summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2010-05-10 - djm@cvs.openbsd.org 2010/05/07 11:30:30Damien Miller
[auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c] [key.c servconf.c servconf.h sshd.8 sshd_config.5] add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable. When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option. For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names. If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply. These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates. feedback and ok markus@
2010-05-10 - dtucker@cvs.openbsd.org 2010/05/05 04:22:09Damien Miller
[sftp.c] restore mput and mget which got lost in the tab-completion changes. found by Kenneth Whitaker, ok djm@
2010-05-10 - djm@cvs.openbsd.org 2010/05/01 02:50:50Damien Miller
[PROTOCOL.certkeys] typo; jmeltzer@
2010-05-10 - djm@cvs.openbsd.org 2010/04/26 22:28:24Damien Miller
[sshconnect2.c] bz#1502: authctxt.success is declared as an int, but passed by reference to function that accepts sig_atomic_t*. Convert it to the latter; ok markus@ dtucker@
2010-05-10 - djm@cvs.openbsd.org 2010/04/23 22:48:31Damien Miller
[ssh-keygen.c] refuse to generate keys longer than OPENSSL_[RD]SA_MAX_MODULUS_BITS, since we would refuse to use them anyway. bz#1516; ok dtucker@
2010-05-10 - djm@cvs.openbsd.org 2010/04/23 22:42:05Damien Miller
[session.c] set stderr to /dev/null for subsystems rather than just closing it. avoids hangs if a subsystem or shell initialisation writes to stderr. bz#1750; ok markus@
2010-05-10 - djm@cvs.openbsd.org 2010/04/23 22:27:38Damien Miller
[mux.c] set "detach_close" flag when registering channel cleanup callbacks. This causes the channel to close normally when its fds close and hangs when terminating a mux slave using ~. bz#1758; ok markus@
2010-05-10 - OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2010/04/23 01:47:41 [ssh-keygen.c] bz#1740: display a more helpful error message when $HOME is inaccessible while trying to create .ssh directory. Based on patch from jchadima AT redhat.com; ok dtucker@
2010-04-23 - (dtucker) [configure.ac] Bug #1756: Check for the existence of a lib64 dirDarren Tucker
in the openssl install directory (some newer openssl versions do this on at least some amd64 platforms).
2010-04-18 - (dtucker) [contrib/aix/buildbff.sh] Fix creation of ssh_prng_cmds.defaultDarren Tucker
file.
2010-04-18 - OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2010/04/16 01:58:45 [regress/cert-hostkey.sh regress/cert-userkey.sh] regression tests for v01 certificate format includes interop tests for v00 certs
2010-04-18 - djm@cvs.openbsd.org 2010/04/16 21:14:27Damien Miller
[sshconnect.c] oops, %r => remote username, not %u
2010-04-18 - jmc@cvs.openbsd.org 2010/04/16 06:47:04Damien Miller
[ssh-keygen.1 ssh-keygen.c] tweak previous; ok djm
2010-04-18 - OpenBSD CVS SyncDamien Miller
- jmc@cvs.openbsd.org 2010/04/16 06:45:01 [ssh_config.5] tweak previous; ok djm
2010-04-16 - djm@cvs.openbsd.org 2010/04/16 01:47:26Damien Miller
[PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c] [auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c] [ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c] [sshconnect.c sshconnect2.c sshd.c] revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the following changes: move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash Rename "constraints" field to "critical options" Add a new non-critical "extensions" field Add a serial number The older format is still support for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate) ok markus@
2010-04-16 - markus@cvs.openbsd.org 2010/04/15 20:32:55Damien Miller
[ssh-pkcs11.c] retry lookup for private key if there's no matching key with CKA_SIGN attribute enabled; this fixes fixes MuscleCard support (bugzilla #1736) ok djm@
2010-04-16 - djm@cvs.openbsd.org 2010/04/14 22:27:42Damien Miller
[ssh_config.5 sshconnect.c] expand %r => remote username in ssh_config:ProxyCommand; ok deraadt markus
2010-04-16 - djm@cvs.openbsd.org 2010/04/10 05:48:16Damien Miller
[mux.c] fix NULL dereference; from matthew.haub AT alumni.adelaide.edu.au
2010-04-16 - djm@cvs.openbsd.org 2010/04/10 02:10:56Damien Miller
[sshconnect2.c] show the key type that we are offering in debug(), helps distinguish between certs and plain keys as the path to the private key is usually the same.
2010-04-16 - djm@cvs.openbsd.org 2010/04/10 02:08:44Damien Miller
[clientloop.c] bz#1698: kill channel when pty allocation requests fail. Fixed stuck client if the server refuses pty allocation. ok dtucker@ "think so" markus@
2010-04-16 - djm@cvs.openbsd.org 2010/04/10 00:04:30Damien Miller
[sshconnect.c] fix terminology: we didn't find a certificate in known_hosts, we found a CA key
2010-04-16 - djm@cvs.openbsd.org 2010/04/10 00:00:16Damien Miller
[ssh.c] bz#1746 - suppress spurious tty warning when using -O and stdin is not a tty; ok dtucker@ markus@
2010-04-16 - jmc@cvs.openbsd.org 2010/03/27 14:26:55Damien Miller
[ssh_config.5] tweak previous; ok dtucker
2010-04-16 - jmc@cvs.openbsd.org 2010/03/26 06:54:36Damien Miller
[ssh.1] tweak previous;
2010-04-16 - OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2010/03/26 03:13:17 [bufaux.c] allow buffer_get_int_ret/buffer_get_int64_ret to take a NULL pointer argument to allow skipping past values in a buffer
2010-04-16openssh-5.5p1 markerDamien Miller
2010-04-10 - (dtucker) [configure.ac] Put the check for the existence of getaddrinfoDarren Tucker
back so we disable the IPv6 tests if we don't have it.
