path: root/Makefile.in
Age | Commit message | Author
2020-02-21 | Install authorized_keys(5) as a symlink to sshd(8) | Tomas Pospisek
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
Bug-Debian: http://bugs.debian.org/441817
Last-Update: 2013-09-14
Patch-Name: authorized-keys-man-symlink.patch
2020-02-21 | GSSAPI key exchange support | Simon Wilkinson
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources."

However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history.

Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2020-02-21
Patch-Name: gssapi.patch
2020-01-26 | upstream: factor out reading/writing sshbufs to dedicated | djm@openbsd.org
functions; feedback and ok markus@ OpenBSD-Commit-ID: dc09e5f1950b7acc91b8fdf8015347782d2ecd3d
2019-12-14 | only link ssh-sk-helper against libfido2 | Damien Miller
2019-12-14 | adapt Makefile to ssh-sk-client everywhere | Damien Miller
2019-12-11 | Sort .depend when rebuilding. | Darren Tucker
This makes diffs more stable between makedepend implementations.
2019-11-29 | compile sk-dummy.so with no-PIE version of LDFLAGS | Damien Miller
This lets it pick up the -L path to libcrypto for example.
2019-11-29 | (yet) another x-platform fix for sk-dummy.so | Damien Miller
Check for -fPIC support from compiler
Compile libopenbsd-compat -fPIC
Don't mix -fPIE and -fPIC when compiling
2019-11-29 | another attempt at sk-dummy.so working x-platform | Damien Miller
include a fatal() implementation to satisfy libopenbsd-compat
clean up .lo and .so files
.gitignore .lo and .so files
2019-11-29 | upstream: lots of dependencies go away here with ed25519 no longer | djm@openbsd.org
needing the ssh_digest API. OpenBSD-Regress-ID: 785847ec78cb580d141e29abce351a436d6b5d49
2019-11-28 | $< doesn't work as I thought; explicitly list objs | Damien Miller
2019-11-28 | missing .SUFFIXES line makes make sad | Damien Miller
2019-11-28 | (hopefully) fix out of tree builds of sk-dummy.so | Damien Miller
2019-11-27 | wire sk-dummy.so into test suite | Damien Miller
2019-11-15 | correct object dependency | Damien Miller
2019-11-15 | upstream: directly support U2F/FIDO2 security keys in OpenSSH by | djm@openbsd.org
linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging. OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069
2019-11-13 | upstream: implement ssh-ed25519-sk verification; ok djm@ | markus@openbsd.org
OpenBSD-Commit-ID: 37906d93948a1e3d237c20e713d6ca8fbf7d13f6
2019-11-08 | upstream: Fill in missing man page bits for U2F security key support: | naddy@openbsd.org
Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable, and ssh-keygen's new -w and -x options. Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal substitutions. ok djm@ OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4
2019-11-03 | Put sftp-realpath in libssh.a | Darren Tucker
and remove it from the specific binary targets.
2019-11-01 | upstream: ssh-agent support for U2F/FIDO keys | djm@openbsd.org
feedback & ok markus@ OpenBSD-Commit-ID: bb544a44bc32e45d2ec8bf652db2046f38360acb
2019-11-01 | upstream: U2F/FIDO middleware interface | djm@openbsd.org
Supports enrolling (generating) keys and signatures. feedback & ok markus@ OpenBSD-Commit-ID: 73d1dd5939454f9c7bd840f48236cba41e8ad592
2019-11-01 | upstream: Initial infrastructure for U2F/FIDO support | djm@openbsd.org
Key library support: including allocation, marshalling public/private keys and certificates, signature validation. feedback & ok markus@ OpenBSD-Commit-ID: a17615ba15e0f7932ac4360cb18fc9a9544e68c7
2019-09-06 | Provide explicit path to configure-check. | Darren Tucker
On some platforms (at least OpenBSD) make won't search VPATH for target files, so building out-of-tree will fail at configure-check. Provide explicit path. ok djm@
2019-09-05 | revert config.h/config.h.in freshness checks | Damien Miller
turns out autoreconf and configure don't touch some files if their content doesn't change, so the mtime can't be relied upon in a makefile rule
2019-09-05 | extend autoconf freshness test | Damien Miller
make it cover config.h.in and config.h separately
2019-09-05 | check that configure/config.h is up to date | Damien Miller
Ensure they are newer than the configure.ac / aclocal.m4 source
2019-09-03 | portability fixes for sshsig | Damien Miller
2019-09-03 | upstream: sshsig: lightweight signature and verification ability | djm@openbsd.org
for OpenSSH

This adds a simple manual signature scheme to OpenSSH. Signatures can be made and verified using ssh-keygen -Y sign|verify

Signatures embed the key used to make them. At verification time, this is matched via principal name against an authorized_keys-like list of allowed signers.

