Age | Commit message (Collapse) | Author |
|
OpenBSD-Commit-ID: 10bbfb6607ebbb9a018dcd163f0964941adf58de
|
|
that the changes are validated by the existing trusted host key. Prompted by
espie@ feedback and ok markus@
OpenBSD-Commit-ID: b3d95f4a45f2692f4143b9e77bb241184dbb8dc5
|
|
Allow writing to disk the attestation certificate that is generated by
the FIDO token at key enrollment time. These certificates may be used
by an out-of-band workflow to prove that a particular key is held in
trustworthy hardware.
Allow passing in a challenge that will be sent to the card during
key enrollment. These are needed to build an attestation workflow
that resists replay attacks.
ok markus@
OpenBSD-Commit-ID: 457dc3c3d689ba39eed328f0817ed9b91a5f78f6
|
|
me" matthieu@
OpenBSD-Commit-ID: 60d7b5eb91accf935ed9852650a826d86db2ddc7
|
|
|
|
based on patch by veegish AT cyberstorm.mu
OpenBSD-Commit-ID: 9902bf4fbb4ea51de2193ac2b1d965bc5d99c425
|
|
djm@ sthen@
OpenBSD-Commit-ID: e5bcc45eadb78896637d4143d289f1e42c2ef5d7
|
|
OpenBSD-Regress-ID: 075a899a01bbf7781d38bf0b33d8366faaf6d3c0
|
|
This allows us to always define it if needed not just if we also
define the type ourself.
|
|
OpenBSD-Regress-ID: 075a899a01bbf7781d38bf0b33d8366faaf6d3c0
|
|
|
|
|
|
key types - just ignore them. spotted by and ok dtucker@
OpenBSD-Commit-ID: 91769e443f6197c983932fc8ae9d39948727d473
|
|
files to debug() as it was intended to be; spotted by dtucker@
OpenBSD-Commit-ID: 18cfea382cb52f2da761be524e309cc3d5354ef9
|
|
(e.g. host key confirmation) and not just password prompts.
OpenBSD-Commit-ID: 97b001883d89d3fb1620d2e6b747c14a26aa9818
|
|
sshbuf-io.c doesn't need SSHBUF_INTERNAL set
OpenBSD-Commit-ID: 27a724d2e0b2619c1a1490f44093bbd73580d9e6
|
|
|
|
making ssh-keygen be solely responsible for printing the error message and
convertint some more common error responses from the middleware to a useful
ssherr.h status code. more detail remains visible via -v of course.
also remove indepedent copy of sk-api.h declarations in sk-usbhid.c
and just include it.
feedback & ok markus@
OpenBSD-Commit-ID: a4a8ffa870d9a3e0cfd76544bcdeef5c9fb1f1bb
|
|
functions; feedback and ok markus@
OpenBSD-Commit-ID: dc09e5f1950b7acc91b8fdf8015347782d2ecd3d
|
|
we use; requested by markus@
OpenBSD-Commit-ID: 83a1f09810ffa3a96a55fbe32675b34ba739e56b
|
|
connection killing behaviour, rather than killing the connection after
sending the first liveness test probe (regardless of whether the client was
responsive) bz2627; ok markus
OpenBSD-Commit-ID: 5af79c35f4c9fa280643b6852f524bfcd9bccdaf
|
|
AllowGroups/DenyGroups; bz1690, ok markus@
OpenBSD-Commit-ID: 5637584ec30db9cf64822460f41b3e42c8f9facd
|
|
comment, add the key to the agent with the key's path as the comment. bz2564
OpenBSD-Commit-ID: 8dd8ca9340d7017631a27f4ed5358a4cfddec16f
|
|
OpenBSD-Commit-ID: a96f04d5e9c2ff760c6799579dc44f69b4ff431d
|
|
people found the wording confusing (bz#2560)
OpenBSD-Commit-ID: ac30896598694f07d498828690aecd424c496988
|
|
regards to known_hosts name privacy, it's not practical for this option to
offer any guarantee that hostnames cannot be recovered from a disclosed
known_hosts file (e.g. by brute force).
