summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2019-12-16upstream: adapt to ssh-sk-client changedjm@openbsd.org
OpenBSD-Regress-ID: 40481999a5928d635ab2e5b029e8239c112005ea
2019-12-16upstream: it's no longer possible to disable privilege separationdjm@openbsd.org
in sshd, so don't double the tests' work by trying both off/on OpenBSD-Regress-ID: d366665466dbd09e9b707305da884be3e7619c68
2019-12-16upstream: don't treat HostKeyAgent=none as a path either; avoidsdjm@openbsd.org
spurious warnings from the cfgparse regress test OpenBSD-Commit-ID: ba49ea7a5c92b8a16cb9c2e975dbb163853afc54
2019-12-16upstream: do not attempt to find an absolute path for sshd_configdjm@openbsd.org
SecurityKeyProvider=internal - unbreaks cfgparse regress test OpenBSD-Commit-ID: d2ddcf525c0dc3c8339522360c10b3c70f1fd641
2019-12-16upstream: allow ssh-keyscan to find security key hostkeysdjm@openbsd.org
OpenBSD-Commit-ID: 1fe822a7f714df19a7e7184e3a3bbfbf546811d3
2019-12-16upstream: allow security keys to act as host keys as well as userdjm@openbsd.org
keys. Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk. ok markus@ OpenBSD-Commit-ID: 77b068dd133b8d87e0f010987bd5131e640ee64c
2019-12-16Allow clock_nanosleep_time64 in seccomp sandbox.Darren Tucker
Needed on Linux ARM. bz#3100, patch from jjelen@redhat.com.
2019-12-15Put SK ECDSA bits inside ifdef OPENSSL_HAS_ECC.Darren Tucker
Fixes build when linking against OpenSSLs built with no-ec.
2019-12-14remove a bunch of ENABLE_SK #ifdefsDamien Miller
The ssh-sk-helper client API gives us a nice place to disable security key support when it is wasn't enabled at compile time, so we don't need to check everywere. Also, verification of security key signatures can remain enabled all the time - it has no additional dependencies. So sshd can accept security key pubkeys in authorized_keys, etc regardless of the host's support for dlopen, etc.
2019-12-14ssh-sk-client.c needs includes.hDamien Miller
2019-12-14only link ssh-sk-helper against libfido2Damien Miller
2019-12-14adapt Makefile to ssh-sk-client everywhereDamien Miller
2019-12-14fixupDamien Miller
2019-12-14upstream: actually commit the ssh-sk-helper client code; ok markusdjm@openbsd.org
OpenBSD-Commit-ID: fd2ea776a5bbbf4d452989d3c3054cf25a5e0589
2019-12-14upstream: perform security key enrollment via ssh-sk-helper too.djm@openbsd.org
This means that ssh-keygen no longer needs to link against ssh-sk-helper, and only ssh-sk-helper needs libfido2 and /dev/uhid* access; feedback & ok markus@ OpenBSD-Commit-ID: 9464233fab95708d2ff059f8bee29c0d1f270800
2019-12-14upstream: allow sshbuf_put_stringb(buf, NULL); ok markus@djm@openbsd.org
OpenBSD-Commit-ID: 91482c1ada9adb283165d48dafbb88ae91c657bd
2019-12-14upstream: use ssh-sk-helper for all security key signing operationsdjm@openbsd.org
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid* requested by, feedback and ok markus@ OpenBSD-Commit-ID: 1abcd3aea9a7460eccfbf8ca154cdfa62f1dc93f
2019-12-14upstream: add a note about the 'extensions' field in the signeddjm@openbsd.org
object OpenBSD-Commit-ID: 67c01e0565b258e0818c1ccfe1f1aeaf9a0d4c7b
2019-12-11upstream: some more corrections for documentation problems spotteddjm@openbsd.org
by Ron Frederick document certifiate private key format correct flags type for sk-ssh-ed25519@openssh.com keys OpenBSD-Commit-ID: fc4e9a1ed7f9f7f9dd83e2e2c59327912e933e74
2019-12-11upstream: loading security keys into ssh-agent used the extensiondjm@openbsd.org
constraint "sk-provider@openssh.com", not "sk@openssh.com"; spotted by Ron Frederick OpenBSD-Commit-ID: dbfba09edbe023abadd5f59c1492df9073b0e51d
2019-12-11upstream: add security key types to list of keys allowed to act asdjm@openbsd.org
CAs; spotted by Ron Frederick OpenBSD-Commit-ID: 9bb0dfff927b4f7aa70679f983f84c69d45656c3
2019-12-11upstream: when acting as a CA and using a security key as the CAdjm@openbsd.org
key, remind the user to touch they key to authorise the signature. OpenBSD-Commit-ID: fe58733edd367362f9766b526a8b56827cc439c1
2019-12-11upstream: chop some unnecessary and confusing verbiage from thedjm@openbsd.org
security key protocol description; feedback from Ron Frederick OpenBSD-Commit-ID: 048c9483027fbf9c995e5a51b3ac502989085a42
2019-12-11upstream: fix setting of $SSH_ASKPASS_PROMPT - it shouldn't be setdjm@openbsd.org
when asking passphrases, only when confirming the use of a key (i.e. for ssh-agent keys added with "ssh-add -c keyfile") OpenBSD-Commit-ID: 6643c82960d9427d5972eb702c917b3b838ecf89
2019-12-11upstream: bring the __func__djm@openbsd.org
OpenBSD-Commit-ID: 71a3a45b0fe1b8f680ff95cf264aa81f7abbff67
2019-12-11upstream: tweak the Nd lines for a bit of consistency; ok markusjmc@openbsd.org
OpenBSD-Commit-ID: 876651bdde06bc1e72dd4bd7ad599f42a6ce5a16
2019-12-11Check if memmem is declared in system headers.Darren Tucker
If the system (or one of the dependencies) implements memmem but does not define the header, we would not declare it either resulting in compiler warnings. Check for declaration explicitly. bz#3102.