Mostly by Sebastian Kinne w/ some tweaks by me

ok markus@
OpenBSD-Commit-ID: 2ab568e7114c933346616392579d72be65a4b8fb
2019-07-29 | Report success of individual tests as well as all. | Darren Tucker
This puts the "all tests passed" message back at the end where the test harnesses can find it.
2019-07-24 | Split test targets further. | Darren Tucker
Splits test into file-tests, t-exec, unit and interop-tests and their respective dependencies. Should allow running any set individually without having to build the other dependencies that are not needed for that specific test.
2019-07-24 | Add lib dependencies for regress binary targets. | Darren Tucker
2019-07-24 | Make "unit" a dependency of "test". | Darren Tucker
2019-07-23 | Split regress-binaries into two targets. | Darren Tucker
Split the binaries for the unit tests out into a regress-unit-binaries target, and add a dependency on it for only the unit tests. This allows us to run the integration tests only ("make t-exec") without building the unit tests, which allows us to run a subset of the tests when building --without-openssl without trying (and failing) to build the unit tests. This means there are two targets for "unit" which I *think* is valid (it works in testing, and makedepend will generate Makefiles of this form) but I could be wrong.
2019-07-19 | Revert one dependency per line change. | Darren Tucker
It turns out that having such a large number of lines in the .depend file will cause the memory usage of awk during AC_SUBST to blow up on at least NetBSD's awk, causing configure to fail.
2019-07-19 | Force dependencies one per line. | Darren Tucker
Force makedepend to output one dependency per line, which will make reading diffs against it much easier. ok djm@
2019-07-16 | upstream: remove mostly vestigial uuencode.[ch]; moving the only unique | djm@openbsd.org
functionality there (wrapping of base64-encoded data) to sshbuf functions; feedback and ok markus@ OpenBSD-Commit-ID: 4dba6735d88c57232f6fccec8a08bdcfea44ac4c
2019-07-08 | remove realpath() compat replacement | Damien Miller
We shipped a BSD implementation of realpath() because sftp-server depended on its behaviour. OpenBSD is now moving to a more strictly POSIX-compliant realpath(2), so sftp-server now unconditionally requires its own BSD-style realpath implementation. As such, there is no need to carry another independent implementation in openbsd-compat. ok dtucker@
2019-07-08 | upstream: add a local implementation of BSD realpath() for | djm@openbsd.org
sftp-server use ahead of OpenBSD's realpath changing to match POSIX; ok deraadt@ (thanks for snaps testing) OpenBSD-Commit-ID: 4f8cbf7ed8679f6237264301d104ecec64885d55
2019-05-08 | upstream: Remove crc32.{c,h} which were only used by the now-gone | dtucker@openbsd.org
SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt. OpenBSD-Commit-ID: cceda5876c5ba6b4d8abcd52335329198cee3240
2019-01-21 | upstream: rename kex->kem_client_pub -> kex->client_pub now that | djm@openbsd.org
KEM has been renamed to kexgen from markus@ ok djm@ OpenBSD-Commit-ID: fac6da5dc63530ad0da537db022a9a4cfbe8bed8
2019-01-21 | upstream: use KEM API for vanilla ECDH | djm@openbsd.org
from markus@ ok djm@ OpenBSD-Commit-ID: 6fbff96339a929835536b5730585d1d6057a352c
2019-01-21 | upstream: use KEM API for vanilla DH KEX | djm@openbsd.org
from markus@ ok djm@ OpenBSD-Commit-ID: af56466426b08a8be275412ae2743319e3d277c9
2019-01-21 | upstream: use KEM API for vanilla c25519 KEX | djm@openbsd.org
OpenBSD-Commit-ID: 38d937b85ff770886379dd66a8f32ab0c1c35c1f
2019-01-21 | upstream: Add support for a PQC KEX/KEM: | djm@openbsd.org
sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default. introduce KEM API; a simplified framework for DH-ish KEX methods. from markus@ feedback & ok djm@ OpenBSD-Commit-ID: d687f76cffd3561dd73eb302d17a1c3bf321d1a7
2019-01-21 | pass TEST_SSH_SSHPKCS11HELPER to regress tests | Damien Miller
2019-01-20 | upstream: remove last traces of old packet API! | djm@openbsd.org
with & ok markus@ OpenBSD-Commit-ID: 9bd10437026423eb8245636ad34797a20fbafd7d
2018-12-27 | upstream: move client/server SSH-* banners to buffers under | djm@openbsd.org
ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server. Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn). Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@ OpenBSD-Commit-ID: 1cc7885487a6754f63641d7d3279b0941890275b
2018-09-12 | delete the correct thing; kexfuzz binary | Damien Miller
2018-08-23 | fix path in distclean target | Damien Miller
Patch from Jakub Jelen
2018-07-31 | Remove support for S/Key | Damien Miller
Most people will 1) be using modern multi-factor authentication methods like TOTP/OATH etc and 2) be getting support for multi-factor authentication via PAM or BSD Auth.