summaryrefslogtreecommitdiff
path: root/match.h
AgeCommit message (Collapse)Author
2018-07-04upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSAdjm@openbsd.org
signature work - returns ability to add/remove/specify algorithms by wildcard. Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected. Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation. (lots of) feedback, ok markus@ OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
2017-02-04upstream commitdjm@openbsd.org
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@ Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d
2015-05-10upstream commitdjm@openbsd.org
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern). Prompted by hanno AT hboeck.de pointing an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools. ok markus@
2010-02-27 - OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2010/02/26 20:29:54 [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c] [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c] [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c] [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c] [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c] [sshconnect2.c sshd.8 sshd.c sshd_config.5] Add support for certificate key types for users and hosts. OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy. Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as sh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details. Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details. Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys feedback and ok markus@
2008-06-10 - (dtucker) OpenBSD CVS SyncDarren Tucker
- djm@cvs.openbsd.org 2008/06/10 03:57:27 [servconf.c match.h sshd_config.5] support CIDR address matching in sshd_config "Match address" blocks, with full support for negation and fall-back to classic wildcard matching. For example: Match address 192.0.2.0/24,3ffe:ffff::/32,!10.* PasswordAuthentication yes addrmatch.c code mostly lifted from flowd's addr.c feedback and ok dtucker@
2006-03-26 - djm@cvs.openbsd.org 2006/03/25 22:22:43Damien Miller
[atomicio.h auth-options.h auth.h auth2-gss.c authfd.h authfile.h] [bufaux.h buffer.h canohost.h channels.h cipher.h clientloop.h] [compat.h compress.h crc32.c crc32.h deattack.h dh.h dispatch.h] [dns.c dns.h getput.h groupaccess.h gss-genr.c gss-serv-krb5.c] [gss-serv.c hostfile.h includes.h kex.h key.h log.h mac.h match.h] [misc.h monitor.h monitor_fdpass.h monitor_mm.h monitor_wrap.h msg.h] [myproposal.h packet.h pathnames.h progressmeter.h readconf.h rsa.h] [scard.h servconf.h serverloop.h session.h sftp-common.h sftp.h] [ssh-gss.h ssh.h ssh1.h ssh2.h sshconnect.h sshlogin.h sshpty.h] [ttymodes.h uidswap.h uuencode.h xmalloc.h] standardise spacing in $OpenBSD$ tags; requested by deraadt@
2002-03-05 - markus@cvs.openbsd.org 2002/03/01 13:12:10Ben Lindstrom
[auth.c match.c match.h] undo the 'delay hostname lookup' change match.c must not use compress.c (via canonhost.c/packet.c) thanks to wilfried@
2002-03-05 - stevesk@cvs.openbsd.org 2002/02/28 19:36:28Ben Lindstrom
[auth.c match.c match.h] delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers for sshd -u0; ok markus@
2001-12-06 - markus@cvs.openbsd.org 2001/12/05 16:54:51Ben Lindstrom
[compat.c match.c match.h] make theo and djm happy: bye bye regexp
2001-07-04 - itojun@cvs.openbsd.org 2001/06/26 06:32:58Ben Lindstrom
[atomicio.h authfd.h authfile.h auth.h auth-options.h bufaux.h buffer.h canohost.h channels.h cipher.h clientloop.h compat.h compress.h crc32.h deattack.h dh.h dispatch.h groupaccess.h hostfile.h kex.h key.h log.h mac.h match.h misc.h mpaux.h packet.h radix.h readconf.h readpass.h rsa.h] prototype pedant. not very creative... - () -> (void) - no variable names
2001-06-25 - markus@cvs.openbsd.org 2001/06/24 05:25:10Ben Lindstrom
[auth-options.c match.c match.h] move ip+hostname check to match.c
2001-03-11 - markus@cvs.openbsd.org 2001/03/10 17:51:04Ben Lindstrom
[kex.c match.c match.h readconf.c readconf.h sshconnect2.c] add PreferredAuthentications
2001-01-29 - niklas@cvs.openbsd.org 2001/01/2001Ben Lindstrom
[atomicio.h canohost.h clientloop.h deattack.h dh.h dispatch.h groupaccess.c groupaccess.h hmac.h hostfile.h includes.h kex.h key.h log.h login.h match.h misc.h myproposal.h nchan.ms pathnames.h radix.h readpass.h rijndael.h serverloop.h session.h sftp.h ssh-add.1 ssh-dss.h ssh-keygen.1 ssh-keyscan.1 ssh-rsa.h ssh1.h ssh_config sshconnect.h sshd_config tildexpand.h uidswap.h uuencode.h] $OpenBSD$
