summaryrefslogtreecommitdiff
path: root/auth2-pubkey.c
AgeCommit message (Collapse)Author
2020-01-23upstream: Replace all calls to signal(2) with a wrapper arounddtucker@openbsd.org
sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations. OpenBSD-Commit-ID: 5e047663fd77a40d7b07bdabe68529df51fd2519
2019-11-25upstream: add a "no-touch-required" option for authorized_keys anddjm@openbsd.org
a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them. feedback deraadt, ok markus OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e
2019-11-25upstream: Add a sshd_config PubkeyAuthOptions directivedjm@openbsd.org
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key). ok markus@ OpenBSD-Commit-ID: 46e434a49802d4ed82bc0aa38cb985c198c407de
2019-11-25upstream: Add new structure for signature optionsdjm@openbsd.org
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field. with and ok markus@ OpenBSD-Commit-ID: 338a1f0e04904008836130bedb9ece4faafd4e49
2019-09-06upstream: lots of things were relying on libcrypto headers todjm@openbsd.org
transitively include various system headers (mostly stdlib.h); include them explicitly OpenBSD-Commit-ID: 5b522f4f2d844f78bf1cc4f3f4cc392e177b2080
2019-09-03upstream: move advance_past_options to authfile.c and make itdjm@openbsd.org
public; ok markus@ OpenBSD-Commit-ID: edda2fbba2c5b1f48e60f857a2010479e80c5f3c
2019-09-03upstream: move skip_space() to misc.c and make it public; okdjm@openbsd.org
markus@ OpenBSD-Commit-ID: caa77e8a3b210948e29ad3e28c5db00852961eae
2019-07-16upstream: remove mostly vestigal uuencode.[ch]; moving the only uniquedjm@openbsd.org
functionality there (wrapping of base64-encoded data) to sshbuf functions; feedback and ok markus@ OpenBSD-Commit-ID: 4dba6735d88c57232f6fccec8a08bdcfea44ac4c
2019-06-21upstream: print the correct AuthorizedPrincipalsCommand rather thandjm@openbsd.org
an uninitialised variable; spotted by dtucker@ OpenBSD-Commit-ID: 02802018784250f68202f01c8561de82e17b0638
2019-06-14upstream: for public key authentication, check AuthorizedKeysFilesdjm@openbsd.org
files before consulting AuthorizedKeysCommand; ok dtucker markus OpenBSD-Commit-ID: 13652998bea5cb93668999c39c3c48e8429db8b3
2019-05-20upstream: embiggen format buffer size for certificate serial number sodjm@openbsd.org
that it will fit a full 64 bit integer. bz#3012 from Manoel Domingues Junior OpenBSD-Commit-ID: a51f3013056d05b976e5af6b978dcb9e27bbc12b
2019-01-22upstream: print the full pubkey being attempted at loglevel >=djm@openbsd.org
debug2; bz2939 OpenBSD-Commit-ID: ac0fe5ca1429ebf4d460bad602adc96de0d7e290
2018-09-20upstream: Add sshd_config CASignatureAlgorithms option to allowdjm@openbsd.org
control over which signature algorithms a CA may use when signing certificates. In particular, this allows a sshd to ban certificates signed with RSA/SHA1. ok markus@ OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac
2018-09-09upstream: fix misplaced parenthesis inside if-clause. it's harmlessmestre@openbsd.org
and the only issue is showing an unknown error (since it's not defined) during fatal(), if it ever an error occurs inside that condition. OK deraadt@ markus@ djm@ OpenBSD-Commit-ID: acb0a8e6936bfbe590504752d01d1d251a7101d8
2018-08-23upstream: memleak introduced in r1.83; from Colin Watsondjm@openbsd.org
OpenBSD-Commit-ID: 5c019104c280cbd549a264a7217b67665e5732dc
2018-07-31upstream: delay bailout for invalid authenticdjm@openbsd.org
=?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?= =?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?= =?UTF-8?q?iusz=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d
2018-07-12upstream: treat ssh_packet_write_wait() errors as fatal; ok djm@markus@openbsd.org
