| Age | Commit message (Collapse) | Author |
|---|
|
[ssh-keygen.c ssh-keygen.1]
ssh-keygen would write fingerprints to STDOUT, and random art to STDERR,
that is not how it was envisioned.
Also correct manpage saying that -v is needed along with -l for it to work.
spotted by naddy@
|
|
[ssh-keygen.c]
ssh-keygen -lv -f /etc/ssh/ssh_host_rsa_key.pub
would not display you the random art as intended, spotted by canacar@
|
|
[ssh_config.5 key.h readconf.c readconf.h ssh-keygen.1 ssh-keygen.c key.c
sshconnect.c]
Introduce SSH Fingerprint ASCII Visualization, a technique inspired by the
graphical hash visualization schemes known as "random art", and by
Dan Kaminsky's musings on the subject during a BlackOp talk at the
23C3 in Berlin.
Scientific publication (original paper):
"Hash Visualization: a New Technique to improve Real-World Security",
Perrig A. and Song D., 1999, International Workshop on Cryptographic
Techniques and E-Commerce (CrypTEC '99)
http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
The algorithm used here is a worm crawling over a discrete plane,
leaving a trace (augmenting the field) everywhere it goes.
Movement is taken from dgst_raw 2bit-wise. Bumping into walls
makes the respective movement vector be ignored for this turn,
thus switching to the other color of the chessboard.
Graphs are not unambiguous for now, because circles in graphs can be
walked in either direction.
discussions with several people,
help, corrections and ok markus@ djm@
|
|
[ssh-keygen.c]
support -l (print fingerprint) in combination with -F (find host) to
search for a host in ~/.ssh/known_hosts and display its fingerprint;
ok markus@
|
|
openbsd-compat/openssl-compat.{c,h}] Bug #1437 Move the OpenSSL compat
header to after OpenSSL headers, since some versions of OpenSSL have
SSLeay_add_all_algorithms as a macro already.
|
|
[ssh-keygen.c]
unbreak line numbering (broken in revision 1.164), fix error message
|
|
[ssh-keygen.c]
when hashing individual hosts (ssh-keygen -Hf hostname), make sure we
hash just the specified hostname and not the entire hostspec from the
keyfile. It may be of the form "hostname,ipaddr", which would lead to
a hash that never matches. report and fix from jp AT devnull.cz
|
|
[ssh-keygen.c]
handles zero-sized strings that fgets can return
|
|
[session.c ssh-keygen.c sshlogin.c]
use strcspn to properly overwrite '\n' in fgets returned buffer
ok pyr@, ray@, millert@, moritz@, chl@
|
|
[ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.c]
sort synopsis and options in ssh-agent(1); usage is lowercase
ok jmc@
|
|
[auth-skey.c kex.c ssh-keygen.c session.c clientloop.c]
spaces
|
|
[ssh-keygen.1 ssh-keygen.c]
more secsh -> rfc 4716 updates;
spotted by wiz@netbsd
ok markus
|
|
|
|
[auth2-chall.c channels.c dns.c sftp.c ssh-keygen.c ssh.c]
spaces
|
|
[ssh-keygen.c]
remove small dead code; arnaud.lacombe.1@ulaval.ca via Coverity scan
|
|
- deraadt@cvs.openbsd.org 2006/11/14 19:41:04
[ssh-keygen.c]
use argc and argv not some made up short form
|
|
[auth-rsa.c kexgexc.c kexdhs.c key.c ssh-dss.c sshd.c kexgexs.c
ssh-keygen.c bufbn.c moduli.c scard.c kexdhc.c sshconnect1.c dh.c rsa.c]
add missing checks for openssl return codes; with & ok djm@
|
|
[auth-rsa.c auth-shadow.c auth-sia.c auth1.c auth2-chall.c]
[auth2-gss.c auth2-kbdint.c auth2-none.c authfd.c authfile.c]
[cipher-3des1.c cipher-aes.c cipher-bf1.c cipher-ctr.c clientloop.c]
[dh.c dns.c entropy.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
[kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c loginrec.c mac.c]
[md5crypt.c monitor.c monitor_wrap.c readconf.c rsa.c]
[scard-opensc.c scard.c session.c ssh-add.c ssh-agent.c ssh-dss.c]
[ssh-keygen.c ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c]
[sshconnect1.c sshconnect2.c sshd.c rc4.diff]
[openbsd-compat/bsd-cray.c openbsd-compat/port-aix.c]
[openbsd-compat/port-linux.c openbsd-compat/port-solaris.c]
