summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2020-01-21upstream: a little more verbosity in sign_and_send_pubkey() debugdjm@openbsd.org
messages OpenBSD-Commit-ID: 6da47a0e6373f6683006f49bc2a516d197655508
2020-01-21upstream: one more replacement "(security) key" -> "(FIDO)naddy@openbsd.org
authenticator" OpenBSD-Commit-ID: 031bca03c1d1f878ab929facd561911f1bc68dfd
2020-01-21upstream: undo merge error and replace the term "security key"naddy@openbsd.org
again OpenBSD-Commit-ID: 341749062c089cc360a7877e9ee3a887aecde395
2020-01-21upstream: Document loading of resident keys from a FIDOnaddy@openbsd.org
authenticator. * Rename -O to -K to keep "-O option" available. * Document -K. * Trim usage() message down to synopsis, like all other commands. ok markus@ OpenBSD-Commit-ID: 015c2c4b28f8e19107adc80351b44b23bca4c78a
2020-01-21upstream: sync ssh-keygen.1 and ssh-keygen's usage() with eachnaddy@openbsd.org
other and reality ok markus@ OpenBSD-Commit-ID: cdf64454f2c3604c25977c944e5b6262a3bcce92
2020-01-21upstream: revise the fix for reversed arguments onnaddy@openbsd.org
expand_proxy_command() Always put 'host' before 'host_arg' for consistency. ok markus@ djm@ OpenBSD-Commit-ID: 1ba5b25472779f1b1957295fcc6907bb961472a3
2020-01-21upstream: pass the log-on-stderr flag and log level through todjm@openbsd.org
ssh-sk-helper, making debugging a bit easier. ok markus@ OpenBSD-Commit-ID: 2e7aea6bf5770d3f38b7c7bba891069256c5a49a
2020-01-21Wrap copy_environment_blacklist() in #ifdefDamien Miller
It's only needed for USE_PAM or HAVE_CYGWIN cases and will cause compiler warnings otherwise.
2020-01-21dependDamien Miller
2020-01-21Fix missing prototype warning for copy_environmentRuben Kerkhof
This function is only used in this file, and only on Cygwin, so make it static and hide it behind HAVE_CYGWIN. Prevents missing prototype warning.
2020-01-21configure.ac: fix ldns testRuben Kerkhof
When running ./configure --with-ldns, if ldns-config cannot be found, we add -Iyes/include to CPPFLAGS and -Lyes/lib to LDFLAGS. Fix that.
2020-01-21Make sshpam_password_change_required static.Ruben Kerkhof
sshpam_password_change_required is only used in auth-pam.c, so make it static to prevent a mising prototype warning.
2020-01-21sandbox-darwin.c: fix missing prototypes.Ruben Kerkhof
Include the right header just like the other sandbox files. Fixes missing prototype warnings for ssh_sandbox_* functions.
2020-01-20Fix a few warnings when on Mac OS X.Ruben Kerkhof
Include stdlib.h for calloc, malloc, free and setenv.
2020-01-20Fix building without openssl.Ruben Kerkhof
This fixes the following when there are no openssl headers on the system: ssh-ecdsa-sk.c:34:10: fatal error: 'openssl/bn.h' file not found
2020-01-16Add config.log to .gitignoreRuben Kerkhof
2020-01-16Fix typo in README.md, s/crytpo/crypto/Ruben Kerkhof
2020-01-15Wrap stdint.h in ifdef HAVE_STDINT_H.Darren Tucker
2020-01-14Wrap stdint.h inside HAVE_STDINT_H.Darren Tucker
2020-01-14Include compat header for definitions.Darren Tucker
2020-01-14Improve search for 'struct timespec'.Darren Tucker
Make struct timespec test consistent with existing timeval test. Include time.h for timespec in compat header where required.
2020-01-14Update depend to remove rmd160.h.Darren Tucker
2020-01-14Remove configure test & compat code for ripemd160.Darren Tucker
RIPEMD160 support was removed upstream in 2017, however we still had a configure test and compat code for it, so clean those up now.
2020-01-09upstream: fix reversed arguments on expand_proxy_command(); spotteddjm@openbsd.org
by anton@ OpenBSD-Commit-ID: db1c32478a01dfbc9c4db171de0f25907bea5775
2020-01-09upstream: put the fido options in a list, and tidy up the text ajmc@openbsd.org
little; ok djm OpenBSD-Commit-ID: 491ce15ae52a88b7a6a2b3b6708a14b4aacdeebb
2020-01-08Deny (non-fatal) ipc in preauth privsep child.Jeremy Drake
As noted in openssh/openssh-portable#149, i386 does not have have _NR_shmget etc. Instead, it has a single ipc syscall (see man 2 ipc, https://linux.die.net/man/2/ipc). Add this syscall, if present, to the list of syscalls that seccomp will deny non-fatally.
