From eb8b60e320cdade9f4c07e2abacfb92c52e01348 Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Tue, 31 Aug 2010 22:41:14 +1000
Subject: - djm@cvs.openbsd.org 2010/08/31 11:54:45 [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c] [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c] [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c] [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c] [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h] [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5] [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c] Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented). Certificate host and user keys using the new ECDSA key types are supported. Note that this code has not been tested for interoperability and may be subject to change. feedback and ok markus@
---
 ssh-agent.1 | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
(limited to 'ssh-agent.1')
diff --git a/ssh-agent.1 b/ssh-agent.1
index f65e8e625..88ad490bc 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.50 2010/01/17 21:49:09 tedu Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.51 2010/08/31 11:54:45 djm Exp $
 .\"
 .\" Author: Tatu Ylonen
 .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 17 2010 $
+.Dd $Mdocdate: August 31 2010 $
 .Dt SSH-AGENT 1
 .Os
 .Sh NAME
@@ -53,7 +53,7 @@
 .Sh DESCRIPTION
 .Nm
 is a program to hold private keys used for public key authentication
-(RSA, DSA).
+(RSA, DSA, ECDSA).
 The idea is that
 .Nm
 is started in the beginning of an X-session or a login session, and
@@ -114,7 +114,8 @@ When executed without arguments,
 .Xr ssh-add 1
 adds the files
 .Pa ~/.ssh/id_rsa ,
-.Pa ~/.ssh/id_dsa
+.Pa ~/.ssh/id_dsa ,
+.Pa ~/.ssh/id_ecdsa
 and
 .Pa ~/.ssh/identity .
 If the identity has a passphrase,
@@ -187,6 +188,8 @@ line terminates.
 Contains the protocol version 1 RSA authentication identity of the user.
 .It Pa ~/.ssh/id_dsa
 Contains the protocol version 2 DSA authentication identity of the user.
+.It Pa ~/.ssh/id_ecdsa
+Contains the protocol version 2 ECDSA authentication identity of the user.
 .It Pa ~/.ssh/id_rsa
 Contains the protocol version 2 RSA authentication identity of the user.
 .It Pa /tmp/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt
-- cgit v1.2.3
From de735ea3bddf5813aabd76de18151e55172626b3 Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Fri, 10 Sep 2010 11:12:38 +1000
Subject: - jmc@cvs.openbsd.org 2010/08/31 17:40:54 [ssh-agent.1] fix some macro abuse;
---
 ChangeLog | 3 +++
 ssh-agent.1 | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)
(limited to 'ssh-agent.1')
diff --git a/ChangeLog b/ChangeLog
index 594ebc24c..50dd15954 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,9 @@ engineering: OpenSSL_add_all_algorithms is the name of the function we have a man page for, so use that. ok djm + - jmc@cvs.openbsd.org 2010/08/31 17:40:54 + [ssh-agent.1] + fix some macro abuse; 20100831 - OpenBSD CVS Sync
diff --git a/ssh-agent.1 b/ssh-agent.1
index 88ad490bc..134b93ae9 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.51 2010/08/31 11:54:45 djm Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.52 2010/08/31 17:40:54 jmc Exp $
 .\"
 .\" Author: Tatu Ylonen
 .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -42,13 +42,13 @@
 .Nd authentication agent
 .Sh SYNOPSIS
 .Nm ssh-agent
-.Op Fl c Li | Fl s
+.Op Fl c | s
 .Op Fl d
 .Op Fl a Ar bind_address
 .Op Fl t Ar life
 .Op Ar command Op Ar arg ...
 .Nm ssh-agent
-.Op Fl c Li | Fl s
+.Op Fl c | s
 .Fl k
 .Sh DESCRIPTION
 .Nm
-- cgit v1.2.3
From 2cd629349d9fc4067985fec04b23bfb5ff7aa8d8 Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Wed, 1 Dec 2010 11:50:35 +1100
Subject: - djm@cvs.openbsd.org 2010/11/21 01:01:13 [clientloop.c misc.c misc.h ssh-agent.1 ssh-agent.c] honour $TMPDIR for client xauth and ssh-agent temporary directories; feedback and ok markus@
---
 ChangeLog | 4 ++++
 clientloop.c | 4 ++--
 misc.c | 19 ++++++++++++++++++-
 misc.h | 3 ++-
 ssh-agent.1 | 8 ++++----
 ssh-agent.c | 4 ++--
 6 files changed, 32 insertions(+), 10 deletions(-)
(limited to 'ssh-agent.1')
diff --git a/ChangeLog b/ChangeLog
index 05d9962ff..09e5ee805 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,10 @@ - deraadt@cvs.openbsd.org 2010/11/20 05:12:38 [auth2-pubkey.c] clean up cases of ;; + - djm@cvs.openbsd.org 2010/11/21 01:01:13 + [clientloop.c misc.c misc.h ssh-agent.1 ssh-agent.c] + honour $TMPDIR for client xauth and ssh-agent temporary directories; + feedback and ok markus@ 20101124 - (dtucker) [platform.c session.c] Move the getluid call out of session.c and
diff --git a/clientloop.c b/clientloop.c
index 52dcb4c04..076386cc2 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.224 2010/11/13 23:27:50 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.225 2010/11/21 01:01:13 djm Exp $ */
 /*
  * Author: Tatu Ylonen
  * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -325,7 +325,7 @@ client_x11_get_proto(const char *display, const char *xauth_path,
 	if (trusted == 0) {
 		xauthdir = xmalloc(MAXPATHLEN);
 		xauthfile = xmalloc(MAXPATHLEN);
-		strlcpy(xauthdir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN);
+		mktemp_proto(xauthdir, MAXPATHLEN);
 		if (mkdtemp(xauthdir) != NULL) {
 			do_unlink = 1;
 			snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile",
diff --git a/misc.c b/misc.c
index b88f5aaa8..1c57ce0ac 100644
--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.83 2010/11/13 23:27:50 djm Exp $ */
+/* $OpenBSD: misc.c,v 1.84 2010/11/21 01:01:13 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  * Copyright (c) 2005,2006 Damien Miller. All rights reserved.
@@ -916,6 +916,23 @@ bandwidth_limit(struct bwlimit *bw, size_t read_len)
 	gettimeofday(&bw->bwstart, NULL);
 }
 
+/* Make a template filename for mk[sd]temp() */
+void
+mktemp_proto(char *s, size_t len)
+{
+	const char *tmpdir;
+	int r;
+
+	if ((tmpdir = getenv("TMPDIR")) != NULL) {
+		r = snprintf(s, len, "%s/ssh-XXXXXXXXXXXX", tmpdir);
+		if (r > 0 && (size_t)r < len)
+			return;
+	}
+	r = snprintf(s, len, "/tmp/ssh-XXXXXXXXXXXX");
+	if (r < 0 || (size_t)r >= len)
+		fatal("%s: template string too short", __func__);
+}
+
 static const struct {
 	const char *name;
 	int value;
diff --git a/misc.h b/misc.h
index a81ace309..65cf4a616 100644
--- a/misc.h
+++ b/misc.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.h,v 1.46 2010/11/13 23:27:50 djm Exp $ */
+/* $OpenBSD: misc.h,v 1.47 2010/11/21 01:01:13 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen
@@ -89,6 +89,7 @@ void bandwidth_limit_init(struct bwlimit *, u_int64_t, size_t);
 void bandwidth_limit(struct bwlimit *, size_t);
 int parse_ipqos(const char *);
+void mktemp_proto(char *, size_t);
 /* readpass.c */
diff --git a/ssh-agent.1 b/ssh-agent.1
index 134b93ae9..bb801c902 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
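Review bot: Now that mktemp_proto() lets $TMPDIR set the length of xauthdir, the snprintf that builds xauthfile on the last line of the hunk can truncate, which the old fixed "/tmp/ssh-XXXXXXXXXX" prefix could never do, and its return value is not checked on the visible line (the argument list continues past the hunk). I would capture it and treat truncation the same way the code treats a failed mkdtemp, e.g. `r = snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile", xauthdir);` then `if (r < 0 || r >= MAXPATHLEN) { /* fall back as for mkdtemp failure */ }`. The same consideration presumably applies to the socket path ssh-agent.c later derives from socket_dir in this commit's last hunk, which is not visible there. client_x11_get_proto() starts and ends outside this hunk.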
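Review bot: mktemp_proto() treats an empty TMPDIR as a real directory: with `TMPDIR=` in the environment the template becomes "/ssh-XXXXXXXXXXXX" at the filesystem root, where mkdtemp() fails for an unprivileged user and both callers then give up, whereas the usual convention is to treat an empty TMPDIR like an unset one; suggest `if ((tmpdir = getenv("TMPDIR")) != NULL && *tmpdir != '\0') {`. When the $TMPDIR form does not fit in len the function silently falls back to /tmp, which deserves at least a debug() call so the user can see why the directory did not land where expected. Also, the template here has twelve X's while the ssh-agent.1 hunks in this same commit document `ssh-XXXXXXXXXX` with ten; one of the two should be adjusted so the manual matches the code.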
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.52 2010/08/31 17:40:54 jmc Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.53 2010/11/21 01:01:13 djm Exp $
 .\"
 .\" Author: Tatu Ylonen
 .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 31 2010 $
+.Dd $Mdocdate: November 21 2010 $
 .Dt SSH-AGENT 1
 .Os
 .Sh NAME
@@ -72,7 +72,7 @@ Bind the agent to the socket
 .Ar bind_address .
 The default is
-.Pa /tmp/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt .
+.Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt .
 .It Fl c
 Generate C-shell commands on
 .Dv stdout .
@@ -192,7 +192,7 @@ Contains the protocol version 2 DSA authentication identity of the user.
 Contains the protocol version 2 ECDSA authentication identity of the user.
 .It Pa ~/.ssh/id_rsa
 Contains the protocol version 2 RSA authentication identity of the user.
-.It Pa /tmp/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt
+.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt
 .Ux Ns -domain sockets used to contain the connection to the
 authentication agent.
 These sockets should only be readable by the owner.
diff --git a/ssh-agent.c b/ssh-agent.c
index a978d293b..afba413d7 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.170 2010/08/31 12:33:38 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.171 2010/11/21 01:01:13 djm Exp $ */
 /*
  * Author: Tatu Ylonen
  * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -1232,7 +1232,7 @@ main(int ac, char **av)
 
 	if (agentsocket == NULL) {
 		/* Create private directory for agent socket */
-		strlcpy(socket_dir, "/tmp/ssh-XXXXXXXXXX", sizeof socket_dir);
+		mktemp_proto(socket_dir, sizeof(socket_dir));
 		if (mkdtemp(socket_dir) == NULL) {
 			perror("mkdtemp: private socket dir");
 			exit(1);
-- cgit v1.2.3