
fix a formatting error (args need quoted); noted by stevesk
|
|
[ssh-keygen.1]
Certificates are named *-cert.pub, not *_cert.pub; committing a diff
from stevesk@ ok me
|
|
[clientloop.c]
protocol conformance fix: send language tag when disconnecting normally;
spotted by 1.41421 AT gmail.com, ok markus@ deraadt@
|
|
[servconf.c]
do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()
|
|
[servconf.c]
unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@
|
|
[auth2-pubkey.c]
correct certificate logging and make it more consistent between
authorized_keys and TrustedCAKeys; ok markus@
|
|
[ssh-keygen.1]
typos; from Ross Richardson
closes prs 6334 and 6335
|
|
[ssh-keygen.1]
sort the list of constraints (to -O); ok djm
|
|
ssh-pkcs11-helper to repair static builds (we do the same for
ssh-keyscan). Reported by felix-mindrot AT fefe.de
|
|
compilation failure when !HAVE_DLOPEN. Reported by felix-mindrot
AT fefe.de
|
|
on a Cygwin installation. Patch from Corinna Vinschen.
|
|
Patch from Corinna Vinschen.
|
|
make $(datadir)
|
|
report by imorgan AT nas.nasa.gov
|
|
so setting it in CFLAGS correctly skips IPv6 tests.
|
|
[ssh-keygen.1]
document permit-agent-forwarding certificate constraint; patch from
stevesk@
|