2010-04-09 - (dtucker) [configure.ac defines.h loginrec.c logintest.c] Bug #1732: enableDarren Tucker
utmpx support on FreeBSD where possible. Patch from Ed Schouten, ok djm@
2010-04-09 - (dtucker) [configure.ac] Bug #1744: use pkg-config for libedit flags if weDarren Tucker
have it and the path is not provided to --with-libedit. Based on a patch from Iain Morgan.
2010-04-09 - (dtucker) [contrib/cygwin/Makefile] Don't overwrite files with the wrongDarren Tucker
ones. Based on a patch from Roumen Petrov.
2010-03-26 - dtucker@cvs.openbsd.org 2010/03/26 01:06:13Darren Tucker
[ssh_config.5] Reformat default value of PreferredAuthentications entry (current formatting implies ", " is acceptable as a separator, which it's not. ok djm@
2010-03-26 - djm@cvs.openbsd.org 2010/03/26 00:26:58Damien Miller
[ssh.1] mention that -S none disables connection sharing; from Colin Watson
2010-03-26 - (djm) [contrib/ssh-copy-id] Don't blow up when the agent has no keys;Damien Miller
bz#1723 patch from Adeodato Simó via Colin Watson; ok dtucker@
2010-03-26 - (dtucker) Bug #1725: explicitly link libX11 into gnome-ssh-askpass2 usingDarren Tucker
pkg-config, patch from Colin Watson. Needed for newer linkers (ie gold).
2010-03-26 - (djm) [channels.c] Check for EPFNOSUPPORT as a socket() errno; bz#1721Damien Miller
ok dtucker@
2010-03-26 - (djm) [session.c] Allow ChrootDirectory to work on SELinux platforms -Damien Miller
set up SELinux execution context before chroot() call. From Russell Coker via Colin watson; bz#1726 ok dtucker@
2010-03-26 - djm@cvs.openbsd.org 2010/03/25 23:38:28Damien Miller
[servconf.c] from portable: getcwd(NULL, 0) doesn't work on all platforms, so use a stack buffer; ok dtucker@
2010-03-26 - (dtucker) [configure.ac] Bug #1741: Add section for Haiku, patch originallyDarren Tucker
by Ingo Weinhold via Scott McCreary, ok djm@
2010-03-26 - (djm) [openbsd-compat/bsd-arc4random.c] Fix preprocessor detectionDamien Miller
for arc4random_buf() and arc4random_uniform(); from Josh Gilkerson
2010-03-24 - (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directoryDarren Tucker
containing the services file explicitely case-insensitive. This allows to tweak the Windows services file reliably. Patch from vinschen at redhat.
2010-03-22 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]Damien Miller
[contrib/suse/openssh.spec] Crank version numbers
2010-03-22 - djm@cvs.openbsd.org 2010/03/16 16:36:49Damien Miller
[version.h] crank version to openssh-5.5 since we have a few fixes since 5.4; requested deraadt@ kettenis@
2010-03-22 - stevesk@cvs.openbsd.org 2010/03/16 15:46:52Damien Miller
[auth-options.c] spelling in error message. ok djm kettenis
2010-03-22 - stevesk@cvs.openbsd.org 2010/03/15 19:40:02Damien Miller
[key.c key.h ssh-keygen.c] also print certificate type (user or host) for ssh-keygen -L ok djm kettenis
2010-03-22 - jmc@cvs.openbsd.org 2010/03/13 23:38:13Damien Miller
[ssh-keygen.1] fix a formatting error (args need quoted); noted by stevesk
2010-03-22 - djm@cvs.openbsd.org 2010/03/13 21:45:46Damien Miller
[ssh-keygen.1] Certificates are named *-cert.pub, not *_cert.pub; committing a diff from stevesk@ ok me
2010-03-22 - djm@cvs.openbsd.org 2010/03/13 21:10:38Damien Miller
[clientloop.c] protocol conformance fix: send language tag when disconnecting normally; spotted by 1.41421 AT gmail.com, ok markus@ deraadt@
2010-03-22 - markus@cvs.openbsd.org 2010/03/12 11:37:40Damien Miller
[servconf.c] do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths free() (not xfree()) the buffer returned by getcwd()
2010-03-22 - djm@cvs.openbsd.org 2010/03/12 01:06:25Damien Miller
[servconf.c] unbreak AuthorizedKeys option with a $HOME-relative path; reported by vinschen AT redhat.com, ok dtucker@
2010-03-22 - djm@cvs.openbsd.org 2010/03/10 23:27:17Damien Miller
[auth2-pubkey.c] correct certificate logging and make it more consistent between authorized_keys and TrustedCAKeys; ok markus@