| Age | Commit message (Collapse) | Author |
|---|
|
This patch has been rejected upstream: "None of the OpenSSH developers are
in favour of adding this, and this situation has not changed for several
years. This is not a slight on Simon's patch, which is of fine quality, but
just that a) we don't trust GSSAPI implementations that much and b) we don't
like adding new KEX since they are pre-auth attack surface. This one is
particularly scary, since it requires hooks out to typically root-owned
system resources."
However, quite a lot of people rely on this in Debian, and it's better to
have it merged into the main openssh package rather than having separate
-krb5 packages (as we used to have). It seems to have a generally good
security history.
Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2020-02-21
Patch-Name: gssapi.patch
|
|
functions; feedback and ok markus@
OpenBSD-Commit-ID: dc09e5f1950b7acc91b8fdf8015347782d2ecd3d
|
|
|
|
|
|
This makes diffs more stable between makedepend implementations.
|
|
This lets it pick up the -L path to libcrypto for example.
|
|
Check for -fPIC support from compiler
Compile libopenbsd-compat -fPIC
Don't mix -fPIE and -fPIC when compiling
|
|
include a fatal() implementation to satisfy libopenbsd-compat
clean up .lo and .so files
.gitignore .lo and .so files
|
|
needing the ssh_digest API.
OpenBSD-Regress-ID: 785847ec78cb580d141e29abce351a436d6b5d49
|
|
|
|
|
|
|
|
|
|
|
|
linking against the (previously external) USB HID middleware. The dlopen()
capability still exists for alternate middlewares, e.g. for Bluetooth, NFC
and test/debugging.
OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069
|
|
OpenBSD-Commit-ID: 37906d93948a1e3d237c20e713d6ca8fbf7d13f6
|
|
Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's
SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable,
and ssh-keygen's new -w and -x options.
Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal
substitutions.
ok djm@
OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4
|
|
and remove it from the specific binary targets.
|
|
feedback & ok markus@
OpenBSD-Commit-ID: bb544a44bc32e45d2ec8bf652db2046f38360acb
|
|
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
OpenBSD-Commit-ID: 73d1dd5939454f9c7bd840f48236cba41e8ad592
|
|
Key library support: including allocation, marshalling public/private
keys and certificates, signature validation.
feedback & ok markus@
OpenBSD-Commit-ID: a17615ba15e0f7932ac4360cb18fc9a9544e68c7
|
|
On some platforms (at least OpenBSD) make won't search VPATH for target
files, so building out-of-tree will fail at configure-check. Provide
explicit path. ok djm@
|
|
turns out autoreconf and configure don't touch some files if their content
doesn't change, so the mtime can't be relied upon in a makefile rule
|
|
make it cover config.h.in and config.h separately
|
|
Ensure they are newer than the configure.ac / aclocal.m4 source
|
|
|
|
for OpenSSH
This adds a simple manual signature scheme to OpenSSH.
Signatures can be made and verified using ssh-keygen -Y sign|verify
Signatures embed the key used to make them. At verification time, this
is matched via principal name against an authorized_keys-like list
of allowed signers.
Mostly by Sebastian Kinne w/ some tweaks by me
ok markus@
OpenBSD-Commit-ID: 2ab568e7114c933346616392579d72be65a4b8fb
|
|
This puts the "all tests passed" message back at the end where the
test harnesses can find it.
|
|
Splits test into file-tests, t-exec, unit and interop-tests and their
respective dependencies. Should allow running any set individually
without having to build the other dependencies that are not needed
for that specific test.
|
|
|
|
|
|
Split the binaries for the unit tests out into a regress-unit-binaries
target, and add a dependency on it for only the unit tests. This allows
us to run the integration tests only ("make t-exec") without building
the unit tests, which allows us to run a subset of the tests when
building --without-openssl without trying (and failing) to build the
unit tests.
This means there are two targets for "unit" which I *think* is valid
(it works in testing, and makedepend will generate Makefiles of this
form)a but I could be wrong.
|
|
It turns out that having such a large number of lines in the .depend
file will cause the memory usage of awk during AC_SUBST to blow up on at
least NetBSD's awk, causing configure to fail.
|
|
Force makedepend to output one dependency per line, which will make
reading diffs against it much easier. ok djm@
|
|
functionality there (wrapping of base64-encoded data) to sshbuf functions;
feedback and ok markus@
OpenBSD-Commit-ID: 4dba6735d88c57232f6fccec8a08bdcfea44ac4c
|
|
We shipped a BSD implementation of realpath() because sftp-server
depended on its behaviour.
OpenBSD is now moving to a more strictly POSIX-compliant realpath(2),
so sftp-server now unconditionally requires its own BSD-style realpath
implementation. As such, there is no need to carry another independant
implementation in openbsd-compat.
ok dtucker@
|
|
sftp-server use ahead of OpenBSD's realpath changing to match POSIX;
ok deraadt@ (thanks for snaps testing)
OpenBSD-Commit-ID: 4f8cbf7ed8679f6237264301d104ecec64885d55
|
|
SSH1 protocol. Patch from yumkam at gmail.com, ok deraadt.
OpenBSD-Commit-ID: cceda5876c5ba6b4d8abcd52335329198cee3240
|
|
KEM has been renamed to kexgen
from markus@ ok djm@
OpenBSD-Commit-ID: fac6da5dc63530ad0da537db022a9a4cfbe8bed8
|
|
from markus@ ok djm@
OpenBSD-Commit-ID: 6fbff96339a929835536b5730585d1d6057a352c
|
|
from markus@ ok djm@
OpenBSD-Commit-ID: af56466426b08a8be275412ae2743319e3d277c9
|
|
OpenBSD-Commit-ID: 38d937b85ff770886379dd66a8f32ab0c1c35c1f
|
|
sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime
4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not
enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
OpenBSD-Commit-ID: d687f76cffd3561dd73eb302d17a1c3bf321d1a7
|
|
|
|
with & ok markus@
OpenBSD-Commit-ID: 9bd10437026423eb8245636ad34797a20fbafd7d
|
|
ssh->kex and factor out the banner exchange. This eliminates some common code
from the client and server.
Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@
OpenBSD-Commit-ID: 1cc7885487a6754f63641d7d3279b0941890275b
|
|
|
|
Patch from Jakub Jelen
|
|
Most people will 1) be using modern multi-factor authentication methods
like TOTP/OATH etc and 2) be getting support for multi-factor
authentication via PAM or BSD Auth.
|
|
Adds a regress/mkdtemp tool and uses it to create empty temp
directories for tests needing control sockets.
Patch from Colin Watson via bz#2660; ok dtucker
|