[openbsd-compat/port-uw.c]
Lots of headers for SCO OSR6, mainly adding stdarg.h for log.h;
compile problems reported by rac AT tenzing.org
|
|
[OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c]
[auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
[auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c]
[auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ]
[auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c]
[buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c]
[cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
[compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c]
[groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
[kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c]
[key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c]
[monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c]
[monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c]
[readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h]
[serverloop.c session.c session.h sftp-client.c sftp-common.c]
[sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
[ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c]
[ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c]
[sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c]
[uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h]
[loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h]
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step
NB. portable commit contains everything *except* removing includes.h, as
that will take a fair bit more work as we move headers that are required
for portability workarounds to defines.h. (also, this step wasn't "easy")
|
|
[auth-passwd.c auth-rhosts.c auth-rsa.c auth.c auth.h auth1.c]
[auth2-chall.c auth2-pubkey.c authfile.c buffer.c canohost.c]
[channels.c clientloop.c dh.c dns.c dns.h hostfile.c kex.c kexdhc.c]
[kexgexc.c kexgexs.c key.c key.h log.c misc.c misc.h moduli.c]
[monitor_wrap.c packet.c progressmeter.c readconf.c readpass.c scp.c]
[servconf.c session.c sftp-client.c sftp-common.c sftp-server.c sftp.c]
[ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh.c sshconnect.c]
[sshconnect1.c sshconnect2.c sshd.c sshlogin.c sshtty.c uuencode.c]
[uuencode.h xmalloc.c]
move #include <stdio.h> out of includes.h
|
|
[authfd.c authfile.c dh.c canohost.c channels.c clientloop.c compat.c]
[hostfile.c kex.c log.c misc.c moduli.c monitor.c packet.c readpass.c]
[scp.c servconf.c session.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
[ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c sshconnect.c]
[sshconnect1.c sshd.c xmalloc.c]
move #include <stdlib.h> out of includes.h
|
|
[atomicio.c auth.c dh.c authfile.c buffer.c clientloop.c kex.c]
[groupaccess.c gss-genr.c kexgexs.c misc.c monitor.c monitor_mm.c]
[packet.c scp.c serverloop.c session.c sftp-client.c sftp-common.c]
[sftp-server.c sftp.c ssh-add.c ssh-agent.c ssh-keygen.c sshlogin.c]
[uidswap.c xmalloc.c]
move #include <sys/param.h> out of includes.h
|
|
[canohost.c channels.c cipher-acss.c defines.h dns.c gss-genr.c]
[gss-serv-krb5.c gss-serv.c log.h loginrec.c logintest.c readconf.c]
[servconf.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c]
[ssh.c sshconnect.c sshd.c openbsd-compat/bindresvport.c]
[openbsd-compat/bsd-arc4random.c openbsd-compat/bsd-misc.c]
[openbsd-compat/getrrsetbyname.c openbsd-compat/glob.c]
[openbsd-compat/mktemp.c openbsd-compat/port-linux.c]
[openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c]
[openbsd-compat/setproctitle.c openbsd-compat/xmmap.c]
make the portable tree compile again - sprinkle unistd.h and string.h
back in. Don't redefine __unused, as it turned out to be used in
headers on Linux, and replace its use in auth-pam.c with ARGSUSED
|
|
[atomicio.c auth-options.c auth-passwd.c auth-rhosts.c auth-rsa.c]
[auth.c auth1.c auth2-chall.c auth2-hostbased.c auth2-passwd.c auth2.c]