2000-12-22One way to massive patch. <sigh> It compiles and works under Linux..Ben Lindstrom
And I think I have all the bits right from the OpenBSD tree. 20001222 - Updated RCSID for pty.c - (bal) OpenBSD CVS Updates: - markus@cvs.openbsd.org 2000/12/21 15:10:16 [auth-rh-rsa.c hostfile.c hostfile.h sshconnect.c] print keyfile:line for changed hostkeys, for deraadt@, ok deraadt@ - markus@cvs.openbsd.org 2000/12/20 19:26:56 [authfile.c] allow ssh -i userkey for root - markus@cvs.openbsd.org 2000/12/20 19:37:21 [authfd.c authfd.h kex.c sshconnect2.c sshd.c uidswap.c uidswap.h] fix prototypes; from stevesk@pobox.com - markus@cvs.openbsd.org 2000/12/20 19:32:08 [sshd.c] init pointer to NULL; report from Jan.Ivan@cern.ch - markus@cvs.openbsd.org 2000/12/19 23:17:54 [auth-krb4.c auth-options.c auth-options.h auth-rhosts.c auth-rsa.c auth1.c auth2-skey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufaux.h buffer.c canohost.c channels.c clientloop.c compress.c crc32.c deattack.c getput.h hmac.c hmac.h hostfile.c kex.c kex.h key.c key.h log.c login.c match.c match.h mpaux.c mpaux.h packet.c packet.h radix.c readconf.c rsa.c scp.c servconf.c servconf.h serverloop.c session.c sftp-server.c ssh-agent.c ssh-dss.c ssh-dss.h ssh-keygen.c ssh-keyscan.c ssh-rsa.c ssh-rsa.h ssh.c ssh.h uuencode.c uuencode.h sshconnect1.c sshconnect2.c sshd.c tildexpand.c] replace 'unsigned bla' with 'u_bla' everywhere. also replace 'char unsigned' with u_char.
2000-09-16 - (djm) Merge OpenBSD changes:Damien Miller
- markus@cvs.openbsd.org 2000/09/05 02:59:57 [session.c] print hostname (not hushlogin) - markus@cvs.openbsd.org 2000/09/05 13:18:48 [authfile.c ssh-add.c] enable ssh-add -d for DSA keys - markus@cvs.openbsd.org 2000/09/05 13:20:49 [sftp-server.c] cleanup - markus@cvs.openbsd.org 2000/09/06 03:46:41 [authfile.h] prototype - deraadt@cvs.openbsd.org 2000/09/07 14:27:56 [ALL] cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate. - markus@cvs.openbsd.org 2000/09/07 14:40:30 [channels.c channels.h clientloop.c serverloop.c ssh.c] cleanup window and packet sizes for ssh2 flow control; ok niels - markus@cvs.openbsd.org 2000/09/07 14:53:00 [scp.c] typo - markus@cvs.openbsd.org 2000/09/07 15:13:37 [auth-options.c auth-options.h auth-rh-rsa.c auth-rsa.c auth.c] [authfile.h canohost.c channels.h compat.c hostfile.h log.c match.h] [pty.c readconf.c] some more Copyright fixes - markus@cvs.openbsd.org 2000/09/08 03:02:51 [README.openssh2] bye bye - deraadt@cvs.openbsd.org 2000/09/11 18:38:33 [LICENCE cipher.c] a few more comments about it being ARC4 not RC4 - markus@cvs.openbsd.org 2000/09/12 14:53:11 [log-client.c log-server.c log.c ssh.1 ssh.c ssh.h sshd.8 sshd.c] multiple debug levels - markus@cvs.openbsd.org 2000/09/14 14:25:15 [clientloop.c] typo - deraadt@cvs.openbsd.org 2000/09/15 01:13:51 [ssh-agent.c] check return value for setenv(3) for failure, and deal appropriately
2000-06-07 - (djm) Fix rsh path in RPMs. Report from Jason L Tibbitts IIIDamien Miller
<tibbs@math.uh.edu> - (djm) OpenBSD CVS updates: - todd@cvs.openbsd.org [sshconnect2.c] teach protocol v2 to count login failures properly and also enable an explanation of why the password prompt comes up again like v1; this is NOT crypto - markus@cvs.openbsd.org [readconf.c readconf.h servconf.c servconf.h session.c ssh.1 ssh.c sshd.8] xauth_location support; pr 1234 [readconf.c sshconnect2.c] typo, unused [session.c] allow use_login only for login sessions, otherwise remote commands are execed with uid==0 [sshd.8] document UseLogin better [version.h] OpenSSH 2.1.1 [auth-rsa.c] fix match_hostname() logic for auth-rsa: deny access if we have a negative match or no match at all [channels.c hostfile.c match.c] don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via kris@FreeBSD.org
2000-03-26 - OpenBSD CVS updateDamien Miller
- [auth-krb4.c] -Wall - [auth-rh-rsa.c auth-rsa.c hostfile.c hostfile.h key.c key.h match.c] [match.h ssh.c ssh.h sshconnect.c sshd.c] initial support for DSA keys. ok deraadt@, niels@ - [cipher.c cipher.h] remove unused cipher_attack_detected code - [scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8] Fix some formatting problems I missed before. - [ssh.1 sshd.8] fix spelling errors, From: FreeBSD - [ssh.c] switch to raw mode only if he _get_ a pty (not if we _want_ a pty).