summaryrefslogtreecommitdiff
path: root/auth2.c
AgeCommit message (Collapse)Author
2008-11-05 - djm@cvs.openbsd.org 2008/11/04 08:22:13Damien Miller
[auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h] [readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5] [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c] [Makefile.in] Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008. This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint. This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc). "just commit it. It isn't too intrusive." deraadt@
2008-07-05 - djm@cvs.openbsd.org 2008/07/04 23:30:16Damien Miller
[auth1.c auth2.c] Make protocol 1 MaxAuthTries logic match protocol 2's. Do not treat the first protocol 2 authentication attempt as a failure IFF it is for method "none". Makes MaxAuthTries' user-visible behaviour identical for protocol 1 vs 2. ok dtucker@
2008-07-04 - djm@cvs.openbsd.org 2008/07/02 13:30:34Darren Tucker
[auth2.c] really really remove the freebie "none" auth try for protocol 2
2008-07-02 - djm@cvs.openbsd.org 2008/07/02 12:36:39Darren Tucker
[auth2-none.c auth2.c] Make protocol 2 MaxAuthTries behaviour a little more sensible: Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth). Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try. Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block). Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.
2007-10-26 - dtucker@cvs.openbsd.org 2007/09/29 00:25:51Damien Miller
[auth2.c] Remove unused prototype. ok djm@
2007-05-20 - stevesk@cvs.openbsd.org 2007/04/14 22:01:58Darren Tucker
[auth2.c] remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
2007-03-01 - dtucker@cvs.openbsd.org 2007/03/01 10:28:02Darren Tucker
[auth2.c sshd_config.5 servconf.c] Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
2006-08-05 - deraadt@cvs.openbsd.org 2006/08/03 03:34:42Damien Miller
[OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c] [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c] [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c] [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ] [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c] [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c] [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c] [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c] [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c] [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c] [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c] [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c] [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c] [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h] [serverloop.c session.c session.h sftp-client.c sftp-common.c] [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c] [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c] [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c] [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c] [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h] [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h] almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step NB. portable commit contains everything *except* removing includes.h, as that will take a fair bit more work as we move headers that are required for portability workarounds to defines.h. (also, this step wasn't "easy")
2006-07-24 - stevesk@cvs.openbsd.org 2006/07/22 20:48:23Damien Miller
[atomicio.c auth-options.c auth-passwd.c auth-rhosts.c auth-rsa.c] [auth.c auth1.c auth2-chall.c auth2-hostbased.c auth2-passwd.c auth2.c] [authfd.c authfile.c bufaux.c bufbn.c buffer.c canohost.c channels.c] [cipher-3des1.c cipher-bf1.c cipher-ctr.c cipher.c clientloop.c] [compat.c deattack.c dh.c dns.c gss-genr.c gss-serv.c hostfile.c] [includes.h kex.c kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c log.c] [mac.c match.c md-sha256.c misc.c moduli.c monitor.c monitor_fdpass.c] [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c rsa.c] [progressmeter.c readconf.c readpass.c scp.c servconf.c serverloop.c] [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c sftp.c] [ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c] [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c sshconnect2.c] [sshd.c sshlogin.c sshpty.c ttymodes.c uidswap.c xmalloc.c] move #include <string.h> out of includes.h
2006-07-10 - stevesk@cvs.openbsd.org 2006/07/06 16:03:53Damien Miller
[auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c] [auth-rhosts.c auth-rsa.c auth.c auth.h auth2-hostbased.c] [auth2-pubkey.c auth2.c includes.h misc.c misc.h monitor.c] [monitor_wrap.c monitor_wrap.h scp.c serverloop.c session.c] [session.h sftp-common.c ssh-add.c ssh-keygen.c ssh-keysign.c] [ssh.c sshconnect.c sshconnect.h sshd.c sshpty.c sshpty.h uidswap.c] [uidswap.h] move #include <pwd.h> out of includes.h; ok markus@
