Age | Commit message (Collapse) | Author |
|
[auth1.c auth-rsa.c channels.c dispatch.c kex.c kexdh.c kexgex.c packet.c packet.h serverloop.c session.c ssh.c sshconnect1.c sshconnect2.c sshd.c]
packet_read* no longer return the packet length, since it's not used.
|
|
[auth1.c auth-rsa.c channels.c clientloop.c packet.c packet.h serverloop.c session.c ssh.c sshconnect1.c sshd.c ttymodes.c]
get rid of packet_integrity_check, use packet_done() instead.
|
|
[auth2.c auth2-chall.c channels.c channels.h clientloop.c dispatch.c]
[dispatch.h kex.c kex.h packet.c packet.h serverloop.c ssh.c]
[sshconnect2.c]
Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@
|
|
[auth1.c auth2.c auth2-chall.c auth-bsdauth.c auth.c authfile.c auth.h]
[auth-krb4.c auth-rhosts.c auth-skey.c bufaux.c canohost.c channels.c]
[cipher.c clientloop.c compat.c compress.c deattack.c key.c log.c mac.c]
[match.c misc.c nchan.c packet.c readconf.c rijndael.c rijndael.h scard.c]
[servconf.c servconf.h serverloop.c session.c sftp.c sftp-client.c]
[sftp-glob.c sftp-int.c sftp-server.c ssh-add.c ssh-agent.c ssh.c]
[sshconnect1.c sshconnect2.c sshconnect.c sshd.8 sshd.c sshd_config]
[ssh-keygen.c sshlogin.c sshpty.c sshtty.c ttymodes.c uidswap.c]
basic KNF done while i was looking for something else
|
|
[authfd.c authfile.c bufaux.c channels.c compat.c kex.c kexgex.c
key.c misc.c packet.c servconf.c ssh-agent.c sshconnect2.c
sshconnect.c sshd.c ssh-dss.c ssh-keygen.c ssh-rsa.c]
minor KNF
|
|
[auth1.c auth2.c canohost.c channels.c deattack.c packet.c scp.c
sshconnect2.c]
make it compile with more strict prototype checking
|
|
[packet.c packet.h sshconnect2.c]
pad using the padding field from the ssh2 packet instead of sending
extra ignore messages. tested against several other ssh servers.
|
|
[sshconnect2.c]
hostbased: check for client hostkey before building chost
|
|
[sshconnect1.c sshconnect2.c sshconnect.c]
unify hostkey check error messages, simplify prompt.
|
|
[sshconnect2.c]
disable kbd-interactive if we don't get
SSH2_MSG_USERAUTH_INFO_REQUEST messages
|
|
[sshconnect2.c]
reorder default sequence of userauth methods to match ssh behaviour:
hostbased,publickey,keyboard-interactive,password
|
|
[key.c key.h ssh.c sshconnect1.c sshconnect2.c]
add smartcard support to the client, too (now you can use both
the agent and the client).
|
|
[auth2.c sshconnect2.c]
prototype cleanup; ok markus@
|
|
[sshconnect2.c]
oops, missing format string
|
|
[readpass.c readpass.h ssh-add.c sshconnect2.c ssh-keygen.c]
switch to readpassphrase(3)
2.7/8-stable needs readpassphrase.[ch] from libc
|
|
[auth1.c auth2.c auth2-chall.c authfd.c authfile.c auth-rhosts.c
canohost.c channels.c cipher.c clientloop.c deattack.c dh.c
hostfile.c kex.c kexdh.c kexgex.c key.c nchan.c packet.c radix.c
readpass.c scp.c servconf.c serverloop.c session.c sftp.c
sftp-client.c sftp-glob.c sftp-int.c sftp-server.c ssh-add.c
ssh-agent.c ssh.c sshconnect1.c sshconnect2.c sshconnect.c sshd.c
ssh-keygen.c ssh-keyscan.c]
more strict prototypes. raise warning level in Makefile.inc.
markus ok'ed
TODO; cleanup headers
|
|
[kexdh.c kexgex.c kex.h pathnames.h readconf.c servconf.h ssh.1
sshconnect1.c sshconnect2.c sshconnect.c sshconnect.h sshd.8]
get rid of known_hosts2, use it for hostkey lookup, but do not
modify.
|
|
[ssh.1 sshconnect2.c]
change preferredauthentication order to
publickey,hostbased,password,keyboard-interactive
document that hostbased defaults to no, document order
|
|
[auth-chall.c auth.h auth1.c auth2-chall.c auth2.c readconf.c
readconf.h servconf.c servconf.h sshconnect1.c sshconnect2.c sshd.c]
improved kbd-interactive support. work by per@appgate.com and me
|
|
[auth2.c compat.c sshconnect2.c]
more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now
(however the 2.1.0 server seems to work only if debug is enabled...)
|
|
[auth2.c sshconnect2.c]
use FDQN with trailing dot in the hostbased auth packets, ok deraadt@
|
|
[key.c key.h readconf.c readconf.h ssh.1 sshconnect2.c]
add HostKeyAlgorithms; based on patch from res@shore.net; ok provos@
|
|
[dh.c sftp-glob.c sftp-glob.h sftp-int.c sshconnect2.c sshd.c]
some unused variable and typos; from tomh@po.crl.go.jp
|
|
[auth-rhosts.c auth.h auth2.c buffer.c canohost.c canohost.h
compat.c compat.h hostfile.c pathnames.h readconf.c readconf.h
servconf.c servconf.h ssh.c sshconnect.c sshconnect.h sshconnect1.c
sshconnect2.c sshd_config]
implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)
|
|
[auth-chall.c authfd.c channels.c clientloop.c kex.c kexgex.c key.c
mac.c packet.c serverloop.c sftp-client.c sftp-client.h sftp-glob.c
sftp-glob.h sftp-int.c sftp-server.c sftp.c ssh-keygen.c sshconnect.c
sshconnect2.c sshd.c]
fix whitespace: unexpand + trailing spaces.
