From 50a48d025ffc961c3f5e48f521b406d7c49681bb Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 6 Sep 2012 21:25:37 +1000 Subject: - dtucker@cvs.openbsd.org 2012/09/06 04:37:39 [clientloop.c log.c ssh.1 log.h] Add ~v and ~V escape sequences to raise and lower the logging level respectively. Man page help from jmc, ok deraadt jmc --- ssh.1 | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'ssh.1') diff --git a/ssh.1 b/ssh.1 index eaf5d83db..65342ff8f 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.326 2012/06/18 12:17:18 dtucker Exp $ -.Dd $Mdocdate: June 18 2012 $ +.\" $OpenBSD: ssh.1,v 1.327 2012/09/06 04:37:39 dtucker Exp $ +.Dd $Mdocdate: September 6 2012 $ .Dt SSH 1 .Os .Sh NAME @@ -926,6 +926,14 @@ option. .It Cm ~R Request rekeying of the connection (only useful for SSH protocol version 2 and if the peer supports it). +.It Cm ~V +Decrease the verbosity +.Pq Ic LogLevel +when errors are being written to stderr. +.It Cm ~v +Increase the verbosit +.Pq Ic LogLevel +when errors are being written to stderr. .El .Sh TCP FORWARDING Forwarding of arbitrary TCP connections over the secure channel can -- cgit v1.2.3 From 83d0af69075269769715b00c21d0debe15986bf2 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 7 Sep 2012 11:21:03 +1000 Subject: - jmc@cvs.openbsd.org 2012/09/06 13:57:42 [ssh.1] missing letter in previous; --- ChangeLog | 3 +++ ssh.1 | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index dead49719..9fb565c6e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,9 @@ [clientloop.c] Make the escape command help (~?) context sensitive so that only commands that will work in the current session are shown. ok markus@ + - jmc@cvs.openbsd.org 2012/09/06 13:57:42 + [ssh.1] + missing letter in previous; 20120906 - (dtucker) OpenBSD CVS Sync diff --git a/ssh.1 b/ssh.1 index 65342ff8f..b218e11d9 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.327 2012/09/06 04:37:39 dtucker Exp $ +.\" $OpenBSD: ssh.1,v 1.328 2012/09/06 13:57:42 jmc Exp $ .Dd $Mdocdate: September 6 2012 $ .Dt SSH 1 .Os @@ -931,7 +931,7 @@ Decrease the verbosity .Pq Ic LogLevel when errors are being written to stderr. .It Cm ~v -Increase the verbosit +Increase the verbosity .Pq Ic LogLevel when errors are being written to stderr. .El -- cgit v1.2.3 From 628a3fdce25afcff19aaa981040198ccfa49e109 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 5 Oct 2012 10:50:15 +1000 Subject: - jmc@cvs.openbsd.org 2012/09/26 16:12:13 [ssh.1] last stage of rfc changes, using consistent Rs/Re blocks, and moving the references into a STANDARDS section; --- ChangeLog | 4 +++ ssh.1 | 101 +++++++++++++++++++++++++++++++++++++++++++------------------- 2 files changed, 75 insertions(+), 30 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 6f5072f15..c22e569c6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,10 @@ [sftp.c] Fix handling of filenames containing escaped globbing characters and escape "#" and "*". Patch from Jean-Marc Robert via tech@, ok djm. + - jmc@cvs.openbsd.org 2012/09/26 16:12:13 + [ssh.1] + last stage of rfc changes, using consistent Rs/Re blocks, and moving the + references into a STANDARDS section; 20120917 - (dtucker) OpenBSD CVS Sync diff --git a/ssh.1 b/ssh.1 index b218e11d9..e9bf3eaca 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.328 2012/09/06 13:57:42 jmc Exp $ -.Dd $Mdocdate: September 6 2012 $ +.