2006-03-26 - djm@cvs.openbsd.org 2006/03/25 13:17:03Damien Miller
[atomicio.c auth-bsdauth.c auth-chall.c auth-options.c auth-passwd.c] [auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth-skey.c auth.c auth1.c] [auth2-chall.c auth2-hostbased.c auth2-kbdint.c auth2-none.c] [auth2-passwd.c auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c] [buffer.c canohost.c channels.c cipher-3des1.c cipher-bf1.c] [cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c compress.c] [deattack.c dh.c dispatch.c fatal.c groupaccess.c hostfile.c kex.c] [kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c] [mac.c match.c md-sha256.c misc.c monitor.c monitor_fdpass.c] [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c progressmeter.c] [readconf.c readpass.c rsa.c scard.c scp.c servconf.c serverloop.c] [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c] [sftp.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c] [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c] [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c] [uidswap.c uuencode.c xmalloc.c] Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files
2006-03-26 - deraadt@cvs.openbsd.org 2006/03/20 18:17:20Damien Miller
[auth1.c auth2.c sshd.c] sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)
2006-03-26 - deraadt@cvs.openbsd.org 2006/03/19 18:51:18Damien Miller
[atomicio.c auth-bsdauth.c auth-chall.c auth-krb5.c auth-options.c] [auth-pam.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c] [auth-shadow.c auth-skey.c auth.c auth1.c auth2-chall.c] [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c] [auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c buffer.c] [canohost.c channels.c cipher-3des1.c cipher-acss.c cipher-aes.c] [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c] [compress.c deattack.c dh.c dispatch.c dns.c entropy.c fatal.c] [groupaccess.c hostfile.c includes.h kex.c kexdh.c kexdhc.c] [kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c loginrec.c] [loginrec.h logintest.c mac.c match.c md-sha256.c md5crypt.c misc.c] [monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c msg.c] [nchan.c packet.c progressmeter.c readconf.c readpass.c rsa.c] [scard.c scp.c servconf.c serverloop.c session.c sftp-client.c] [sftp-common.c sftp-glob.c sftp-server.c sftp.c ssh-add.c] [ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c] [ssh-rand-helper.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c] [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c] [uidswap.c uuencode.c xmalloc.c openbsd-compat/bsd-arc4random.c] [openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-cygwin_util.c] [openbsd-compat/bsd-getpeereid.c openbsd-compat/bsd-misc.c] [openbsd-compat/bsd-nextstep.c openbsd-compat/bsd-snprintf.c] [openbsd-compat/bsd-waitpid.c openbsd-compat/fake-rfc2553.c] RCSID() can die
2005-09-24 - (dtucker) [auth2.c] Move start_pam() calls out of if-else block to removeDarren Tucker
duplicate call. ok djm@
2005-07-17 -(djm) [audit.c auth1.c auth2.c entropy.c loginrec.c serverloop.c]Damien Miller
[ssh-rand-helper.c] fix portable 2nd level indents at 4 spaces too
2005-02-08 - (dtucker) [audit.c audit.h auth.c auth1.c auth2.c loginrec.c monitor.cDarren Tucker
monitor_wrap.c monitor_wrap.h session.c sshd.c]: Prepend all of the audit defines and enums with SSH_ to prevent namespace collisions on some platforms (eg AIX).
2005-02-03 - (dtucker) [Makefile.in auth.c auth.h auth1.c auth2.c loginrec.c monitor.cDarren Tucker
monitor.h monitor_wrap.c monitor_wrap.h session.c sshd.c] Bug #125: (first stage) Add audit instrumentation to sshd, currently disabled by default. with suggestions from and djm@
2004-12-03 - (dtucker) [auth1.c auth2.c] If the user successfully authenticates but isDarren Tucker
subsequently denied by the PAM auth stack, send the PAM message to the user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2). ok djm@
2004-09-11 - (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c]Darren Tucker
Bug #892: Send messages from failing PAM account modules to the client via SSH2_MSG_USERAUTH_BANNER messages. Note that this will not happen with SSH2 kbdint authentication, which need to be dealt with separately. ok djm@
2004-08-12 - markus@cvs.openbsd.org 2004/07/28 09:40:29Darren Tucker
[auth.c auth1.c auth2.c cipher.c cipher.h key.c session.c ssh.c sshconnect1.c] more s/illegal/invalid/
2004-07-21 - djm@cvs.openbsd.org 2004/07/21 10:33:31Damien Miller
[auth1.c auth2.c] bz#899: Don't display invalid usernames in setproctitle
2004-05-24 - dtucker@cvs.openbsd.org 2004/05/23 23:59:53Darren Tucker
[auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config sshd_config.5] Add MaxAuthTries sshd config option; ok markus@
2004-03-08 - (dtucker) [auth-pam.c auth-pam.h auth1.c auth2.c monitor.c monitor_wrap.cDarren Tucker
monitor_wrap.h] Bug #808: Ensure force_pwchange is correctly initialized even if keyboard-interactive is not used by the client. Prevents segfaults in some cases where the user's password is expired (note this is not considered a security exposure). ok djm@
2003-11-17 - djm@cvs.openbsd.org 2003/11/04 08:54:09Damien Miller
[auth1.c auth2.c auth2-pubkey.c auth.h auth-krb5.c auth-passwd.c] [auth-rhosts.c auth-rh-rsa.c auth-rsa.c monitor.c serverloop.c] [session.c] standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@
2003-10-02 - markus@cvs.openbsd.org 2003/09/23 20:17:11Darren Tucker
[Makefile.in auth1.c auth2.c auth.c auth.h auth-krb5.c canohost.c cleanup.c clientloop.c fatal.c gss-serv.c log.c log.h monitor.c monitor.h monitor_wrap.c monitor_wrap.h packet.c serverloop.c session.c session.h ssh-agent.c sshd.c] replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@
2003-09-03 - markus@cvs.openbsd.org 2003/08/26 09:58:43Damien Miller
[auth-passwd.c auth.c auth.h auth1.c auth2-none.c auth2-passwd.c] [auth2.c monitor.c] fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
2003-08-26 - markus@cvs.openbsd.org 2003/08/22 13:22:27Darren Tucker
[auth2.c] (auth2-krb5.c removed) nuke "kerberos-2@ssh.com"
2003-08-26 - markus@cvs.openbsd.org 2003/08/22 10:56:09Darren Tucker
[auth2.c auth2-gss.c auth.h compat.c compat.h gss-genr.c gss-serv-krb5.c gss-serv.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c session.h ssh-gss.h ssh_config.5 sshconnect2.c sshd_config sshd_config.5] support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
2003-08-25 - (djm) Bug #564: Perform PAM account checks for all authentications whenDamien Miller
UsePAM=yes; ok dtucker
2003-06-28 - markus@cvs.openbsd.org 2003/06/24 08:23:46Darren Tucker
[auth2-hostbased.c auth2-pubkey.c auth2.c channels.c key.c key.h monitor.c packet.c packet.h serverloop.c sshconnect2.c sshd.c] int -> u_int; ok djm@, deraadt@, mouring@
2003-05-14 - (djm) Add new UsePAM configuration directive to allow runtime controlDamien Miller
over usage of PAM. This allows non-root use of sshd when built with --with-pam
2003-05-14 - markus@cvs.openbsd.org 2003/05/14 02:15:47Damien Miller
[auth2.c monitor.c sshconnect2.c auth2-krb5.c] implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@
2003-05-14 - (djm) RCSID sync w/ OpenBSDDamien Miller
2003-05-14 - (djm) Bug #117: Don't lie to PAM about usernameDamien Miller
2003-05-02 - (dtucker) Move handling of bad password authentications into a platformDarren Tucker
specific record_failed_login() function (affects AIX & Unicos).
2003-04-27 - (bal) auth2.c same changed as above.Ben Lindstrom
2003-04-09*** empty log message ***Damien Miller
2003-02-24 - markus@cvs.openbsd.org 2003/02/06 21:22:43Damien Miller
[auth1.c auth2.c] undo broken fix for #387, fixes #486
2002-09-25Cray fixes (bug 367) based on patch from Wendy Palm @ cray.Tim Rice
This does not include the deattack.c fixes.
2002-09-04 - markus@cvs.openbsd.org 2002/08/22 21:33:58Damien Miller
[auth1.c auth2.c] auth_root_allowed() is handled by the monitor in the privsep case, so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
2002-07-04 - (bal) Failed password attempts don't increment counter on AIX. Bug #145Ben Lindstrom
2002-07-04 - deraadt@cvs.openbsd.org 2002/06/30 21:54:16Ben Lindstrom
[auth2.c session.c sshd.c] lint asks that we use names that do not overlap
2002-06-21some xxx's for future privsep cleanupDamien Miller
2002-06-07 - (bal) Refixed auth2.c. It was never fully commited while spliting outBen Lindstrom
authentication to different files.
2002-06-06 - markus@cvs.openbsd.org 2002/05/31 11:35:15Ben Lindstrom
[auth.h auth2.c] move Authmethod definitons to per-method file. NOTE: The rest of this patch is with the import of the auth2-*.c files.
2002-06-06 - markus@cvs.openbsd.org 2002/05/25 18:51:07Ben Lindstrom
[auth.h auth2.c auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c auth2-pubkey.c Makefile.in] split auth2.c into one file per method; ok provos@/deraadt@ NOTE: Merged back noticable cygwin and pam stuff. May need review to ensure I did not miss anything.
2002-05-15 - itojun@cvs.openbsd.org 2002/05/13 02:37:39Ben Lindstrom
[auth-skey.c auth2.c] less warnings. skey_{respond,query} are public (in auth.h)
2002-05-13 - (djm) Bug #231: UsePrivilegeSeparation turns off Banner.Damien Miller
2002-05-09 - (djm) Disable PAM kbd-int auth if privsep is turned on (it doesn't work)Damien Miller
2002-04-23 - (djm) Make privsep work with PAM (still experimental)Damien Miller