[authfd.c authfile.c bufaux.c bufbn.c buffer.c canohost.c channels.c]
[cipher-3des1.c cipher-bf1.c cipher-ctr.c cipher.c clientloop.c]
[compat.c deattack.c dh.c dns.c gss-genr.c gss-serv.c hostfile.c]
[includes.h kex.c kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c log.c]
[mac.c match.c md-sha256.c misc.c moduli.c monitor.c monitor_fdpass.c]
[monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c rsa.c]
[progressmeter.c readconf.c readpass.c scp.c servconf.c serverloop.c]
[session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c sftp.c]
[ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
[ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c sshconnect2.c]
[sshd.c sshlogin.c sshpty.c ttymodes.c uidswap.c xmalloc.c]
move #include <string.h> out of includes.h
|
|
[authfd.c authfile.c channels.c cleanup.c clientloop.c groupaccess.c]
[includes.h log.c misc.c msg.c packet.c progressmeter.c readconf.c]
[readpass.c scp.c servconf.c sftp-client.c sftp-server.c sftp.c]
[ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c]
[sshconnect.c sshlogin.c sshpty.c uidswap.c]
move #include <unistd.h> out of includes.h
|
|
[auth-options.c canohost.c channels.c includes.h readconf.c servconf.c ssh-keyscan.c ssh.c sshconnect.c sshd.c]
move #include <netdb.h> out of includes.h; ok djm@
|
|
[scp.c auth.c monitor.c serverloop.c sftp-server.c sshpty.c readpass.c
sshd.c monitor_wrap.c monitor_fdpass.c ssh-agent.c ttymodes.c atomicio.c
includes.h session.c sshlogin.c monitor_mm.c packet.c sshconnect2.c
sftp-client.c nchan.c clientloop.c sftp.c misc.c canohost.c channels.c
ssh-keygen.c progressmeter.c uidswap.c msg.c readconf.c sshconnect.c]
move #include <errno.h> out of includes.h; ok markus@
|
|
openbsd-compat/daemon.c] Add includes needed by open(2). Conditionally
include paths.h. Fixes build error on Solaris.
|
|
[auth2-none.c authfd.c authfile.c includes.h misc.c monitor.c]
[readpass.c scp.c serverloop.c sftp-client.c sftp-server.c]
[ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c]
[sshlogin.c sshpty.c]
move #include <fcntl.h> out of includes.h
|
|
[authfd.c canohost.c clientloop.c dns.c dns.h includes.h]
[monitor_fdpass.c nchan.c packet.c servconf.c sftp.c ssh-agent.c]
[ssh-keyscan.c ssh.c sshconnect.h sshd.c sshlogin.h]
move #include <sys/socket.h> out of includes.h
|
|
[ssh-keygen.c]
move #include "dns.h" up
|
|
[auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c]
[auth-rhosts.c auth-rsa.c auth.c auth.h auth2-hostbased.c]
[auth2-pubkey.c auth2.c includes.h misc.c misc.h monitor.c]
[monitor_wrap.c monitor_wrap.h scp.c serverloop.c session.c]
[session.h sftp-common.c ssh-add.c ssh-keygen.c ssh-keysign.c]
[ssh.c sshconnect.c sshconnect.h sshd.c sshpty.c sshpty.h uidswap.c]
[uidswap.h]
move #include <pwd.h> out of includes.h; ok markus@
|
|
[scp.c sftp.c ssh-agent.c ssh-keygen.c sshconnect.c]
fix leak; coverity via Kylene Jo Hall
|
|
[ssh-keygen.c]
Correctly handle truncated files while converting keys; ok djm@
|
|
[ssh-keygen.c]
cast strtonum() result to right type
|
|
[atomicio.c auth-bsdauth.c auth-chall.c auth-options.c auth-passwd.c]
[auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth-skey.c auth.c auth1.c]
[auth2-chall.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
[auth2-passwd.c auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c]
[buffer.c canohost.c channels.c cipher-3des1.c cipher-bf1.c]
[cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c compress.c]
[deattack.c dh.c dispatch.c fatal.c groupaccess.c hostfile.c kex.c]
[kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c]
[mac.c match.c md-sha256.c misc.c monitor.c monitor_fdpass.c]
[monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c progressmeter.c]
[readconf.c readpass.c rsa.c scard.c scp.c servconf.c serverloop.c]
[session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c]
