summaryrefslogtreecommitdiff
path: root/openbsd-compat/xcrypt.c
AgeCommit message (Collapse)Author
2016-07-22Search users for one with a valid salt.Darren Tucker
If the root account is locked (eg password "!!" or "*LK*") keep looking until we find a user with a valid salt to use for crypting passwords of invalid users. ok djm@ Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=dbf788b4d9d9490a5fff08a7b09888272bb10fcc Bug-Debian: https://bugs.debian.org/831902 Last-Update: 2016-07-22 Patch-Name: CVE-2016-6210-3.patch
2016-07-22Determine appropriate salt for invalid users.Darren Tucker
When sshd is processing a non-PAM login for a non-existent user it uses the string from the fakepw structure as the salt for crypt(3)ing the password supplied by the client. That string has a Blowfish prefix, so on systems that don't understand that crypt will fail fast due to an invalid salt, and even on those that do it may have significantly different timing from the hash methods used for real accounts (eg sha512). This allows user enumeration by, eg, sending large password strings. This was noted by EddieEzra.Harari at verint.com (CVE-2016-6210). To mitigate, use the same hash algorithm that root uses for hashing passwords for users that do not exist on the system. ok djm@ Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=9286875a73b2de7736b5e50692739d314cd8d9dc Bug-Debian: https://bugs.debian.org/831902 Last-Update: 2016-07-22 Patch-Name: CVE-2016-6210-1.patch
2015-01-15support --without-openssl at configure timeDamien Miller
Disables and removes dependency on OpenSSL. Many features don't work and the set of crypto options is greatly restricted. This will only work on system with native arc4random or /dev/urandom. Considered highly experimental for now.
2013-06-02 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back toDarren Tucker
using openssl's DES_crpyt function on platorms that don't have a native one, eg Android. Based on a patch from Nathan Osman.
2009-01-07 - (tim) [configure.ac defines.h openbsd-compat/port-uw.cTim Rice
openbsd-compat/xcrypt.c] Add SECUREWARE support to OpenServer 6 SVR5 ABI. OK djm@ dtucker@
2007-03-2620070326Tim Rice
- (tim) [auth.c configure.ac defines.h session.c openbsd-compat/port-uw.c openbsd-compat/port-uw.h openbsd-compat/xcrypt.c] Rework libiaf test/defines to account for IRIX having libiaf but not set_id(). Patch with & ok dtucker@
2006-08-30 - (djm) [openbsd-compat/xcrypt.c] needs unistd.hDamien Miller
2006-07-10 - (djm) [loginrec.c ssh-rand-helper.c sshd.c openbsd-compat/glob.c]Damien Miller
[openbsd-compat/mktemp.c openbsd-compat/openbsd-compat.h] [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c] [openbsd-compat/xcrypt.c] Fix includes.h fallout, mainly fcntl.h
2005-08-31 - (tim) [configure.ac auth.c defines.h session.c openbsd-compat/port-uw.cTim Rice
openbsd-compat/port-uw.h openbsd-compat/xcrypt.c] libiaf cleanup. Disable libiaf bits for OpenServer6. Free memory allocated by ia_get_logpwd(). Feedback and OK dtucker@
2005-08-26 - (tim) [CREDITS LICENCE auth.c configure.ac defines.h includes.h session.cTim Rice
openbsd-compat/Makefile.in openbsd-compat/openbsd-compat.h openbsd-compat/xcrypt.c] New files [openssh/openbsd-compat/port-uw.c openssh/openbsd-compat/port-uw.h] Support long passwords (> 8-char) on UnixWare 7 from Dhiraj Gulati and Ahsan Rashid. Cleanup and testing by tim@. Feedback and OK dtucker@
2004-03-04 - (dtucker) [auth-passwd.c auth-sia.c auth-sia.h defines.hDarren Tucker
openbsd-compat/xcrypt.c] Bug #802: Fix build error on Tru64 when configured --with-osfsia. ok djm@
2003-09-25 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] Bug #633: RemoveDarren Tucker
DISABLE_SHADOW for HP-UX, use getspnam instead of getprpwnam. Patch from michael_steffens at hp.com, ok djm@
2003-09-07 - (dtucker) openbsd-compat/xcrypt.c] #elsif -> #elifDarren Tucker
2003-08-11 - (dtucker) [openbsd-compat/xcrypt.c] Remove Cygwin #ifdef block (duplicateDarren Tucker
in bsd-cygwin_util.h).
2003-07-26 - (dtucker) [openbsd-compat/xcrypt.c] Fix typo: DISABLED_SHADOW ->Darren Tucker
DISABLE_SHADOW. Fixes HP-UX compile error.
2003-07-24 - (bal) [auth-passwd.c openbsd-compat/Makefile.in openbsd-compat/xcrypt.cBen Lindstrom
openbsd-compat/xcrypt.h] Split off encryption into xcrypt() interface, and isolate shadow password functions. Tested in Solaris, but should not break other platforms too badly (except maybe HP =). Also brings auth-passwd.c into full sync with OpenBSD tree.