summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2010-03-01 - (djm) [auth.c] On Cygwin, refuse usernames that have differences inDamien Miller
case from that matched in the system password database. On this platform, passwords are stored case-insensitively, but sshd requires exact case matching for Match blocks in sshd_config(5). Based on a patch from vinschen AT redhat.com.
2010-02-28 - (djm) [openbsd-compat/bsd-cygwin_util.c] Reduce the set of environmentDamien Miller
variables copied into sshd child processes. From vinschen AT redhat.com
2010-02-28- (djm) [ssh-pkcs11-helper.c ] Ensure RNG is initialised and seededDamien Miller
2010-02-27 - djm@cvs.openbsd.org 2010/02/26 20:33:21Damien Miller
[Makefile regress/cert-hostkey.sh regress/cert-userkey.sh] regression tests for certified keys
2010-02-27 - OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2010/02/26 20:29:54 [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c] [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c] [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c] [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c] [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c] [sshconnect2.c sshd.8 sshd.c sshd_config.5] Add support for certificate key types for users and hosts. OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy. Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as sh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details. Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details. Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys feedback and ok markus@
2010-02-24contrib/caldera/openssh.specDamien Miller
contrib/redhat/openssh.spec contrib/suse/openssh.spec
2010-02-24 - (djm) [Makefile.in ssh-pkcs11-helper.8] Add manpage for PKCS#11 helperDamien Miller
2010-02-24 - dtucker@cvs.openbsd.org 2009/11/09 04:20:04Damien Miller
[regress/Makefile keygen-convert.sh] add regression test for ssh-keygen pubkey conversions
2010-02-24 - markus@cvs.openbsd.org 2010/02/08 10:52:47Damien Miller
[regress/agent-pkcs11.sh] test for PKCS#11 support (currently disabled)
2010-02-24 - djm@cvs.openbsd.org 2010/02/24 06:21:56Damien Miller
[regress/test-exec.sh] wait for sshd to fully stop in cleanup() function; avoids races in tests that do multiple start_sshd/cleanup cycles; "I hate pidfiles" deraadt@
2010-02-24 - djm@cvs.openbsd.org 2010/02/09 06:29:02Damien Miller
[regress/Makefile] turn on all the malloc(3) checking options when running regression tests. this has caught a few bugs for me in the past; ok dtucker@
2010-02-24 - djm@cvs.openbsd.org 2010/02/09 04:57:36Damien Miller
[regress/addrmatch.sh] clean up droppings
2010-02-24 - dtucker@cvs.openbsd.org 2010/01/11 02:53:44Damien Miller
[regress/forwarding.sh] regress test for stdio forwarding
2010-02-24 - dtucker@cvs.openbsd.org 2009/11/09 04:20:04Damien Miller
[regress/Makefile] add regression test for ssh-keygen pubkey conversions
2010-02-24 - djm@cvs.openbsd.org 2010/02/11 20:37:47Damien Miller
[pathnames.h] correct comment
2010-02-24 - (djm) [pkcs11.h ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]Damien Miller
[ssh-pkcs11.h] Add $OpenBSD$ RCS idents so we can sync portable
2010-02-12- (djm) [configure.ac] Enable PKCS#11 support only when we find a workingDamien Miller
dlopen()
2010-02-12 - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]Damien Miller
Use ssh_get_progname to fill __progname
2010-02-12 - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]Damien Miller
Make it compile on OSX
2010-02-12 - (djm) [INSTALL Makefile.in README.smartcard configure.ac scard-opensc.c]Damien Miller
[scard.c scard.h pkcs11.h scard/Makefile.in scard/Ssh.bin.uu scard/Ssh.java] Remove obsolete smartcard support
2010-02-12 - jmc@cvs.openbsd.org 2010/02/11 13:23:29Damien Miller
[ssh.1] libarary -> library;
2010-02-12 - markus@cvs.openbsd.org 2010/02/10 23:20:38Damien Miller
[ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5] pkcs#11 is no longer optional; improve wording; ok jmc@
2010-02-12 - djm@cvs.openbsd.org 2010/02/09 06:18:46Damien Miller
[auth.c] unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
2010-02-12 - djm@cvs.openbsd.org 2010/02/09 03:56:28Damien Miller
[buffer.c buffer.h] constify the arguments to buffer_len, buffer_ptr and buffer_dump
2010-02-12 - djm@cvs.openbsd.org 2010/02/09 00:50:59Damien Miller
[ssh-keygen.c] fix -Wall
2010-02-12 - djm@cvs.openbsd.org 2010/02/09 00:50:36Damien Miller
[ssh-agent.c] fallout from PKCS#11: unbreak -D
2010-02-12 - jmc@cvs.openbsd.org 2010/02/08 22:03:05Damien Miller
[ssh-add.1 ssh-keygen.1 ssh.1 ssh.c] tweak previous; ok markus
2010-02-12 - markus@cvs.openbsd.org 2010/02/08 10:50:20Damien Miller
[pathnames.h readconf.c readconf.h scp.1 sftp.1 ssh-add.1 ssh-add.c] [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config.5] replace our obsolete smartcard code with PKCS#11. ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11 provider (shared library) while ssh-agent(1) delegates PKCS#11 to a forked a ssh-pkcs11-helper process. PKCS#11 is currently a compile time option. feedback and ok djm@; inspired by patches from Alon Bar-Lev `
2010-02-12 - djm@cvs.openbsd.org 2010/02/02 22:49:34Damien Miller
[bufaux.c] make buffer_get_string_ret() really non-fatal in all cases (it was using buffer_get_int(), which could fatal() on buffer empty); ok markus dtucker
2010-02-10 - (djm) add -lselinux to LIBS before calling AC_CHECK_FUNCS forDamien Miller
getseuserbyname; patch from calebcase AT gmail.com via cjwatson AT debian.org
2010-02-10This should have gone in with the multiplexing merge, but I dropped itDamien Miller
at the time.