OpenBSD-Commit-ID: f88ba43c9d54ed2d911218aa8d3f6285430629c3
2018-07-10upstream: sshd: switch authentication to sshbuf API; ok djm@markus@openbsd.org
OpenBSD-Commit-ID: 880aa06bce4b140781e836bb56bec34873290641
2018-07-03upstream: Improve strictness and control over RSA-SHA2 signaturedjm@openbsd.org
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself. In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature. Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2. Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys. feedback and ok markus@ OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
2018-06-07upstream: switch config file parsing to getline(3) as this avoidsmarkus@openbsd.org
static limits noted by gerhard@; ok dtucker@, djm@ OpenBSD-Commit-ID: 6d702eabef0fa12e5a1d75c334a8c8b325298b5c
2018-06-01upstream: make UID available as a %-expansion everywhere that thedjm@openbsd.org
username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@ OpenBSD-Commit-ID: c7e912b0213713316cb55db194b3a6415b3d4b95
2018-03-03upstream: switch over to the new authorized_keys options API anddjm@openbsd.org
remove the legacy one. Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines. feedback and ok markus@ OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df
2018-02-09upstream commitdtucker@openbsd.org
ssh_free checks for and handles NULL args, remove NULL checks from remaining callers. ok djm@ OpenBSD-Commit-ID: bb926825c53724c069df68a93a2597f9192f7e7b
2018-01-23upstream commitdjm@openbsd.org
Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations. ok markus@ OpenBSD-Commit-ID: 4be81c67db57647f907f4e881fb9341448606138
2017-12-21upstream commitdjm@openbsd.org
revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan. OpenBSD-Commit-ID: 4a44ddc991c803c4ecc8f1ad40e0ab4d22e1c519
2017-12-19upstream commitdjm@openbsd.org
include signature type and CA key (if applicable) in some debug messages OpenBSD-Commit-ID: b71615cc20e78cec7105bb6e940c03ce9ae414a5
2017-12-19upstream commitdjm@openbsd.org
pass negotiated signing algorithm though to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@ OpenBSD-Commit-ID: 735fb15bf4adc060d3bee9d047a4bcaaa81b1af9
2017-09-12upstream commitdjm@openbsd.org
typo in comment Upstream-ID: a93b1e6f30f1f9b854b5b964b9fd092d0c422c47
2017-08-23upstream commitdjm@openbsd.org
add a "quiet" flag to exited_cleanly() that supresses errors about exit status (failure due to signal is still reported) Upstream-ID: db85c39c3aa08e6ff67fc1fb4ffa89f807a9d2f0
2017-08-23upstream commitdjm@openbsd.org
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition. feedback & ok dtucker@ Upstream-ID: 3573dd7109d13ef9bd3bed93a3deb170fbfce049
2017-06-24upstream commitdjm@openbsd.org
refactor authentication logging optionally record successful auth methods and public credentials used in a file accessible to user sessions feedback and ok markus@ Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
2017-06-01upstream commitmarkus@openbsd.org
make sure we don't pass a NULL string to vfprintf (triggered by the principals-command regress test); ok bluhm Upstream-ID: eb49854f274ab37a0b57056a6af379a0b7111990
2017-06-01upstream commitderaadt@openbsd.org
Switch to recallocarray() for a few operations. Both growth and shrinkage are handled safely, and there also is no need for preallocation dances. Future changes in this area will be less error prone. Review and one bug found by markus Upstream-ID: 822d664d6a5a1d10eccb23acdd53578a679d5065
2017-05-31upstream commitmarkus@openbsd.org
switch auth2 to ssh_dispatch API; ok djm@ Upstream-ID: a752ca19e2782900dd83060b5c6344008106215f
2017-05-31upstream commitmarkus@openbsd.org
