RepoMirrors/openssh
1
0
Fork 0
mirror of git://anongit.mindrot.org/openssh.git synced 2024-12-27 20:42:07 +00:00
Code Issues Packages Projects Releases Wiki Activity
6,289 Commits 69 Branches 157 Tags 27 MiB
445c9a507d
Commit Graph

6289 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Damien Miller
98339054f9 - jmc@cvs.openbsd.org 2010/03/05 06:50:35 
[ssh.1 sshd.8]
     tweak previous;
 2010-03-05 21:30:35 +11:00
Damien Miller
9527f228ae - (djm) [configure.ac] set -fno-strict-aliasing for gcc4; ok dtucker@ 2010-03-05 15:04:35 +11:00
Damien Miller
b068d0ad6d - djm@cvs.openbsd.org 2010/03/05 02:58:11 
[auth.c]
     make the warning for a revoked key louder and more noticable
 2010-03-05 14:03:03 +11:00
Damien Miller
48b6021721 - (djm) [ssh-rand-helper.c] declare optind, avoiding compilation failure 
on some platforms
 2010-03-05 11:40:19 +11:00
Damien Miller
689b872842 - djm@cvs.openbsd.org 2010/03/04 23:27:25 
[auth-options.c ssh-keygen.c]
     "force-command" is not spelled "forced-command"; spotted by
     imorgan AT nas.nasa.gov
 2010-03-05 10:42:24 +11:00
Damien Miller
a7dab8bfe5 - djm@cvs.openbsd.org 2010/03/04 23:19:29 
[ssh.1 sshd.8]
     move section on CA and revoked keys from ssh.1 to sshd.8's known hosts
     format section and rework it a bit; requested by jmc@
 2010-03-05 10:42:05 +11:00
Damien Miller
c6db99ec14 - djm@cvs.openbsd.org 2010/03/04 23:17:25 
[sshd_config.5]
     missing word; spotted by jmc@
 2010-03-05 10:41:45 +11:00
Damien Miller
8f6c337563 - jmc@cvs.openbsd.org 2010/03/04 22:52:40 
[ssh-keygen.1]
     fix Bk/Ek;
 2010-03-05 10:41:26 +11:00
Tim Rice
179eee081a - (tim) [ssh-pkcs11.c] Fix "non-constant initializer" errors in older 
compilers. OK djm@
 2010-03-04 12:48:05 -08:00
Damien Miller
f2b70cad75 - djm@cvs.openbsd.org 2010/03/04 20:35:08 
[ssh-keygen.1 ssh-keygen.c]
     Add a -L flag to print the contents of a certificate; ok markus@
 2010-03-05 07:39:35 +11:00
Damien Miller
72b33820af - jmc@cvs.openbsd.org 2010/03/04 12:51:25 
[ssh.1 sshd_config.5]
     tweak previous;
 2010-03-05 07:39:01 +11:00
Damien Miller
700dcfa3e0 - djm@cvs.openbsd.org 2010/03/04 10:38:23 
[regress/cert-hostkey.sh regress/cert-userkey.sh]
     additional regression tests for revoked keys and TrustedUserCAKeys
 2010-03-04 21:58:01 +11:00
Damien Miller
017d1e777e - djm@cvs.openbsd.org 2010/03/03 00:47:23 
[regress/cert-hostkey.sh regress/cert-userkey.sh]
     add an extra test to ensure that authentication with the wrong
     certificate fails as it should (and it does)
 2010-03-04 21:57:21 +11:00
Damien Miller
1aed65eb27 - djm@cvs.openbsd.org 2010/03/04 10:36:03 
[auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c]
     [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h]
     [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5]
     Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
     are trusted to authenticate users (in addition than doing it per-user
     in authorized_keys).

     Add a RevokedKeys option to sshd_config and a @revoked marker to
     known_hosts to allow keys to me revoked and banned for user or host
     authentication.