|
|
[channels.c channels.h clientloop.c kex.c kex.h serverloop.c
sshconnect2.c sshd.c]
more robust rekeying
don't send channel data after rekeying is started.
|
|
[clientloop.c kex.c kex.h serverloop.c sshconnect2.c sshd.c]
enable server side rekeying + some rekey related clientup.
todo: we should not send any non-KEX messages after we send KEXINIT
|
|
[kex.c kex.h kexdh.c kexgex.c packet.c sshconnect2.c sshd.c]
don't sent multiple kexinit-requests.
send newkeys, block while waiting for newkeys.
fix comments.
|
|
[clientloop.c sshconnect2.c]
enable client rekeying
(1) force rekeying with ~R, or
(2) if the server requests rekeying.
works against ssh-2.0.12/2.0.13/2.1.0/2.2.0/2.3.0/2.3.1/2.4.0
|
|
[kex.c kex.h packet.c sshconnect2.c sshd.c]
undo parts of recent my changes: main part of keyexchange does not
need dispatch-callbacks, since application data is delayed until
the keyexchange completes (if i understand the drafts correctly).
add some infrastructure for re-keying.
|
|
[dh.c dh.h kex.c kex.h sshconnect2.c sshd.c]
move kex to kex*.c, used dispatch_set() callbacks for kex. should
make rekeying easier.
|
|
- stevesk@cvs.openbsd.org 2001/03/29 21:06:21
[sshconnect2.c sshd.c]
need to set both STOC and CTOS for SSH_BUG_BIGENDIANAES; ok markus@
|
|
- provos@cvs.openbsd.org 2001/03/29 14:24:59
[sshconnect2.c]
use recommended defaults
|
|
- provos@cvs.openbsd.org 2001/03/28 21:59:41
[kex.c kex.h sshconnect2.c sshd.c]
forgot to include min and max params in hash, okay markus@
|
|
[compat.c compat.h dh.c dh.h ssh2.h sshconnect2.c sshd.c version.h]
make dh group exchange more flexible, allow min and max group size,
okay markus@, deraadt@
|
|
[authfile.c authfile.h ssh-add.c ssh-keygen.c ssh.c sshconnect.c
sshconnect.h sshconnect1.c sshconnect2.c sshd.c]
simpler key load/save interface, see authfile.h
|
|
[compat.c compat.h sshconnect2.c sshd.c]
Compat for OpenSSH with broken Rijndael/AES. ok markus@
|
|
- markus@cvs.openbsd.org 2001/03/12 22:02:02
[key.c key.h ssh-add.c ssh-keygen.c sshconnect.c sshconnect2.c]
remove old key_fingerprint interface, s/_ex//
|
|
[kex.c match.c match.h readconf.c readconf.h sshconnect2.c]
add PreferredAuthentications
|
|
[sshconnect2.c]
ignore nonexisting private keys; report rjmooney@mediaone.net
|
|
[compat.c compat.h readconf.h ssh.c sshconnect1.c sshconnect2.c]
implement client side of SSH2_MSG_USERAUTH_PK_OK (test public key ->
no need to do enter passphrase or do expensive sign operations if the
server does not accept key).
|
|
[kex.c kex.h sshconnect2.c sshd.c]
generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.
References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
|
|
[packet.c packet.h sshconnect2.c]
in ssh protocol v2 use ignore messages for padding (instead of
trailing \0).
|
|
- markus@cvs.openbsd.org 2001/02/15 16:19:59
[channels.c channels.h serverloop.c sshconnect.c sshconnect.h]
[sshconnect1.c sshconnect2.c]
genericize password padding function for SSH1 and SSH2.
add stylized echo to 2, too.
- (djm) Add roundup() macro to defines.h
|
|
[Makefile.in sshd.8 sshconnect2.c readconf.h readconf.c packet.c
sshd.c ssh.c ssh.1 servconf.h servconf.c myproposal.h kex.h kex.c]
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
|
|
[sshconnect2.c]
do not ask for passphrase in batch mode; report from ejb@ql.org
- itojun@cvs.opebsd.org 2001/02/08 10:47:05
[sshconnect2.c]
%.30s is too short for IPv6 numeric address. use %.128s for now.
markus ok
- markus@cvs.openbsd.org 2001/02/09 12:28:35
[sshconnect2.c]
do not free twice, thanks to /etc/malloc.conf
- markus@cvs.openbsd.org 2001/02/09 17:10:53
[sshconnect2.c]
partial success: debug->log; "Permission denied" if no more auth methods
- markus@cvs.openbsd.org 2001/02/10 12:09:21
[sshconnect2.c]
remove some lines
|
|
[sshconnect2.c]
unused
|
|
[many files; did this manually to our top-level source dir]
unexpand and remove end-of-line whitespace; ok markus@
|
|
[auth1.c auth2.c readconf.c readconf.h servconf.c servconf.h
sshconnect1.c sshconnect2.c sshd.c]
rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
|
|
- markus@cvs.openbsd.org 2001/01/22 8:15:00
[auth-krb4.c sshconnect1.c]
only AFS needs radix.[ch]
- markus@cvs.openbsd.org 2001/01/22 8:32:53
[auth2.c]
no need to include; from mouring@etoh.eviladmin.org
- stevesk@cvs.openbsd.org 2001/01/22 16:55:21
[key.c]
free() -> xfree(); ok markus@
- stevesk@cvs.openbsd.org 2001/01/22 17:22:28
[sshconnect2.c sshd.c]
fix memory leaks in SSH2 key exchange; ok markus@
|