Age  Commit message  (Author)
2008-06-14  - grunk@cvs.openbsd.org 2008/06/13 20:13:26  (Darren Tucker)
    [ssh.1] Explain the use of SSH fpr visualization using random art, and cite the original scientific paper inspiring that technique. Much help with English and nroff by jmc@, thanks.
2008-06-14  - dtucker@cvs.openbsd.org 2008/06/13 18:55:22  (Darren Tucker)
    [scp.c] Prevent -Wsign-compare warnings on LP64 systems. bz #1192, ok deraadt@
2008-06-14  - dtucker@cvs.openbsd.org 2008/06/13 17:21:20  (Darren Tucker)
    [mux.c] Friendlier error messages for mux fallback. ok djm@
2008-06-14  - dtucker@cvs.openbsd.org 2008/06/13 14:18:51  (Darren Tucker)
    [auth2-pubkey.c auth-rhosts.c] Include unistd.h for close(), prevents warnings in -portable
2008-06-14  - dtucker@cvs.openbsd.org 2008/06/13 13:56:59  (Darren Tucker)
    [monitor.c] Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm
2008-06-13  - deraadt@cvs.openbsd.org 2008/06/13 09:44:36  (Darren Tucker)
    [packet.c] compile on older gcc; no decl after code
2008-06-13  - (dtucker) [openbsd-compat/setenv.c] Make offsets size_t to prevent compiler warnings on some platforms. Based on a discussion with otto@  (Darren Tucker)
2008-06-13  - djm@cvs.openbsd.org 2008/06/13 04:40:22  (Darren Tucker)
    [auth2-pubkey.c auth-rhosts.c] refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not regular files; report from Solar Designer via Colin Watson in bz#1471 ok dtucker@ deraadt@
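Added example for the "regular files only" rule in the entry above. This is illustration written for this page, not the OpenSSH fix itself; the function names, the constructed /tmp path used by the self-check and the choice of EINVAL as the rejection error are this example's own. The point a practitioner should take away is the order of operations: open first, then fstat() the descriptor you actually hold, so a path cannot be swapped for a FIFO or device between the check and the read, and open with O_NONBLOCK so a FIFO does not park the daemon waiting for a writer.

```c
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Added example, not OpenSSH's own code: open a per-user file such as
 * ~/.ssh/authorized_keys and hand back a descriptor only if it names a
 * regular file. The type check uses fstat() on the descriptor that was
 * just opened, not stat() on the path, so the object cannot be swapped
 * between the check and the read. O_NONBLOCK makes open() return at
 * once if the path is a FIFO instead of hanging until a writer appears;
 * it is cleared again before the descriptor is returned.
 */
int open_regular_file(const char *path)
{
	struct stat st;
	int fd, saved;

	fd = open(path, O_RDONLY | O_NONBLOCK);
	if (fd < 0)
		return -1;
	if (fstat(fd, &st) < 0) {
		saved = errno;
		close(fd);
		errno = saved;
		return -1;
	}
	if (!S_ISREG(st.st_mode)) {
		/* directory, FIFO, device, socket, ...: refuse to read it */
		close(fd);
		errno = EINVAL;  /* error code is this example's own choice */
		return -1;
	}
	if (fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK) < 0) {
		saved = errno;
		close(fd);
		errno = saved;
		return -1;
	}
	return fd;
}

/* 1 if path would be accepted as a keys file, 0 otherwise. */
int is_acceptable_keys_file(const char *path)
{
	int fd = open_regular_file(path);

	if (fd < 0)
		return 0;
	close(fd);
	return 1;
}

/* Self-check: create a throwaway regular file under a constructed /tmp
 * name, verify it is accepted, remove it. Returns 1 if accepted. */
int tempfile_is_accepted(void)
{
	char name[64];
	int fd, ok;

	snprintf(name, sizeof(name), "/tmp/authorized_keys.demo.%ld", (long)getpid());
	fd = open(name, O_CREAT | O_EXCL | O_WRONLY, 0600);
	if (fd < 0)
		return 0;
	close(fd);
	ok = is_acceptable_keys_file(name);
	unlink(name);
	return ok;
}

int main(void)
{
	printf("/dev/null accepted: %d\n", is_acceptable_keys_file("/dev/null"));
	printf("/tmp accepted: %d\n", is_acceptable_keys_file("/tmp"));
	printf("fresh regular file accepted: %d\n", tempfile_is_accepted());
	return 0;
}
```

A character device and a directory are both refused; only the freshly created regular file passes.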
2008-06-13  - dtucker@cvs.openbsd.org 2008/06/13 01:38:23  (Darren Tucker)
    [misc.c] upcast uid to long with matching %ld, prevents warnings in portable
2008-06-13  - (dtucker) [umac.c] STORE_UINT32_REVERSED and endian_convert are never used on big endian machines, so ifdef them for little endian only to prevent unused function warnings.  (Darren Tucker)
2008-06-13  - (dtucker) [auth-sia.c] Bug #1241: support password expiry on Tru64 SIA systems. Patch from R. Scott Bailey.  (Darren Tucker)
2008-06-13  - dtucker@cvs.openbsd.org 2008/06/13 00:51:47  (Darren Tucker)
    [mac.c] upcast another size_t to u_long to match format
2008-06-13  - dtucker@cvs.openbsd.org 2008/06/13 00:47:53  (Darren Tucker)
    [mux.c] upcast size_t to u_long to match format arg; ok djm@
2008-06-13  - (dtucker) [defines.h] Bug #1112: __dead is, well dead. Based on a patch from Todd Vierling.  (Darren Tucker)
2008-06-13  - djm@cvs.openbsd.org 2008/06/13 00:16:49  (Darren Tucker)
    [mux.c] fall back to creating a new TCP connection on most multiplexing errors (socket connect fail, invalid version, refused permission, corrupted messages, etc.); bz #1329 ok dtucker@
2008-06-13  - dtucker@cvs.openbsd.org 2008/06/13 00:12:02  (Darren Tucker)
    [sftp.h log.h] replace __dead with __attribute__((noreturn)), makes things a little easier to port. Also, add it to sigdie(). ok djm@
2008-06-13  - ian@cvs.openbsd.org 2008/06/12 23:24:58  (Darren Tucker)
    [sshconnect.c] tweak wording in message, ok deraadt@ jmc@
2008-06-13  - grunk@cvs.openbsd.org 2008/06/12 22:03:36  (Darren Tucker)
    [key.c] add my copyright, ok djm@
2008-06-13  - grunk@cvs.openbsd.org 2008/06/12 21:14:46  (Darren Tucker)
    [ssh-keygen.c] make ssh-keygen -lf show the key type just as ssh-add -l would do it ok djm@ markus@
2008-06-13  - djm@cvs.openbsd.org 2008/06/12 21:06:25  (Darren Tucker)
    [clientloop.c] I was coalescing expected global request confirmation replies at the wrong end of the queue - fix; prompted by markus@
2008-06-13  - djm@cvs.openbsd.org 2008/06/12 20:47:04  (Darren Tucker)
    [sftp-client.c] print extension revisions for extensions that we understand
2008-06-13  - dtucker@cvs.openbsd.org 2008/06/12 20:38:28  (Darren Tucker)
    [sshd.c sshconnect.c packet.h misc.c misc.h packet.c] Make keepalive timeouts apply while waiting for a packet, particularly during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
2008-06-13  - jmc@cvs.openbsd.org 2008/06/12 19:10:09  (Darren Tucker)
    [ssh_config.5 ssh-keygen.1] tweak the ascii art text; ok grunk
2008-06-13  - (dtucker) [clientloop.c serverloop.c] channel_register_filter now takes 2 more args. with djm@  (Darren Tucker)
2008-06-13  - dtucker@cvs.openbsd.org 2008/06/12 16:35:31  (Darren Tucker)
    [ssh_config.5 ssh.c] keyword expansion for localcommand. ok djm@
2008-06-13  - djm@cvs.openbsd.org 2008/06/12 15:19:17  (Darren Tucker)
    [clientloop.h channels.h clientloop.c channels.c mux.c] The multiplexing escape char handler commit last night introduced a small memory leak per session; plug it.
2008-06-13  - grunk@cvs.openbsd.org 2008/06/12 06:32:59  (Darren Tucker)
    [key.c] We already mark the start of the worm, now also mark the end of the worm in our random art drawings. ok djm@
2008-06-13  - grunk@cvs.openbsd.org 2008/06/12 05:42:46  (Darren Tucker)
    [key.c] supply the key type (rsa1, rsa, dsa) as a caption in the frame of the random art. while there, stress the fact that the field base should at least be 8 characters for the pictures to make sense. comment and ok djm@
2008-06-13  - djm@cvs.openbsd.org 2008/06/12 05:32:30  (Darren Tucker)
    [mux.c] some more TODO for me
2008-06-13  - djm@cvs.openbsd.org 2008/06/12 05:15:41  (Darren Tucker)
    [PROTOCOL] document tun@openssh.com forwarding method
2008-06-13  - djm@cvs.openbsd.org 2008/06/12 04:24:06  (Darren Tucker)
    [ssh.c] thou shalt not code past the eightieth column
2008-06-13  - djm@cvs.openbsd.org 2008/06/12 04:17:47  (Darren Tucker)
    [clientloop.c] thou shalt not code past the eightieth column
2008-06-13  - djm@cvs.openbsd.org 2008/06/12 04:06:00  (Darren Tucker)
    [clientloop.h ssh.c clientloop.c] maintain an ordered queue of outstanding global requests that we expect replies to, similar to the per-channel confirmation queue. Use this queue to verify success or failure for remote forward establishment in a race free way. ok dtucker@
2008-06-13  - djm@cvs.openbsd.org 2008/06/12 03:40:52  (Darren Tucker)
    [clientloop.h mux.c channels.c clientloop.c channels.h] Enable ~ escapes for multiplex slave sessions; give each channel its own escape state and hook the escape filters up to muxed channels. bz #1331 Mux slaves do not currently support the ~^Z and ~& escapes. NB. this change cranks the mux protocol version, so a new ssh mux client will not be able to connect to a running old ssh mux master. ok dtucker@
2008-06-13  - otto@cvs.openbsd.org 2008/06/12 00:13:13  (Darren Tucker)
    [key.c] use an odd number of rows and columns and a separate start marker, looks better; ok grunk@
2008-06-13  - grunk@cvs.openbsd.org 2008/06/12 00:13:55  (Darren Tucker)
    [sshconnect.c] Make ssh print the random art also when ssh'ing to a host using IP only. spotted by naddy@, ok and help djm@ dtucker@
2008-06-13  - dtucker@cvs.openbsd.org 2008/06/12 00:03:49  (Darren Tucker)
    [dns.c canohost.c sshconnect.c] Do not pass "0" strings as ports to getaddrinfo because the lookups can slow things down and we never use the service info anyway. bz #859, patch from YOSHIFUJI Hideaki and John Devitofranceschi. ok deraadt@ djm@ djm believes that the reason for the "0" strings is to ensure that it's not possible to call getaddrinfo with both host and port being NULL. In the case of canohost.c host is a local array. In the case of sshconnect.c, it's checked for null immediately before use. In dns.c it ultimately comes from ssh.c:main() and is guaranteed to be non-null but it's not obvious, so I added a warning message in case it is ever passed a null.
2008-06-13  - grunk@cvs.openbsd.org 2008/06/11 23:51:57  (Darren Tucker)
    [key.c] #define statements that are not atoms need braces around them, else they will cause trouble in some cases. Also do a computation of -1 once, and not in a loop several times. spotted by otto@
2008-06-13  - grunk@cvs.openbsd.org 2008/06/11 23:03:56  (Darren Tucker)
    [ssh_config.5] CheckHostIP set to ``fingerprint'' will display both hex and random art spotted by naddy@
2008-06-13  - otto@cvs.openbsd.org 2008/06/11 23:02:22  (Darren Tucker)
    [key.c] simpler way of computing the augmentations; ok grunk@
2008-06-13  - grunk@cvs.openbsd.org 2008/06/11 22:20:46  (Darren Tucker)
    [ssh-keygen.c ssh-keygen.1] ssh-keygen would write fingerprints to STDOUT, and random art to STDERR, that is not how it was envisioned. Also correct manpage saying that -v is needed along with -l for it to work. spotted by naddy@
2008-06-13  - grunk@cvs.openbsd.org 2008/06/11 21:38:25  (Darren Tucker)
    [ssh-keygen.c] ssh-keygen -lv -f /etc/ssh/ssh_host_rsa_key.pub would not display the random art as intended, spotted by canacar@
2008-06-13  - grunk@cvs.openbsd.org 2008/06/11 21:01:35  (Darren Tucker)
    [ssh_config.5 key.h readconf.c readconf.h ssh-keygen.1 ssh-keygen.c key.c sshconnect.c] Introduce SSH Fingerprint ASCII Visualization, a technique inspired by the graphical hash visualization schemes known as "random art", and by Dan Kaminsky's musings on the subject during a BlackOp talk at the 23C3 in Berlin. Scientific publication (original paper): "Hash Visualization: a New Technique to improve Real-World Security", Perrig A. and Song D., 1999, International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99) http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf The algorithm used here is a worm crawling over a discrete plane, leaving a trace (augmenting the field) everywhere it goes. Movement is taken from dgst_raw 2bit-wise. Bumping into walls makes the respective movement vector be ignored for this turn, thus switching to the other color of the chessboard. Graphs are not unambiguous for now, because circles in graphs can be walked in either direction. discussions with several people, help, corrections and ok markus@ djm@
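Added example for the worm algorithm described in the entry above, together with the earlier entries on the odd-sized field and separate start marker (otto@), the end marker and the key-type caption in the frame (grunk@). This is example code written for this page, not OpenSSH's key.c. The 17 x 9 field (base 8, the minimum the message says the pictures need), the symbol ramp, the caption format, the buffer layout and the constructed digests are this example's own assumptions; the walk itself follows the message: two bits per move, bit 0 for left/right, bit 1 for up/down, a wall swallowing that component of the move, and every visited cell augmented by one.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Added example, not OpenSSH's key.c: the worm (also known as the
 * "drunken bishop") described in the commit message. The field is
 * 17 x 9 cells (base 8, with an odd number of rows and columns so the
 * start sits on a centre cell). Each digest byte yields four 2-bit
 * moves: bit 0 picks left/right, bit 1 picks up/down. A move that would
 * leave the field has that component clamped ("bumping into walls").
 * Every cell the worm lands on is augmented by one. The symbol ramp,
 * caption format and buffer layout are this example's own choices.
 */
#define FLDBASE    8
#define FLDSIZE_X  (FLDBASE * 2 + 1)   /* 17 columns */
#define FLDSIZE_Y  (FLDBASE + 1)       /* 9 rows */

/* index 0 = never visited; the last two symbols mark start and end */
static const char augmentation[] = " .o+=*BOX@%&#/^SE";
#define AUG_LEN    ((int)sizeof(augmentation) - 2)   /* 16: index of 'E' */

#define ART_LINE_LEN (FLDSIZE_X + 3)                  /* "|" + cells + "|\n" */
#define ART_BUFSIZE  (ART_LINE_LEN * (FLDSIZE_Y + 2) + 1)

/* Render dgst into out (ART_BUFSIZE bytes); caption goes in the top border. */
void randomart(const unsigned char *dgst, size_t dgst_len,
               const char *caption, char *out)
{
	unsigned char field[FLDSIZE_X][FLDSIZE_Y];
	int x = FLDSIZE_X / 2, y = FLDSIZE_Y / 2;
	int cx, cy, b, n;
	size_t i;
	char *p = out;

	memset(field, 0, sizeof(field));

	for (i = 0; i < dgst_len; i++) {
		unsigned int input = dgst[i];
		for (b = 0; b < 4; b++) {
			x += (input & 0x1) ? 1 : -1;
			y += (input & 0x2) ? 1 : -1;
			/* bumping into a wall: that component of the move is dropped */
			if (x < 0) x = 0;
			if (y < 0) y = 0;
			if (x > FLDSIZE_X - 1) x = FLDSIZE_X - 1;
			if (y > FLDSIZE_Y - 1) y = FLDSIZE_Y - 1;
			/* augment the cell, saturating below the S/E markers */
			if (field[x][y] < AUG_LEN - 2)
				field[x][y]++;
			input >>= 2;
		}
	}
	/* start and end markers overwrite whatever was drawn there */
	field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = (unsigned char)(AUG_LEN - 1);
	field[x][y] = (unsigned char)AUG_LEN;

	/* top border: "+--[caption]----...-+" padded to the field width */
	n = snprintf(p, FLDSIZE_X, "+--[%s]", caption);
	if (n > FLDSIZE_X - 1)
		n = FLDSIZE_X - 1;
	p += n;
	while (p - out < FLDSIZE_X + 1)
		*p++ = '-';
	*p++ = '+';
	*p++ = '\n';

	for (cy = 0; cy < FLDSIZE_Y; cy++) {
		*p++ = '|';
		for (cx = 0; cx < FLDSIZE_X; cx++)
			*p++ = augmentation[field[cx][cy]];
		*p++ = '|';
		*p++ = '\n';
	}

	*p++ = '+';
	for (cx = 0; cx < FLDSIZE_X; cx++)
		*p++ = '-';
	*p++ = '+';
	*p++ = '\n';
	*p = '\0';
}

/* Symbol drawn at field cell (x, y) for dgst; useful for checking the walk. */
char randomart_cell(const unsigned char *dgst, size_t dgst_len, int x, int y)
{
	char art[ART_BUFSIZE];

	randomart(dgst, dgst_len, "", art);
	return art[ART_LINE_LEN * (y + 1) + 1 + x];
}

/* Constructed inputs for demonstration, not hashes of real keys. */
static const unsigned char kZeroDigest[16] = { 0 };
static const unsigned char kStepDigest[2] = { 0x00, 0x55 };
static const unsigned char kSampleDigest[16] = {
	0x16, 0x27, 0xac, 0xa5, 0x76, 0x28, 0x2d, 0x36,
	0x63, 0x1b, 0x56, 0x4d, 0xeb, 0xdf, 0xa6, 0x48
};

int main(void)
{
	char art[ART_BUFSIZE];

	randomart(kZeroDigest, sizeof(kZeroDigest), "zero", art);
	fputs(art, stdout);
	randomart(kSampleDigest, sizeof(kSampleDigest), "RSA 2048", art);
	fputs(art, stdout);
	return 0;
}
```

The all-zero digest is a good sanity check: every move is up-and-left, so the worm walks a diagonal from the centre S into the top-left corner, where it then sits and saturates, and E lands on that corner. With {0x00, 0x55} the second byte turns the walk right along the top wall, which shows the clamping: the vertical component is dropped while the horizontal one still advances.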
2008-06-13  - jmc@cvs.openbsd.org 2008/06/11 07:30:37  (Darren Tucker)
    [sshd.8] kill trailing whitespace;
2008-06-12  - (djm) [channels.c configure.ac] Do not set SO_REUSEADDR on wildcard X11 listeners (X11UseLocalhost=no) bz#1464; ok dtucker  (Damien Miller)
2008-06-11  - (dtucker) [Makefile.in] Move addrmatch.o to libssh.a where it's needed now.  (Darren Tucker)
2008-06-11  - dtucker@cvs.openbsd.org 2008/06/10 23:13:43  (Darren Tucker)
    [Makefile regress/key-options.sh] Add regress test for key options. ok djm@
2008-06-11  - dtucker@cvs.openbsd.org 2008/06/10 23:21:34  (Darren Tucker)
    [bufaux.c] Use '\0' for a nul byte rather than unadorned 0. ok djm@
2008-06-11  - djm@cvs.openbsd.org 2008/06/10 23:06:19  (Darren Tucker)
    [auth-options.c match.c servconf.c addrmatch.c sshd.8] support CIDR address matching in .ssh/authorized_keys from="..." stanzas ok and extensive testing dtucker@
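Added example for the CIDR matching in from="..." stanzas from the entry above. This is example code written for this page, not OpenSSH's addrmatch.c. It assumes IPv4 only, a comma-separated list where each entry is a host address or a CIDR block optionally negated with a leading '!', and documentation-range addresses as constructed test data; the rule that a negated match rejects outright while a positive match keeps scanning, and the rejection of entries with host bits set inside the prefix (such as 192.0.2.1/24), are this example's own choices.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not OpenSSH's addrmatch.c: match a client IPv4 address
 * against a comma-separated list in the style of an authorized_keys
 * from="..." option. Each entry is a host address or a CIDR block,
 * optionally negated with a leading '!'. A negated entry that matches
 * rejects immediately; otherwise the result is 1 if any positive entry
 * matched. Malformed input yields -1 so a caller can fail closed.
 * IPv6, hostname patterns and wildcards are deliberately left out.
 */

/* Parse "a.b.c.d" or "a.b.c.d/n" from speclen bytes of spec (not NUL
 * terminated). Fills host-order address and mask; returns 0 on success,
 * -1 if malformed. Host bits set inside a /n entry are rejected because
 * such an entry almost always means the writer intended something else. */
static int parse_cidr4(const char *spec, size_t speclen,
                       uint32_t *addr, uint32_t *mask)
{
	char buf[32];
	char *slash, *end;
	struct in_addr in;
	long bits = 32;

	if (speclen == 0 || speclen >= sizeof(buf))
		return -1;
	memcpy(buf, spec, speclen);
	buf[speclen] = '\0';

	slash = strchr(buf, '/');
	if (slash != NULL) {
		*slash = '\0';
		if (!isdigit((unsigned char)slash[1]))
			return -1;
		bits = strtol(slash + 1, &end, 10);
		if (*end != '\0' || bits < 0 || bits > 32)
			return -1;
	}
	if (inet_pton(AF_INET, buf, &in) != 1)
		return -1;

	*addr = ntohl(in.s_addr);
	*mask = (bits == 0) ? 0u : 0xffffffffu << (32 - bits);
	if (slash != NULL && (*addr & ~*mask) != 0)
		return -1;
	return 0;
}

/* 1 = client matches list, 0 = no match (or a negated entry matched),
 * -1 = malformed client address or list entry. */
int addr_match_list4(const char *client, const char *list)
{
	struct in_addr cin;
	uint32_t caddr, naddr, nmask;
	const char *p = list, *comma;
	int result = 0;

	if (inet_pton(AF_INET, client, &cin) != 1)
		return -1;
	caddr = ntohl(cin.s_addr);

	for (;;) {
		int negate = 0;
		size_t len;

		comma = strchr(p, ',');
		len = (comma != NULL) ? (size_t)(comma - p) : strlen(p);
		if (len > 0 && p[0] == '!') {
			negate = 1;
			p++;
			len--;
		}
		if (parse_cidr4(p, len, &naddr, &nmask) != 0)
			return -1;
		if ((caddr & nmask) == (naddr & nmask)) {
			if (negate)
				return 0;   /* explicit exclusion wins outright */
			result = 1;     /* keep scanning: a later '!' may still exclude */
		}
		if (comma == NULL)
			break;
		p = comma + 1;
	}
	return result;
}

int main(void)
{
	/* constructed inputs using documentation address ranges */
	const char *list = "!10.1.2.0/24,10.0.0.0/8,192.0.2.77";
	const char *clients[] = { "10.9.9.9", "10.1.2.3", "192.0.2.77", "192.0.2.78" };
	size_t i;

	for (i = 0; i < sizeof(clients) / sizeof(clients[0]); i++)
		printf("%-12s -> %d\n", clients[i], addr_match_list4(clients[i], list));
	return 0;
}
```

Returning -1 rather than 0 for a malformed entry matters in an authorization path: a caller that treats anything other than 1 as "deny" stays safe, but a distinct code lets it log the broken key line instead of silently ignoring the restriction.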
2008-06-11  - djm@cvs.openbsd.org 2008/06/10 22:15:23  (Darren Tucker)
    [PROTOCOL ssh.c serverloop.c] Add a no-more-sessions@openssh.com global request extension that the client sends when it knows that it will never request another session (i.e. when session multiplexing is disabled). This allows a server to disallow further session requests and terminate the session. Why would a non-multiplexing client ever issue additional session requests? It could have been attacked with something like SSH'jack: http://www.storm.net.nz/projects/7 feedback & ok markus