     feedback and ok markus@
 2010-03-04 21:53:35 +11:00
Damien Miller
2befbad9b3 - djm@cvs.openbsd.org 2010/03/04 01:44:57 
[key.c]
     use buffer_get_string_ptr_ret() where we are checking the return
     value explicitly instead of the fatal()-causing buffer_get_string_ptr()
 2010-03-04 21:52:18 +11:00
Damien Miller
fe588e3c84 - djm@cvs.openbsd.org 2010/03/03 22:50:40 
[PROTOCOL.certkeys]
     s/similar same/similar/; from imorgan AT nas.nasa.gov
 2010-03-04 21:52:00 +11:00
Damien Miller
cd38c9c555 - djm@cvs.openbsd.org 2010/03/03 22:49:50 
[sshd.8]
     the authorized_keys option for CA keys is "cert-authority", not
     "from=cert-authority". spotted by imorgan AT nas.nasa.gov
 2010-03-04 21:51:37 +11:00
Damien Miller
41396573af - OpenBSD CVS Sync 
- djm@cvs.openbsd.org 2010/03/03 01:44:36
     [auth-options.c key.c]
     reject strings with embedded ASCII nul chars in certificate key IDs,
     principal names and constraints
 2010-03-04 21:51:11 +11:00
Damien Miller
e1abf4d6bc - (djm) [regress/Makefile] Cleanup sshd_proxy_orig 2010-03-04 21:41:29 +11:00
Damien Miller
d45f3b6cc7 - (djm) [.cvsignore] Ignore ssh-pkcs11-helper 2010-03-04 21:09:46 +11:00
Damien Miller
661ffc1fd6 - (djm) [contrib/redhat/openssh.spec] Replace obsolete BuildPreReq 
on XFree86-devel with neutral /usr/include/X11/Xlib.h;
   imorgan AT nas.nasa.gov in bz#1731
 2010-03-04 21:09:24 +11:00
Damien Miller
910f209c1d - (djm) [ssh-keygen.c] Use correct local variable, instead of 
maybe-undefined global "optarg"
 2010-03-04 14:17:22 +11:00
Damien Miller
386dbc05e9 - (djm) [regress/cert-userkey.sh] s/echo -n/echon/ here too 2010-03-03 13:22:41 +11:00
Damien Miller
2ca342b84b - djm@cvs.openbsd.org 2010/03/02 23:20:57 
[ssh-keygen.c]
     POSIX strptime is stricter than OpenBSD's so do a little dance to
     appease it.
 2010-03-03 12:14:15 +11:00
Damien Miller
fb84e5950e - djm@cvs.openbsd.org 2010/03/02 23:20:57 
[ssh-keygen.c]
     POSIX strptime is stricter than OpenBSD's so do a little dance to
     appease it.
 2010-03-03 10:26:04 +11:00
Damien Miller
0bd41861bb - otto@cvs.openbsd.org 2010/03/01 11:07:06 
[ssh-add.c]
     zap what seems to be a left-over debug message; ok markus@
 2010-03-03 10:25:41 +11:00
Damien Miller
15f5b560b1 - jmc@cvs.openbsd.org 2010/02/26 22:09:28 
[ssh-keygen.1 ssh.1 sshd.8]
     tweak previous;
 2010-03-03 10:25:21 +11:00
Damien Miller
25b97dd454 - (djm) [PROTOCOL.certkeys] Add RCS Ident 2010-03-03 10:24:00 +11:00
Tim Rice
c5b0cb3b7d - (tim) [config.guess config.sub] Bug 1722: Update to latest versions from 
http://git.savannah.gnu.org/gitweb/ (2009-12-30 and 2010-01-22
   respectively).
 2010-03-01 15:57:42 -08:00
Darren Tucker
9af0cb9acc - (dtucker) [openbsd-compat/port-linux.c] Make failure to write to the OOM 
adjust log at verbose only, since according to cjwatson in bug #1470
   some virtualization platforms don't allow writes.
 2010-03-01 15:52:49 +11:00
Darren Tucker
c614c78c53 - (dtucker) [regress/{cert-hostkey,cfgmatch,cipher-speed}.sh} Replace 
"echo -n" with "echon" for portability.
 2010-03-01 12:49:05 +11:00
Tim Rice
bff24b8ad2 - (tim) [ssh-pkcs11-helper.c] Move declarations before calling functions 
to make older compilers (gcc 2.95) happy.
 2010-02-28 14:51:56 -08:00
Damien Miller
acc9b29486 - (djm) [auth.c] On Cygwin, refuse usernames that have differences in 
case from that matched in the system password database. On this
   platform, passwords are stored case-insensitively, but sshd requires
   exact case matching for Match blocks in sshd_config(5). Based on
   a patch from vinschen AT redhat.com.
 2010-03-01 04:36:54 +11:00
Damien Miller
d05951fcee - (djm) [openbsd-compat/bsd-cygwin_util.c] Reduce the set of environment 
variables copied into sshd child processes. From vinschen AT redhat.com
 2010-02-28 03:29:33 +11:00
Damien Miller
09a24db2d7 - (djm) [ssh-pkcs11-helper.c ] Ensure RNG is initialised and seeded 2010-02-28 03:28:05 +11:00
Damien Miller
58ac6de964 - djm@cvs.openbsd.org 2010/02/26 20:33:21 
[Makefile regress/cert-hostkey.sh regress/cert-userkey.sh]
     regression tests for certified keys
 2010-02-27 07:57:12 +11:00
Damien Miller
0a80ca190a - OpenBSD CVS Sync 
- djm@cvs.openbsd.org 2010/02/26 20:29:54
     [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
     [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
     [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
     [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
     [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
     [sshconnect2.c sshd.8 sshd.c sshd_config.5]
     Add support for certificate key types for users and hosts.