[sftp.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
[ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
[sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
[uidswap.c uuencode.c xmalloc.c]
Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files
|
|
[channels.c monitor.c session.c session.h ssh-agent.c ssh-keygen.c]
[ssh-rsa.c ssh.c sshlogin.c]
annoying spacing fixes getting in the way of real diffs
|
|
- jakob@cvs.openbsd.org 2006/03/15 08:46:44
[ssh-keygen.c]
if no key file are given when printing the DNS host record, use the
host key file(s) as default. ok djm@
|
|
[atomicio.c auth-bsdauth.c auth-chall.c auth-krb5.c auth-options.c]
[auth-pam.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c]
[auth-shadow.c auth-skey.c auth.c auth1.c auth2-chall.c]
[auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c]
[auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c buffer.c]
[canohost.c channels.c cipher-3des1.c cipher-acss.c cipher-aes.c]
[cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
[compress.c deattack.c dh.c dispatch.c dns.c entropy.c fatal.c]
[groupaccess.c hostfile.c includes.h kex.c kexdh.c kexdhc.c]
[kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c loginrec.c]
[loginrec.h logintest.c mac.c match.c md-sha256.c md5crypt.c misc.c]
[monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c msg.c]
[nchan.c packet.c progressmeter.c readconf.c readpass.c rsa.c]
[scard.c scp.c servconf.c serverloop.c session.c sftp-client.c]
[sftp-common.c sftp-glob.c sftp-server.c sftp.c ssh-add.c]
[ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
[ssh-rand-helper.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
[sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
[uidswap.c uuencode.c xmalloc.c openbsd-compat/bsd-arc4random.c]
[openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-cygwin_util.c]
[openbsd-compat/bsd-getpeereid.c openbsd-compat/bsd-misc.c]
[openbsd-compat/bsd-nextstep.c openbsd-compat/bsd-snprintf.c]
[openbsd-compat/bsd-waitpid.c openbsd-compat/fake-rfc2553.c]
RCSID() can die
|
|
[ssh-keygen.c]
Make ssh-keygen handle CR and CRLF line termination when converting IETF
format keys, in adition to vanilla LF. mindrot #1157, tested by Chris
Pepper, ok djm@
|
|
[clientloop.c includes.h monitor.c progressmeter.c scp.c]
[serverloop.c session.c sftp.c ssh-agent.c ssh.c sshd.c]
move #include <signal.h> out of includes.h; ok markus@
|
|
[ssh-keygen.c]
Populate default key sizes before checking them; from & ok tim@
|
|
bits == 0.
|
|
Enforce DSA key length of exactly 1024 bits to comply with FIPS-186-2,
increase minumum RSA key size to 768 bits and update man page to reflect
these. Patch originally bz#1119 (senthilkumar_sen at hotpop.com),
ok djm@, grudging ok deraadt@.
|
|
[ssh-keygen.1 ssh-keygen.c]
generate a protocol 2 RSA key by default
|
|
[clientloop.c packet.c serverloop.c session.c ssh-agent.c ssh-keygen.c]
[ssh.c sshconnect.c sshconnect1.c sshd.c]
no need to escape single quotes in comments, no binary change
|
|
[ssh-keygen.c ssh.c sshconnect2.c]
no trailing "\n" for log functions; ok djm@
|
|
- markus@cvs.openbsd.org 2005/10/07 11:13:57
[ssh-keygen.c]
change DSA default back to 1024, as it's defined for 1024 bits only
and this causes interop problems with other clients. moreover,
in order to improve the security of DSA you need to change more
components of DSA key generation (e.g. the internal SHA1 hash);
ok deraadt
|
|
[sshd.c ssh.c misc.h sftp.c ssh-keygen.c ssh-keysign.c sftp-server.c
scp.c misc.c ssh-keyscan.c ssh-add.c ssh-agent.c]
ensure that stdio fds are attached; ok deraadt@
|
|
[auth-rh-rsa.c auth-rhosts.c auth2-chall.c auth2-gss.c channels.c]
[cipher-ctr.c gss-genr.c gss-serv.c kex.c moduli.c readconf.c]
[serverloop.c session.c sftp-client.c sftp.c ssh-add.c ssh-keygen.c]
[sshconnect.c sshconnect2.c]
knf says that a 2nd level indent is four (not three or five) spaces
|
