Age | Commit message (Collapse) | Author |
|
- djm@cvs.openbsd.org 2003/06/04 08:25:18
[sshconnect.c]
disable challenge/response and keyboard-interactive auth methods
upon hostkey mismatch. based on patch from fcusack AT fcusack.com.
bz #580; ok markus@
|
|
[sshconnect.c]
fix format strings; ok markus@
|
|
[sshconnect.c]
fix leak; ok markus@
|
|
[readconf.c readconf.h ssh_config ssh_config.5 sshconnect.c]
add a ConnectTimeout option to ssh, based on patch from
Jean-Charles Longuet (jclonguet at free.fr); portable #207 ok markus@
|
|
[key.c key.h readconf.c readconf.h ssh_config.5 sshconnect.c]
[dns.c dns.h README.dns ssh-keygen.1 ssh-keygen.c]
add experimental support for verifying hos keys using DNS as described
in draft-ietf-secsh-dns-xx.txt. more information in README.dns.
ok markus@ and henning@
|
|
[channels.c sshconnect.c sshd.c ssh-keyscan.c]
avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP
|
|
|
|
|
|
[auth-krb5.c auth1.c hostfile.h monitor_wrap.c sftp-client.c sftp-int.c ssh-add.c ssh-rsa.c
sshconnect.c]
KNF
|
|
[cipher.c kex.c packet.c sshconnect.c sshconnect2.c]
debug->debug2, unify debug messages
|
|
[ssh.c sshconnect.c]
bugzilla.mindrot.org #223 - ProxyCommands don't exit.
Patch from dtucker@zip.com.au; ok markus@
|
|
[channels.c sshconnect.c sshd.c]
remove use of SO_LINGER, it should not be needed. error check
SO_REUSEADDR. fixup comments. ok markus@
|
|
[sshconnect.c]
print file:line
|
|
[hostfile.c hostfile.h sshconnect.c]
print out all known keys for a host if we get a unknown host key,
see discussion at http://marc.theaimsgroup.com/?t=101069210100016&r=1&w=4
the ssharp mitm tool attacks users in a similar way, so i'd like to
pointed out again:
A MITM attack is always possible if the ssh client prints:
The authenticity of host 'bla' can't be established.
(protocol version 2 with pubkey authentication allows you to detect
MITM attacks)
|
|
[sshconnect.c]
print connect failure during debugging mode.
|
|
[sshconnect.c]
bark if all connection attempt fails.
|
|
[sshconnect.c]
ed static function (less warnings)
|
|
[sshconnect.c]
silently try next address on connect(2). markus ok
|
|
[dh.c ssh-keyscan.c sshconnect.c]
more checks for NULL pointers; from grendel@zeitbombe.org; ok deraadt@
|
|
[scard.c ssh-dss.c ssh-rsa.c sshconnect.c sshconnect2.c sshd.c sshlogin.c
sshpty.c]
various KNF and %d for unsigned
|
|
[auth-bsdauth.c auth-skey.c auth1.c auth2-chall.c auth2-none.c authfd.c
authfd.h monitor_wrap.c msg.c nchan.c radix.c readconf.c scp.c sftp.1
ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c
ssh-keysign.c ssh.1 sshconnect.c sshconnect.h sshconnect2.c ttymodes.c
xmalloc.h]
KNF done automatically while reading....
|
|
[ssh.c sshconnect.c sshconnect.h]
no longer use uidswap.[ch] from the ssh client
run less code with euid==0 if ssh is installed setuid root
just switch the euid, don't switch the complete set of groups
(this is only needed by sshd). ok provos@
|
|
[sshconnect.c]
pass salen to sockaddr_ntop so that we are happy on linux/solaris
|
|
[sshconnect.c]
abort() - > fatal()
|
|
[sshconnect.c]
always use getnameinfo. (diag message only)
|
|
[authfile.c authfile.h pathnames.h ssh.c sshconnect.c sshconnect.h
sshconnect1.c sshconnect2.c ssh-keysign.8 ssh-keysign.c Makefile.in]
add /usr/libexec/ssh-keysign: a setuid helper program for hostbased
authentication in protocol v2 (needs to access the hostkeys).
Note: Makefile.in untested. Will test after merge is finished.
|
|
|
|
[sshconnect.c]
use read_passphrase+ECHO in confirm(), allows use of ssh-askpass
for hostkey confirm.
