Damien Miller [Sun, 7 Mar 2010 22:24:11 +0000 (09:24 +1100)]
- djm@cvs.openbsd.org 2010/03/07 22:16:01
[ssh-keygen.c]
make internal strptime string match strftime format;
suggested by vinschen AT redhat.com and markus@
Darren Tucker [Sun, 7 Mar 2010 12:05:17 +0000 (23:05 +1100)]
- dtucker@cvs.openbsd.org 2010/03/07 11:57:13
[auth-rhosts.c monitor.c monitor_wrap.c session.c auth-options.c sshd.c]
Hold authentication debug messages until after successful authentication.
Fixes an info leak of environment variables specified in authorized_keys,
reported by Jacob Appelbaum. ok djm@
Darren Tucker [Sun, 7 Mar 2010 02:21:12 +0000 (13:21 +1100)]
- (dtucker) [session.c] Bug #1567: move setpcred call to before chroot and
do not set real uid, since that's needed for the chroot, and will be set
by permanently_set_uid.
Darren Tucker [Sun, 7 Mar 2010 00:56:59 +0000 (11:56 +1100)]
- (dtucker) [auth.c] Bug #1710: call setauthdb on AIX before getpwuid so that
it gets the passwd struct from the LAM that knows about the user which is
not necessarily the default. Patch from Alexandre Letourneau.
Damien Miller [Fri, 5 Mar 2010 10:31:11 +0000 (21:31 +1100)]
- djm@cvs.openbsd.org 2010/03/05 10:28:21
[ssh-add.1 ssh.1 ssh_config.5]
mention loading of certificate files from [private]-cert.pub when
they are present; feedback and ok jmc@
Damien Miller [Thu, 4 Mar 2010 23:42:24 +0000 (10:42 +1100)]
- djm@cvs.openbsd.org 2010/03/04 23:27:25
[auth-options.c ssh-keygen.c]
"force-command" is not spelled "forced-command"; spotted by
imorgan AT nas.nasa.gov
Damien Miller [Thu, 4 Mar 2010 23:42:05 +0000 (10:42 +1100)]
- djm@cvs.openbsd.org 2010/03/04 23:19:29
[ssh.1 sshd.8]
move section on CA and revoked keys from ssh.1 to sshd.8's known hosts
format section and rework it a bit; requested by jmc@
Damien Miller [Thu, 4 Mar 2010 10:57:21 +0000 (21:57 +1100)]
- djm@cvs.openbsd.org 2010/03/03 00:47:23
[regress/cert-hostkey.sh regress/cert-userkey.sh]
add an extra test to ensure that authentication with the wrong
certificate fails as it should (and it does)
Damien Miller [Thu, 4 Mar 2010 10:53:35 +0000 (21:53 +1100)]
- djm@cvs.openbsd.org 2010/03/04 10:36:03
[auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c]
[authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h]
[ssh-keygen.c ssh.1 sshconnect.c sshd_config.5]
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition than doing it per-user
in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to me revoked and banned for user or host
authentication.
Damien Miller [Thu, 4 Mar 2010 10:52:18 +0000 (21:52 +1100)]
- djm@cvs.openbsd.org 2010/03/04 01:44:57
[key.c]
use buffer_get_string_ptr_ret() where we are checking the return
value explicitly instead of the fatal()-causing buffer_get_string_ptr()
Damien Miller [Thu, 4 Mar 2010 10:51:37 +0000 (21:51 +1100)]
- djm@cvs.openbsd.org 2010/03/03 22:49:50
[sshd.8]
the authorized_keys option for CA keys is "cert-authority", not
"from=cert-authority". spotted by imorgan AT nas.nasa.gov
Damien Miller [Thu, 4 Mar 2010 10:09:24 +0000 (21:09 +1100)]
- (djm) [contrib/redhat/openssh.spec] Replace obsolete BuildPreReq
on XFree86-devel with neutral /usr/include/X11/Xlib.h;
imorgan AT nas.nasa.gov in bz#1731
Darren Tucker [Mon, 1 Mar 2010 04:52:49 +0000 (15:52 +1100)]
- (dtucker) [openbsd-compat/port-linux.c] Make failure to write to the OOM
adjust log at verbose only, since according to cjwatson in bug #1470
some virtualization platforms don't allow writes.
Damien Miller [Sun, 28 Feb 2010 17:36:54 +0000 (04:36 +1100)]
- (djm) [auth.c] On Cygwin, refuse usernames that have differences in
case from that matched in the system password database. On this
platform, passwords are stored case-insensitively, but sshd requires
exact case matching for Match blocks in sshd_config(5). Based on
a patch from vinschen AT redhat.com.
OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as sh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file
PROTOCOL.certkeys
Damien Miller [Wed, 24 Feb 2010 06:29:34 +0000 (17:29 +1100)]
- djm@cvs.openbsd.org 2010/02/24 06:21:56
[regress/test-exec.sh]
wait for sshd to fully stop in cleanup() function; avoids races in tests
that do multiple start_sshd/cleanup cycles; "I hate pidfiles" deraadt@
Damien Miller [Wed, 24 Feb 2010 06:28:45 +0000 (17:28 +1100)]
- djm@cvs.openbsd.org 2010/02/09 06:29:02
[regress/Makefile]
turn on all the malloc(3) checking options when running regression
tests. this has caught a few bugs for me in the past; ok dtucker@
Damien Miller [Thu, 11 Feb 2010 22:25:29 +0000 (09:25 +1100)]
- djm@cvs.openbsd.org 2010/02/09 06:18:46
[auth.c]
unbreak ChrootDirectory+internal-sftp by skipping check for executable
shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
Damien Miller [Thu, 11 Feb 2010 22:21:02 +0000 (09:21 +1100)]
- markus@cvs.openbsd.org 2010/02/08 10:50:20
[pathnames.h readconf.c readconf.h scp.1 sftp.1 ssh-add.1 ssh-add.c]
[ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config.5]
replace our obsolete smartcard code with PKCS#11.
ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf
ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11
provider (shared library) while ssh-agent(1) delegates PKCS#11 to
a forked a ssh-pkcs11-helper process.
PKCS#11 is currently a compile time option.
feedback and ok djm@; inspired by patches from Alon Bar-Lev
`
Damien Miller [Thu, 11 Feb 2010 20:35:08 +0000 (07:35 +1100)]
- djm@cvs.openbsd.org 2010/02/02 22:49:34
[bufaux.c]
make buffer_get_string_ret() really non-fatal in all cases (it was
using buffer_get_int(), which could fatal() on buffer empty);
ok markus dtucker
Damien Miller [Tue, 2 Feb 2010 06:02:07 +0000 (17:02 +1100)]
- djm@cvs.openbsd.org 2010/01/30 21:12:08
[channels.c]
fake local addr:port when stdio fowarding as some servers (Tectia at
least) validate that they are well-formed;
reported by imorgan AT nas.nasa.gov
ok dtucker
Damien Miller [Sat, 30 Jan 2010 06:42:01 +0000 (17:42 +1100)]
- djm@cvs.openbsd.org 2010/01/30 02:54:53
[mux.c]
don't mark channel as read failed if it is already closing; suppresses
harmless error messages when connecting to SSH.COM Tectia server
report by imorgan AT nas.nasa.gov
Damien Miller [Sat, 30 Jan 2010 06:28:34 +0000 (17:28 +1100)]
- djm@cvs.openbsd.org 2010/01/28 00:21:18
[clientloop.c]
downgrade an error() to a debug() - this particular case can be hit in
normal operation for certain sequences of mux slave vs session closure
and is harmless
Darren Tucker [Thu, 28 Jan 2010 23:54:11 +0000 (10:54 +1100)]
- (dtucker) [openbsd-compat/openssl-compat.c] Bug #1707: Call OPENSSL_config()
after registering the hardware engines, which causes the openssl.cnf file to
be processed. See OpenSSL's man page for OPENSSL_config(3) for details.
Patch from Solomon Peachy, ok djm@.
In a mux master, when a socket to a mux slave closes before its server
session (as may occur when the slave has been signalled), gracefully
close the server session rather than deleting its channel immediately.
A server may have more messages on that channel to send (e.g. an exit
message) that will fatal() the client if they are sent to a channel that
has been prematurely deleted.
Damien Miller [Tue, 26 Jan 2010 02:26:22 +0000 (13:26 +1100)]
- djm@cvs.openbsd.org 2010/01/26 01:28:35
[channels.c channels.h clientloop.c clientloop.h mux.c nchan.c ssh.c]
rewrite ssh(1) multiplexing code to a more sensible protocol.
The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.
avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.
implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.
add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.
document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).
feedback Salvador Fandino, dtucker@
channel changes ok markus@
Damien Miller [Tue, 26 Jan 2010 01:53:06 +0000 (12:53 +1100)]
- dtucker@cvs.openbsd.org 2010/01/18 01:50:27
[roaming_client.c]
s/long long unsigned/unsigned long long/, from tim via portable
(Id sync only, change already in portable)
Tim Rice [Fri, 22 Jan 2010 18:25:15 +0000 (10:25 -0800)]
- (tim) [configure.ac] Due to constraints in Windows Sockets in terms of
socket inheritance, reduce the default SO_RCVBUF/SO_SNDBUF buffer size
in Cygwin to 65535. Patch from Corinna Vinschen.
projects / thirdparty / openssh-portable.git / log