\" $OpenBSD: ssh.1,v 1.329 2012/09/26 16:12:13 jmc Exp $ +.Dd $Mdocdate: September 26 2012 $ .Dt SSH 1 .Os .Sh NAME @@ -1434,77 +1434,118 @@ if an error occurred. .Xr ssh_config 5 , .Xr ssh-keysign 8 , .Xr sshd 8 +.Sh STANDARDS .Rs +.%A S. Lehtinen +.%A C. Lonvick +.%D January 2006 .%R RFC 4250 -.%T "The Secure Shell (SSH) Protocol Assigned Numbers" -.%D 2006 +.%T The Secure Shell (SSH) Protocol Assigned Numbers .Re +.Pp .Rs +.%A T. Ylonen +.%A C. Lonvick +.%D January 2006 .%R RFC 4251 -.%T "The Secure Shell (SSH) Protocol Architecture" -.%D 2006 +.%T The Secure Shell (SSH) Protocol Architecture .Re +.Pp .Rs +.%A T. Ylonen +.%A C. Lonvick +.%D January 2006 .%R RFC 4252 -.%T "The Secure Shell (SSH) Authentication Protocol" -.%D 2006 +.%T The Secure Shell (SSH) Authentication Protocol .Re +.Pp .Rs +.%A T. Ylonen +.%A C. Lonvick +.%D January 2006 .%R RFC 4253 -.%T "The Secure Shell (SSH) Transport Layer Protocol" -.%D 2006 +.%T The Secure Shell (SSH) Transport Layer Protocol .Re +.Pp .Rs +.%A T. Ylonen +.%A C. Lonvick +.%D January 2006 .%R RFC 4254 -.%T "The Secure Shell (SSH) Connection Protocol" -.%D 2006 +.%T The Secure Shell (SSH) Connection Protocol .Re +.Pp .Rs +.%A J. Schlyter +.%A W. Griffin +.%D January 2006 .%R RFC 4255 -.%T "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints" -.%D 2006 +.%T Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints .Re +.Pp .Rs +.%A F. Cusack +.%A M. Forssen +.%D January 2006 .%R RFC 4256 -.%T "Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)" -.%D 2006 +.%T Generic Message Exchange Authentication for the Secure Shell Protocol (SSH) .Re +.Pp .Rs +.%A J. Galbraith +.%A P. Remaker +.%D January 2006 .%R RFC 4335 -.%T "The Secure Shell (SSH) Session Channel Break Extension" -.%D 2006 +.%T The Secure Shell (SSH) Session Channel Break Extension .Re +.Pp .Rs +.%A M. Bellare +.%A T. Kohno +.%A C. Namprempre +.%D January 2006 .%R RFC 4344 -.%T "The Secure Shell (SSH) Transport Layer Encryption Modes" -.%D 2006 +.%T The Secure Shell (SSH) Transport Layer Encryption Modes .Re +.Pp .Rs +.%A B. Harris +.%D January 2006 .%R RFC 4345 -.%T "Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol" -.%D 2006 +.%T Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol .Re +.Pp .Rs +.%A M. Friedl +.%A N. Provos +.%A W. Simpson +.%D March 2006 .%R RFC 4419 -.%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol" -.%D 2006 +.%T Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol .Re +.Pp .Rs +.%A J. Galbraith +.%A R. Thayer +.%D November 2006 .%R RFC 4716 -.%T "The Secure Shell (SSH) Public Key File Format" -.%D 2006 +.%T The Secure Shell (SSH) Public Key File Format .Re +.Pp .Rs +.%A D. Stebila +.%A J. Green +.%D December 2009 .%R RFC 5656 -.%T "Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer" -.%D 2009 +.%T Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer .Re +.Pp .Rs -.%T "Hash Visualization: a New Technique to improve Real-World Security" .%A A. Perrig .%A D. Song .%D 1999 -.%O "International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)" +.%O International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99) +.