2020-01-08seccomp: Allow clock_gettime64() in sandbox.Khem Raj
This helps sshd accept connections on mips platforms with upcoming glibc ( 2.31 )
2020-01-06upstream: missing else in check_enroll_options()djm@openbsd.org
OpenBSD-Commit-ID: e058fb918fda56ddbbf0bee910101004cec421d4
2020-01-06upstream: fix error messagedjm@openbsd.org
OpenBSD-Commit-ID: 1eb52025658eb78ea6223181e552862198d3d505
2020-01-06upstream: adapt sk-dummy to SK API changesdjm@openbsd.org
also, make it pull prototypes directly from sk-api.c and #error if the expected version changes. This will make any future regress test breakage because of SK API changes much more apparent OpenBSD-Regress-ID: 79b07055de4feb988e31da71a89051ad5969829d
2020-01-06upstream: Extends the SK API to accept a set of key/value optionsdjm@openbsd.org
for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each. At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier. feedback, fixes and ok markus@ OpenBSD-Commit-ID: 973ce11704609022ab36abbdeb6bc23c8001eabc
2020-01-06upstream: fix CanonicalizeHostname, broken by rev 1.507beck@openbsd.org
Issue noticed and reported by Pierre-Olivier Martel <pom@apple.com> ok dtucker@ markus@ djm@ OpenBSD-Commit-ID: 749f3168ec520609c35b0c4e1984e5fa47f16094
2020-01-06Fix typo: 'you' -> 'your'.Darren Tucker
bz#3108 from jmckitrick@gmail.com.
2020-01-06Remove auth-skey.c.Darren Tucker
S/Key support was removed in OpenSSH 7.8 but this file was missed.
2020-01-04upstream: the download resident keys option is -K (upper) not -kjmc@openbsd.org
(lower); ok djm OpenBSD-Commit-ID: 71dc28a3e1fa7c553844abc508845bcf5766e091
2020-01-04upstream: what bozo decided to use 2020 as a future date in a regressdjm@openbsd.org
test? OpenBSD-Regress-ID: 3b953df5a7e14081ff6cf495d4e8d40e153cbc3a
2020-01-03upstream: implement recent SK API change to support resident keysdjm@openbsd.org
and PIN prompting in the dummy middleware that we use for the tests. Should fix breakage spotted by dtucker@ OpenBSD-Regress-ID: 379cf9eabfea57aaf7f3f59dafde59889566c484
2020-01-03upstream: Update keygen moduli screen test to match recent commanddtucker@openbsd.org
line option change to ssh-keygen(1). OpenBSD-Regress-ID: 744a72755004377e9669b662c13c6aa9ead8a0c3
2020-01-03upstream: ability to download FIDO2 resident keys from a token viadjm@openbsd.org
"ssh-keygen -K". This will save public/private keys into the current directory. This is handy if you move a token between hosts. feedback & ok markus@ OpenBSD-Commit-ID: d57c1f9802f7850f00a117a1d36682a6c6d10da6
2020-01-03upstream: add sshkey_save_public(), to save a public key; okdjm@openbsd.org
markus@ OpenBSD-Commit-ID: 5d6f96a966d10d7fa689ff9aa9e1d6767ad5a076
2020-01-03upstream: simplify the list for moduli options - no need forjmc@openbsd.org
-compact; OpenBSD-Commit-ID: 6492c72280482c6d072be46236b365cb359fc280
2020-01-02ssh-sk-null.cc needs extern "C" {}Damien Miller
2020-01-02add dummy ssh-sk API for linking with fuzzersDamien Miller
2019-12-30refresh dependDamien Miller
2019-12-30upstream: Remove the -x option currently used fordjm@openbsd.org
FIDO/U2F-specific key flags. Instead these flags may be specified via -O. ok markus@ OpenBSD-Commit-ID: f23ebde2a8a7e1bf860a51055a711cffb8c328c1
2019-12-30upstream: document SK API changes in PROTOCOL.u2fdjm@openbsd.org
ok markus@ OpenBSD-Commit-ID: 52622363c103a3c4d3d546050480ffe978a32186
2019-12-30upstream: translate and return error codes; retry on bad PINdjm@openbsd.org
Define some well-known error codes in the SK API and pass them back via ssh-sk-helper. Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys. feedback and ok markus@ OpenBSD-Commit-ID: 9663c6a2bb7a0bc8deaccc6c30d9a2983b481620
2019-12-30upstream: improve some error messages; ok markus@djm@openbsd.org
OpenBSD-Commit-ID: 4ccd8ddabb8df4f995107dd3b7ea58220e93cb81
2019-12-30upstream: SK API and sk-helper error/PIN passingdjm@openbsd.org
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow. Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc. feedback and ok markus@ OpenBSD-Commit-ID: a1bd6b0a2421646919a0c139b8183ad76d28fb71
2019-12-30upstream: implement loading resident keys in ssh-adddjm@openbsd.org
"ssh-add -O" will load resident keys from a FIDO2 token and add them to a ssh-agent. feedback and ok markus@ OpenBSD-Commit-ID: 608104ae957a7d65cb84e0a3a26c8f60e0df3290