switch auth2-pubkey.c to modern APIs; with & ok djm@ Upstream-ID: 8f08d4316eb1b0c4ffe4a206c05cdd45ed1daf07
2017-05-31upstream commitmarkus@openbsd.org
switch from Key typedef with struct sshkey; ok djm@ Upstream-ID: 3067d33e04efbe5131ce8f70668c47a58e5b7a1f
2017-01-30upstream commitdjm@openbsd.org
revise keys/principals command hang fix (bz#2655) to consume entire output, avoiding sending SIGPIPE to subprocesses early; ok dtucker@ Upstream-ID: 7cb04b31a61f8c78c4e48ceededcd2fd5c4ee1bc
2017-01-03upstream commitdjm@openbsd.org
fix deadlock when keys/principals command produces a lot of output and a key is matched early; bz#2655, patch from jboning AT gmail.com Upstream-ID: e19456429bf99087ea994432c16d00a642060afe
2016-11-30upstream commitdjm@openbsd.org
When a forced-command appears in both a certificate and an authorized keys/principals command= restriction, refuse to accept the certificate unless they are identical. The previous (documented) behaviour of having the certificate forced- command override the other could be a bit confused and more error-prone. Pointed out by Jann Horn of Project Zero; ok dtucker@ Upstream-ID: 79d811b6eb6bbe1221bf146dde6928f92d2cd05f
2016-09-22upstream commitdjm@openbsd.org
cast uint64_t for printf Upstream-ID: 76d23e89419ccbd2320f92792a6d878211666ac1
2016-09-21upstream commitdjm@openbsd.org
add a way for principals command to get see key ID and serial too Upstream-ID: 0d30978bdcf7e8eaeee4eea1b030eb2eb1823fcb
2016-09-15upstream commitdjm@openbsd.org
take fingerprint of correct key for AuthorizedPrincipalsCommand Upstream-ID: 553581a549cd6a3e73ce9f57559a325cc2cb1f38
2016-09-14upstream commitdjm@openbsd.org
add %-escapes to AuthorizedPrincipalsCommand to match those supported for AuthorizedKeysCommand (key, key type, fingerprint, etc) and a few more to provide access to the certificate's CA key; 'looks ok' dtucker@ Upstream-ID: 6b00fd446dbebe67f4e4e146d2e492d650ae04eb
2016-01-27upstream commitdjm@openbsd.org
make the debug messages a bit more useful here Upstream-ID: 478ccd4e897e0af8486b294aa63aa3f90ab78d64
2015-10-29upstream commitdjm@openbsd.org
log certificate serial in verbose() messages to match the main auth success/fail message; ok dtucker@ Upstream-ID: dfc48b417c320b97c36ff351d303c142f2186288
2015-06-17upstream commitjsing@openbsd.org
If AuthorizedPrincipalsCommand is specified, however AuthorizedPrincipalsFile is not (or is set to "none"), authentication will potentially fail due to key_cert_check_authority() failing to locate a principal that matches the username, even though an authorized principal has already been matched in the output of the subprocess. Fix this by using the same logic to determine if pw->pw_name should be passed, as is used to determine if a authorized principal must be matched earlier on. ok djm@ Upstream-ID: 43b42302ec846b0ea68aceb40677245391b9409d
2015-06-17upstream commitjsing@openbsd.org
Make the arguments to match_principals_command() similar to match_principals_file(), by changing the last argument a struct sshkey_cert * and dereferencing key->cert in the caller. No functional change. ok djm@ Upstream-ID: 533f99b844b21b47342b32b62e198dfffcf8651c
2015-05-21upstream commitdjm@openbsd.org
add AuthorizedPrincipalsCommand that allows getting authorized_principals from a subprocess rather than a file, which is quite useful in deployments with large userbases feedback and ok markus@ Upstream-ID: aa1bdac7b16fc6d2fa3524ef08f04c7258d247f6
2015-05-21upstream commitdjm@openbsd.org
support arguments to AuthorizedKeysCommand bz#2081 loosely based on patch by Sami Hartikainen feedback and ok markus@ Upstream-ID: b080387a14aa67dddd8ece67c00f268d626541f7
2015-05-10upstream commitdjm@openbsd.org
prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@