|
|
[auth1.c auth2.c auth2-chall.c auth-bsdauth.c auth.c authfile.c auth.h]
[auth-krb4.c auth-rhosts.c auth-skey.c bufaux.c canohost.c channels.c]
[cipher.c clientloop.c compat.c compress.c deattack.c key.c log.c mac.c]
[match.c misc.c nchan.c packet.c readconf.c rijndael.c rijndael.h scard.c]
[servconf.c servconf.h serverloop.c session.c sftp.c sftp-client.c]
[sftp-glob.c sftp-int.c sftp-server.c ssh-add.c ssh-agent.c ssh.c]
[sshconnect1.c sshconnect2.c sshconnect.c sshd.8 sshd.c sshd_config]
[ssh-keygen.c sshlogin.c sshpty.c sshtty.c ttymodes.c uidswap.c]
basic KNF done while i was looking for something else
|
|
[channels.c sshconnect.c]
shutdown(sock, SHUT_RDWR) not needed here; ok markus@
|
|
[authfd.c authfile.c bufaux.c channels.c compat.c kex.c kexgex.c
key.c misc.c packet.c servconf.c ssh-agent.c sshconnect2.c
sshconnect.c sshd.c ssh-dss.c ssh-keygen.c ssh-rsa.c]
minor KNF
|
|
[session.c]
chdir $HOME after krb_afslog(); from bbense@networking.stanford.edu
|
|
[sshconnect.c]
use correct family for -b option
|
|
[sshconnect1.c sshconnect2.c sshconnect.c]
unify hostkey check error messages, simplify prompt.
|
|
[sshconnect.c]
remove unused argument
|
|
[readconf.c readconf.h ssh.1 sshconnect.c]
add NoHostAuthenticationForLocalhost; note that the hostkey is
now check for localhost, too.
|
|
openbsd-compat/openbsd-compat.h ] Add inet_ntop.c inet_ntop.h back
in. Needed for sshconnect.c
[sshconnect.c] fix INET6_ADDRSTRLEN for non IPv6 machines
[configure.in] make tests with missing libraries fail
patch by Wendy Palm <wendyp@cray.com>
Added openbsd-compat/bsd-cray.h. Selective patches from
William L. Jones <jones@mail.utexas.edu>
|
|
[readconf.c ssh.1 ssh.c sshconnect.c]
cleanup connect(); connection_attempts 4 -> 1; from
eivind@freebsd.org
|
|
[auth1.c auth2.c auth2-chall.c authfd.c authfile.c auth-rhosts.c
canohost.c channels.c cipher.c clientloop.c deattack.c dh.c
hostfile.c kex.c kexdh.c kexgex.c key.c nchan.c packet.c radix.c
readpass.c scp.c servconf.c serverloop.c session.c sftp.c
sftp-client.c sftp-glob.c sftp-int.c sftp-server.c ssh-add.c
ssh-agent.c ssh.c sshconnect1.c sshconnect2.c sshconnect.c sshd.c
ssh-keygen.c ssh-keyscan.c]
more strict prototypes. raise warning level in Makefile.inc.
markus ok'ed
TODO; cleanup headers
|
|
[kexdh.c kexgex.c kex.h pathnames.h readconf.c servconf.h ssh.1
sshconnect1.c sshconnect2.c sshconnect.c sshconnect.h sshd.8]
get rid of known_hosts2, use it for hostkey lookup, but do not
modify.
|
|
[authfd.c authfile.c channels.c kexdh.c kexgex.c packet.c ssh.c
sshconnect.c sshconnect1.c]
use xxx_put_cstring()
|
|
[packet.c packet.h sshconnect.c sshd.c]
remove some lines, simplify.
|
|
[readconf.c readconf.h ssh.1 ssh.c sshconnect.c]
implement 'ssh -b bind_address' like 'telnet -b'
|
|
[auth-rhosts.c auth.h auth2.c buffer.c canohost.c canohost.h
compat.c compat.h hostfile.c pathnames.h readconf.c readconf.h
servconf.c servconf.h ssh.c sshconnect.c sshconnect.h sshconnect1.c
sshconnect2.c sshd_config]
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)
|
|
[auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth2.c channels.c session.c
ssh.c sshconnect.c sshconnect.h uidswap.c uidswap.h]
do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.
|
|
[auth-chall.c authfd.c channels.c clientloop.c kex.c kexgex.c key.c
mac.c packet.c serverloop.c sftp-client.c sftp-client.h sftp-glob.c
sftp-glob.h sftp-int.c sftp-server.c sftp.c ssh-keygen.c sshconnect.c
sshconnect2.c sshd.c]
fix whitespace: unexpand + trailing spaces.
|
|
[authfile.c authfile.h ssh-add.c ssh-keygen.c ssh.c sshconnect.c
sshconnect.h sshconnect1.c sshconnect2.c sshd.c]
simpler key load/save interface, see authfile.h
|
|
- markus@cvs.openbsd.org 2001/03/12 22:02:02
[key.c key.h ssh-add.c ssh-keygen.c sshconnect.c sshconnect2.c]
remove old key_fingerprint interface, s/_ex//
|
|
[compat.c compat.h sshconnect.c]
all known netscreen ssh versions, and older versions of OSU ssh cannot
handle password padding (newer OSU is fixed)
|
|
[authfd.c channels.c dh.c log.c readconf.c servconf.c sftp-int.c
ssh.c sshconnect.c sshd.c]
log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.
|