%T Hash Visualization: a New Technique to improve Real-World Security .Re .Sh AUTHORS OpenSSH is a derivative of the original and free -- cgit v1.2.3 From 427e409e99d465118fbc2f7c1ca2c5d44365f5a8 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 5 Oct 2012 11:02:39 +1000 Subject: - markus@cvs.openbsd.org 2012/10/04 13:21:50 [myproposal.h ssh_config.5 umac.h sshd_config.5 ssh.1 sshd.8 mac.c] add umac128 variant; ok djm@ at n2k12 (note: further Makefile work is required) --- ChangeLog | 3 +++ mac.c | 15 ++++++++++++++- myproposal.h | 3 ++- ssh.1 | 6 +++--- ssh_config.5 | 6 +++--- sshd.8 | 6 +++--- sshd_config.5 | 6 +++--- umac.h | 8 +++++++- 8 files changed, 38 insertions(+), 15 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index e4899f36e..cb28e777d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,6 +28,9 @@ - djm@cvs.openbsd.org 2012/10/02 07:07:45 [ssh-keygen.c] fix -z option, broken in revision 1.215 + - markus@cvs.openbsd.org 2012/10/04 13:21:50 + [myproposal.h ssh_config.5 umac.h sshd_config.5 ssh.1 sshd.8 mac.c] + add umac128 variant; ok djm@ at n2k12 20120917 - (dtucker) OpenBSD CVS Sync diff --git a/mac.c b/mac.c index 9b450e4e2..47db127f5 100644 --- a/mac.c +++ b/mac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mac.c,v 1.18 2012/06/28 05:07:45 dtucker Exp $ */ +/* $OpenBSD: mac.c,v 1.19 2012/10/04 13:21:50 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -48,6 +48,7 @@ #define SSH_EVP 1 /* OpenSSL EVP-based MAC */ #define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */ +#define SSH_UMAC128 3 struct { char *name; @@ -68,6 +69,7 @@ struct { { "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, -1, -1 }, { "hmac-ripemd160@openssh.com", SSH_EVP, EVP_ripemd160, 0, -1, -1 }, { "umac-64@openssh.com", SSH_UMAC, NULL, 0, 128, 64 }, + { "umac-128@openssh.com", SSH_UMAC128, NULL, 0, 128, 128 }, { NULL, 0, NULL, 0, -1, -1 } }; @@ -122,6 +124,9 @@ mac_init(Mac *mac) case SSH_UMAC: mac->umac_ctx = umac_new(mac->key); return 0; + case SSH_UMAC128: + mac->umac_ctx = umac128_new(mac->key); + return 0; default: return -1; } @@ -151,6 +156,11 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen) umac_update(mac->umac_ctx, data, datalen); umac_final(mac->umac_ctx, m, nonce); break; + case SSH_UMAC128: + put_u64(nonce, seqno); + umac128_update(mac->umac_ctx, data, datalen); + umac128_final(mac->umac_ctx, m, nonce); + break; default: fatal("mac_compute: unknown MAC type"); } @@ -163,6 +173,9 @@ mac_clear(Mac *mac) if (mac->type == SSH_UMAC) { if (mac->umac_ctx != NULL) umac_delete(mac->umac_ctx); + } else if (mac->type == SSH_UMAC128) { + if (mac->umac_ctx != NULL) + umac128_delete(mac->umac_ctx); } else if (mac->evp_md != NULL) HMAC_cleanup(&mac->evp_ctx); mac->evp_md = NULL; diff --git a/myproposal.h b/myproposal.h index b9b819c0a..996c40765 100644 --- a/myproposal.h +++ b/myproposal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.29 2012/06/28 05:07:45 dtucker Exp $ */ +/* $OpenBSD: myproposal.h,v 1.30 2012/10/04 13:21:50 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -86,6 +86,7 @@ "hmac-md5," \ "hmac-sha1," \ "umac-64@openssh.com," \ ++ "umac-128@openssh.com," \ SHA2_HMAC_MODES \ "hmac-ripemd160," \ "hmac-ripemd160@openssh.com," \ diff --git a/ssh.1 b/ssh.1 index e9bf3eaca..a5576edb6 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.329 2012/09/26 16:12:13 jmc Exp $ -.Dd $Mdocdate: September 26 2012 $ +.