OpenBSD-Commit-ID: 13f1e3285f8acf7244e9770074296bcf446c6972
|
|
still confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258
OpenBSD-Commit-ID: e6bf0f0fbf1c7092bf0dbd9c6eab105970b5b53a
|
|
translation; prompted by bz3099
OpenBSD-Commit-ID: 0dda8e54d566b29855e76bebf9cfecce573f5c23
|
|
|
|
> revision 1.217
> date: 2019/11/27 03:34:04; author: dtucker; state: Exp; lines: +5 -7; commitid: wkiMn49XJyjzoJIs;
> Make channel_id u_int32_t and remove unnecessary check and cast that were
> left over from the type conversion. Noted by t-hashida@amiya.co.jp in
> bz#3098, ok markus@ djm@
Darren was right the first time; ok dtucker@ "agreed" markus@
OpenBSD-Commit-ID: 641dd1b99a6bbd85b7160da462ae1be83432c7c8
|
|
multiple tests, and in -portable we use our own local copy to avoid
portability problems.
OpenBSD-Regress-ID: ceb78445fcaac317bec2fc51b3f0d9589048c114
|
|
Fixes link error when building against an OpenSSL that does not have
ECC.
|
|
since on very slow hosts the current delay is not sufficient and the test
will fail.
OpenBSD-Regress-ID: 6d90c7475d67ac3a95610b64af700629ece51a48
|
|
caught the problem caused by ssh.c rev 1.507 wherein Host and Hostname were
swapped. Prompted by beck@
OpenBSD-Regress-ID: d218500ae6aca4c479c27318fb5b09ebc00f7aae
|
|
markus@
OpenBSD-Commit-ID: f09cb3177f3a14c96428e14f347e976a8a531fee
|
|
known_hosts files are in use. When updating host keys, ssh will now search
subsequent known_hosts files, but will add new/changed host keys to the first
specified file only. bz#2738
ok markus@
OpenBSD-Commit-ID: 6ded6d878a03e57d5aa20bab9c31f92e929dbc6c
|
|
avoids malicious client from being able to cause agent to load arbitrary
libraries into ssh-sk-helper.
reported by puck AT puckipedia.com; ok markus
OpenBSD-Commit-ID: 1086643df1b7eee4870825c687cf0c26a6145d1c
|
|
Extract the key label or X.509 subject string when PKCS#11 keys
are retrieved from the token and plumb this through to places where
it may be used as a comment.
based on https://github.com/openssh/openssh-portable/pull/138
by Danielle Church
feedback and ok markus@
OpenBSD-Commit-ID: cae1fda10d9e10971dea29520916e27cfec7ca35
|
|
frequently used to distinguish between multiple independent instances of the
server. New proctitle looks like this:
$ pgrep -lf sshd
12844 sshd: /usr/sbin/sshd -f /etc/ssh/sshd_config [listener] 0 of 10-100 startups
requested by sthen@ and aja@; ok aja@
OpenBSD-Commit-ID: cf235a561c655a3524a82003cf7244ecb48ccc1e
|
|
(reallocating as necessary). ok aja@ as part of a larger diff
OpenBSD-Commit-ID: 30796b50d330b3e0e201747fe40cdf9aa70a77f9
|
|
emit matched principals one per line to stdout rather than as comma-
separated and with a free-text preamble (easy confusion opportunity)
emit "not found" error to stderr
fix up argument testing for -Y operations and improve error message for
unsupported operations
OpenBSD-Commit-ID: 3d9c9a671ab07fc04a48f543edfa85eae77da69c
|
|
signature algorithms ok markus
OpenBSD-Commit-ID: da3481fca8c81e6951f319a86b7be67502237f57
|
|
a safe signature algorithm (rsa-sha-512) if not is explicitly specified by
the user; ok markus@
OpenBSD-Commit-ID: e05f638f0be6c0266e1d3d799716b461011e83a9
|
|
from Jakub Jelen ok markus@
OpenBSD-Commit-ID: a58edec8b9f07acab4b962a71a5125830d321b51
|
|
from Markus:
use "principals" instead of principal, as allowed_signers lines may list
multiple.
When the signing key is a certificate, emit only principals that match
the certificate principal list.
NB. the command -Y name changes: "find-principal" => "find-principals"
ok markus@
OpenBSD-Commit-ID: ab575946ff9a55624cd4e811bfd338bf3b1d0faf
|
|
OpenBSD-Regress-ID: 339d4cbae224bd8743ffad9c3afb0cf3cb66c357
|
|
optional.
OpenBSD-Regress-ID: 0af4fbc5168e62f89d0350de524bff1cb00e707a
|
|
OpenBSD-Commit-ID: d1d7a6553208bf439378fd1cf686a828aceb353a
|
|
(ie symlinks, where permissions are not relevant).
OpenBSD-Regress-ID: fb6cfc8b022becb62b2dcb99ed3f072b3326e501
|
|
|