2019-12-11Sort depends.Darren Tucker
2019-12-11Sort .depend when rebuilding.Darren Tucker
This makes diffs more stable between makedepend implementations.
2019-12-11Update depend to include sk files.Darren Tucker
2019-12-09Describe how to build libcrypto as PIC.Darren Tucker
While there, move the OpenSSL 1.1.0g caveat closer to the other version information.
2019-12-09Recommend running LibreSSL or OpenSSL self-tests.Darren Tucker
2019-12-06Wrap ECC specific bits in ifdef.Darren Tucker
Fixes tests when built against an OpenSSL configured with no-ec.
2019-11-29Wrap sha2.h include in ifdef.Darren Tucker
Fixes build --without-openssl on at least Fedora.
2019-11-29compile sk-dummy.so with no-PIE version of LDFLAGSDamien Miller
This lets it pick up the -L path to libcrypto for example.
2019-11-29includes.h for sk-dummy.c, dummyDamien Miller
2019-11-29(yet) another x-platform fix for sk-dummy.soDamien Miller
Check for -fPIC support from compiler Compile libopenbsd-compat -fPIC Don't mix -fPIE and -fPIC when compiling
2019-11-29needs includes.h for WITH_OPENSSLDamien Miller
2019-11-29another attempt at sk-dummy.so working x-platformDamien Miller
include a fatal() implementation to satisfy libopenbsd-compat clean up .lo and .so files .gitignore .lo and .so files
2019-11-29upstream: lots of dependencies go away here with ed25519 no longerdjm@openbsd.org
needing the ssh_digest API. OpenBSD-Regress-ID: 785847ec78cb580d141e29abce351a436d6b5d49
2019-11-29upstream: perform hashing directly in crypto_hash_sha512() usingdjm@openbsd.org
libcrypto or libc SHA512 functions rather than calling ssh_digest_memory(); avoids many dependencies on ssh code that complicate standalone use of ed25519, as we want to do in sk-dummy.so OpenBSD-Commit-ID: 5a3c37593d3ba7add037b587cec44aaea088496d
2019-11-29upstream: improve the text for -A a little; input from naddy andjmc@openbsd.org
djm OpenBSD-Commit-ID: f9cdfb1d6dbb9887c4bf3bb25f9c7a94294c988d
2019-11-29upstream: reshuffle the text to read better; input from naddy,jmc@openbsd.org
djmc, and dtucker OpenBSD-Commit-ID: a0b2aca2b67614dda3d6618ea097bf0610c35013
2019-11-28$< doesn't work as` I thought; explicily list objsDamien Miller
2019-11-28upstream: tweak wordingdjm@openbsd.org
OpenBSD-Commit-ID: bd002ca1599b71331faca735ff5f6de29e32222e
2019-11-28missing .SUFFIXES line makes make sadDamien Miller
2019-11-28(hopefully) fix out of tree builds of sk-dummy.soDamien Miller
2019-11-28upstream: remove stray semicolon after closing brace of function;djm@openbsd.org
from Michael Forney OpenBSD-Commit-ID: fda95acb799bb160d15e205ee126117cf33da3a7
2019-11-28upstream: Revert previous commit. The channels code still uses intdtucker@openbsd.org
in many places for channel ids so the INT_MAX check still makes sense. OpenBSD-Commit-ID: 532e4b644791b826956c3c61d6ac6da39bac84bf
2019-11-27wire sk-dummy.so into test suiteDamien Miller