     OpenSSH certificate key types are not X.509 certificates, but a much
     simpler format that encodes a public key, identity information and
     some validity constraints and signs it with a CA key. CA keys are
     regular SSH keys. This certificate style avoids the attack surface
     of X.509 certificates and is very easy to deploy.

     Certified host keys allow automatic acceptance of new host keys
     when a CA certificate is marked as sh/known_hosts.
     see VERIFYING HOST KEYS in ssh(1) for details.

     Certified user keys allow authentication of users when the signing
     CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
     FILE FORMAT" in sshd(8) for details.

     Certificates are minted using ssh-keygen(1), documentation is in
     the "CERTIFICATES" section of that manpage.

     Documentation on the format of certificates is in the file
     PROTOCOL.certkeys

     feedback and ok markus@
 2010-02-27 07:55:05 +11:00
Damien Miller
d27d85d532 contrib/caldera/openssh.spec 
contrib/redhat/openssh.spec
contrib/suse/openssh.spec
 2010-02-24 18:21:45 +11:00
Damien Miller
43001b3b3b - (djm) [Makefile.in ssh-pkcs11-helper.8] Add manpage for PKCS#11 helper 2010-02-24 18:18:51 +11:00
Damien Miller
8eff8e8f59 - dtucker@cvs.openbsd.org 2009/11/09 04:20:04 
[regress/Makefile keygen-convert.sh]
     add regression test for ssh-keygen pubkey conversions
 2010-02-24 17:33:30 +11:00
Damien Miller
cfa42d2fd2 - markus@cvs.openbsd.org 2010/02/08 10:52:47 
[regress/agent-pkcs11.sh]
     test for PKCS#11 support (currently disabled)
 2010-02-24 17:31:20 +11:00
Damien Miller
c1739211a6 - djm@cvs.openbsd.org 2010/02/24 06:21:56 
[regress/test-exec.sh]
     wait for sshd to fully stop in cleanup() function; avoids races in tests
     that do multiple start_sshd/cleanup cycles; "I hate pidfiles" deraadt@
 2010-02-24 17:29:34 +11:00
Damien Miller
8f9492c90d - djm@cvs.openbsd.org 2010/02/09 06:29:02 
[regress/Makefile]
     turn on all the malloc(3) checking options when running regression
     tests. this has caught a few bugs for me in the past; ok dtucker@
 2010-02-24 17:28:45 +11:00
Damien Miller
bb4ae5583b - djm@cvs.openbsd.org 2010/02/09 04:57:36 
[regress/addrmatch.sh]
     clean up droppings
 2010-02-24 17:26:38 +11:00
Damien Miller
0dff9c7e6d - dtucker@cvs.openbsd.org 2010/01/11 02:53:44 
[regress/forwarding.sh]
     regress test for stdio forwarding
 2010-02-24 17:25:58 +11:00
Damien Miller
b6bd3c2ca8 - dtucker@cvs.openbsd.org 2009/11/09 04:20:04 
[regress/Makefile]
     add regression test for ssh-keygen pubkey conversions
 2010-02-24 17:24:56 +11:00
Damien Miller
a80f1404bb - djm@cvs.openbsd.org 2010/02/11 20:37:47 
[pathnames.h]
     correct comment
 2010-02-24 17:17:58 +11:00
Damien Miller
05abd2c968 - (djm) [pkcs11.h ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c] 
[ssh-pkcs11.h] Add $OpenBSD$ RCS idents so we can sync portable
 2010-02-24 17:16:08 +11:00
Damien Miller
b3c9f78711 - (djm) [configure.ac] Enable PKCS#11 support only when we find a working 
dlopen()
 2010-02-12 10:11:34 +11:00
Damien Miller
dfa4156dbd - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c] 
Use ssh_get_progname to fill __progname
 2010-02-12 10:06:28 +11:00