\" $OpenBSD: ssh.1,v 1.330 2012/10/04 13:21:50 markus Exp $ +.Dd $Mdocdate: October 4 2012 $ .Dt SSH 1 .Os .Sh NAME @@ -674,7 +674,7 @@ it provides additional mechanisms for confidentiality (the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and integrity (hmac-md5, hmac-sha1, hmac-sha2-256, hmac-sha2-512, -umac-64, hmac-ripemd160). +umac-64, umac-128, hmac-ripemd160). Protocol 1 lacks a strong mechanism for ensuring the integrity of the connection. .Pp diff --git a/ssh_config.5 b/ssh_config.5 index 36b1af195..d3e801df0 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.157 2012/06/29 13:57:25 naddy Exp $ -.Dd $Mdocdate: June 29 2012 $ +.\" $OpenBSD: ssh_config.5,v 1.158 2012/10/04 13:21:50 markus Exp $ +.Dd $Mdocdate: October 4 2012 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -792,7 +792,7 @@ for data integrity protection. Multiple algorithms must be comma-separated. The default is: .Bd -literal -offset indent -hmac-md5,hmac-sha1,umac-64@openssh.com, +hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com, hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, hmac-sha1-96,hmac-md5-96 .Ed diff --git a/sshd.8 b/sshd.8 index a1a74d86a..132397839 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.266 2012/06/18 12:07:07 dtucker Exp $ -.Dd $Mdocdate: June 18 2012 $ +.\" $OpenBSD: sshd.8,v 1.267 2012/10/04 13:21:50 markus Exp $ +.Dd $Mdocdate: October 4 2012 $ .Dt SSHD 8 .Os .Sh NAME @@ -316,7 +316,7 @@ The client selects the encryption algorithm to use from those offered by the server. Additionally, session integrity is provided through a cryptographic message authentication code -(hmac-md5, hmac-sha1, umac-64, hmac-ripemd160, +(hmac-md5, hmac-sha1, umac-64, umac-128, hmac-ripemd160, hmac-sha2-256 or hmac-sha2-512). .Pp Finally, the server and the client enter an authentication dialog. diff --git a/sshd_config.5 b/sshd_config.5 index 314ecfb0e..987558ae8 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.144 2012/06/29 13:57:25 naddy Exp $ -.Dd $Mdocdate: June 29 2012 $ +.\" $OpenBSD: sshd_config.5,v 1.145 2012/10/04 13:21:50 markus Exp $ +.Dd $Mdocdate: October 4 2012 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -656,7 +656,7 @@ for data integrity protection. Multiple algorithms must be comma-separated. The default is: .Bd -literal -offset indent -hmac-md5,hmac-sha1,umac-64@openssh.com, +hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com, hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, hmac-sha1-96,hmac-md5-96 .Ed diff --git a/umac.h b/umac.h index 055c705f8..6795112a3 100644 --- a/umac.h +++ b/umac.h @@ -1,4 +1,4 @@ -/* $OpenBSD: umac.h,v 1.1 2007/06/07 19:37:34 pvalchev Exp $ */ +/* $OpenBSD: umac.h,v 1.2 2012/10/04 13:21:50 markus Exp $ */ /* ----------------------------------------------------------------------- * * umac.h -- C Implementation UMAC Message Authentication @@ -116,6 +116,12 @@ int uhash(uhash_ctx_t ctx, #endif +/* matching umac-128 API, we reuse umac_ctx, since it's opaque */ +struct umac_ctx *umac128_new(u_char key[]); +int umac128_update(struct umac_ctx *ctx, u_char *input, long len); +int umac128_final(struct umac_ctx *ctx, u_char tag[], u_char nonce[8]); +int umac128_delete(struct umac_ctx *ctx); + #ifdef __cplusplus } #endif -- cgit v1.2.3