2010-02-02 - djm@cvs.openbsd.org 2010/01/30 21:12:08Damien Miller
[channels.c] fake local addr:port when stdio fowarding as some servers (Tectia at least) validate that they are well-formed; reported by imorgan AT nas.nasa.gov ok dtucker
2010-02-02 - djm@cvs.openbsd.org 2010/01/30 21:08:33Damien Miller
[sshd.8] debug output goes to stderr, not "the system log"; ok markus dtucker
2010-01-30 - djm@cvs.openbsd.org 2010/01/30 02:54:53Damien Miller
[mux.c] don't mark channel as read failed if it is already closing; suppresses harmless error messages when connecting to SSH.COM Tectia server report by imorgan AT nas.nasa.gov
2010-01-30 - djm@cvs.openbsd.org 2010/01/29 20:16:17Damien Miller
[mux.c] kill correct channel (was killing already-dead mux channel, not its session channel)
2010-01-30 - djm@cvs.openbsd.org 2010/01/29 00:20:41Damien Miller
[sshd.c] set FD_CLOEXEC on sock_in/sock_out; bz#1706 from jchadima AT redhat.com ok dtucker@
2010-01-30 - djm@cvs.openbsd.org 2010/01/28 00:21:18Damien Miller
[clientloop.c] downgrade an error() to a debug() - this particular case can be hit in normal operation for certain sequences of mux slave vs session closure and is harmless
2010-01-29 - (dtucker) [openbsd-compat/openssl-compat.c] Bug #1707: Call OPENSSL_config()Darren Tucker
after registering the hardware engines, which causes the openssl.cnf file to be processed. See OpenSSL's man page for OPENSSL_config(3) for details. Patch from Solomon Peachy, ok djm@.
2010-01-28 - djm@cvs.openbsd.org 2010/01/27 19:21:39Damien Miller
[sftp.c] add missing "p" flag to getopt optstring; bz#1704 from imorgan AT nas.nasa.gov
2010-01-28 - djm@cvs.openbsd.org 2010/01/27 13:26:17Damien Miller
[mux.c] fix bug introduced in mux rewrite: In a mux master, when a socket to a mux slave closes before its server session (as may occur when the slave has been signalled), gracefully close the server session rather than deleting its channel immediately. A server may have more messages on that channel to send (e.g. an exit message) that will fatal() the client if they are sent to a channel that has been prematurely deleted. spotted by imorgan AT nas.nasa.gov
2010-01-28 - djm@cvs.openbsd.org 2010/01/26 02:15:20Damien Miller
[mux.c] -Wuninitialized and remove a // comment; from portable (Id sync only)
2010-01-26 - djm@cvs.openbsd.org 2010/01/26 01:28:35Damien Miller
[channels.c channels.h clientloop.c clientloop.h mux.c nchan.c ssh.c] rewrite ssh(1) multiplexing code to a more sensible protocol. The new multiplexing code uses channels for the listener and accepted control sockets to make the mux master non-blocking, so no stalls when processing messages from a slave. avoid use of fatal() in mux master protocol parsing so an errant slave process cannot take down a running master. implement requesting of port-forwards over multiplexed sessions. Any port forwards requested by the slave are added to those the master has established. add support for stdio forwarding ("ssh -W host:port ...") in mux slaves. document master/slave mux protocol so that other tools can use it to control a running ssh(1). Note: there are no guarantees that this protocol won't be incompatibly changed (though it is versioned). feedback Salvador Fandino, dtucker@ channel changes ok markus@
2010-01-26 - dtucker@cvs.openbsd.org 2010/01/18 01:50:27Damien Miller
[roaming_client.c] s/long long unsigned/unsigned long long/, from tim via portable (Id sync only, change already in portable)
2010-01-26 - tedu@cvs.openbsd.org 2010/01/17 21:49:09Damien Miller
[ssh-agent.1] Correct and clarify ssh-add's password asking behavior. Improved text dtucker and ok jmc
2010-01-22 - (tim) [configure.ac] Due to constraints in Windows Sockets in terms ofTim Rice
socket inheritance, reduce the default SO_RCVBUF/SO_SNDBUF buffer size in Cygwin to 65535. Patch from Corinna Vinschen.
2010-01-17Reword comment in last commit for additional clearity.Tim Rice
2010-01-17 - (tim) [configure.ac] Use the C99-conforming functions snprintf() andTim Rice
vsnprintf() named _xsnprintf() and _xvsnprintf() on SVR5 systems.
2010-01-17 - (tim) [configure.ac] OpenServer 5 needs BROKEN_GETADDRINFO too.Tim Rice
2010-01-17Oops, forgot to document second change to roaming_client.cTim Rice
s/long long unsigned/unsigned long long/ to keep USL compilers happy.
2010-01-16 - (tim) [roaming_client.c] Use of <sys/queue.h> is not really portable soTim Rice
we use "openbsd-compat/sys-queue.h"