Commit Graph

6015 Commits

Author SHA1 Message Date
Damien Miller
5a5d94b12f - jmc@cvs.openbsd.org 2010/03/13 23:38:13
[ssh-keygen.1]
     fix a formatting error (args need quoted); noted by stevesk
2010-03-22 05:57:49 +11:00
Damien Miller
1b61a2825e - djm@cvs.openbsd.org 2010/03/13 21:45:46
[ssh-keygen.1]
     Certificates are named *-cert.pub, not *_cert.pub; committing a diff
     from stevesk@ ok me
2010-03-22 05:55:06 +11:00
Damien Miller
8ddc71c13d - djm@cvs.openbsd.org 2010/03/13 21:10:38
[clientloop.c]
     protocol conformance fix: send language tag when disconnecting normally;
     spotted by 1.41421 AT gmail.com, ok markus@ deraadt@
2010-03-22 05:54:02 +11:00
Damien Miller
4a5f0d325b - markus@cvs.openbsd.org 2010/03/12 11:37:40
[servconf.c]
     do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
     free() (not xfree()) the buffer returned by getcwd()
2010-03-22 05:53:04 +11:00
Damien Miller
c4cb47bc53 - djm@cvs.openbsd.org 2010/03/12 01:06:25
[servconf.c]
     unbreak AuthorizedKeys option with a $HOME-relative path; reported by
     vinschen AT redhat.com, ok dtucker@
2010-03-22 05:52:26 +11:00
Damien Miller
e513a91195 - djm@cvs.openbsd.org 2010/03/10 23:27:17
[auth2-pubkey.c]
     correct certificate logging and make it more consistent between
     authorized_keys and TrustedCAKeys; ok markus@
2010-03-22 05:51:21 +11:00
Damien Miller
77497e1318 - jmc@cvs.openbsd.org 2010/03/10 07:40:35
[ssh-keygen.1]
     typos; from Ross Richardson
     closes prs 6334 and 6335
2010-03-22 05:50:51 +11:00
Damien Miller
c59e2443d3 - jmc@cvs.openbsd.org 2010/03/08 09:41:27
[ssh-keygen.1]
     sort the list of constraints (to -O); ok djm
2010-03-22 05:50:31 +11:00
Damien Miller
1f574b2546 - (djm) [Makefile.in] Respecify -lssh after -lopenbsd-compat for
ssh-pkcs11-helper to repair static builds (we do the same for
   ssh-keyscan). Reported by felix-mindrot AT fefe.de
2010-03-14 08:41:34 +11:00
Damien Miller
47f9a4106a - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix
compilation failure when !HAVE_DLOPEN. Reported by felix-mindrot
   AT fefe.de
2010-03-14 08:37:49 +11:00
Tim Rice
4e0cea82dd - (tim) [contrib/cygwin/Makefile] Fix list of documentation files to install
on a Cygwin installation. Patch from Corinna Vinschen.
2010-03-11 22:35:19 -08:00
Tim Rice
ded8fa0bc9 - (tim) [Makefile.in] Add missing $(EXEEXT) to install targets.
Patch from Corinna Vinschen.
2010-03-11 22:32:02 -08:00
Tim Rice
2bde3eec69 - (tim) [openssh/Makefile.in] Now that scard is gone, no need to
make $(datadir)
2010-03-11 22:18:13 -08:00
Tim Rice
fa233ba73b - (tim) [contrib/suse/openssh.spec] crank version number here too.
report by imorgan AT nas.nasa.gov
2010-03-10 16:12:02 -08:00
Darren Tucker
c9fe39b1a4 - (dtucker) [configure.ac] Use a proper AC_CHECK_DECL for BROKEN_GETADDRINFO
so setting it in CFLAGS correctly skips IPv6 tests.
2010-03-09 20:42:30 +11:00
Damien Miller
081c976e1c - djm@cvs.openbsd.org 2010/03/08 00:28:55
[ssh-keygen.1]
     document permit-agent-forwarding certificate constraint; patch from
     stevesk@
2010-03-08 11:30:00 +11:00
Damien Miller
958678726c - (djm) Release OpenSSH-5.4p1 2010-03-08 09:50:17 +11:00
Damien Miller
6bf31786cf - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
crank version numbers
2010-03-08 09:41:02 +11:00
Damien Miller
3e1ee491f3 - djm@cvs.openbsd.org 2010/03/07 22:16:01
[ssh-keygen.c]
     make internal strptime string match strftime format;
     suggested by vinschen AT redhat.com and markus@
2010-03-08 09:24:11 +11:00
Damien Miller
b3bc331e09 - (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/03/07 22:01:32
     [version.h]
     openssh-5.4
2010-03-08 09:03:33 +11:00
Darren Tucker
cd70e1b813 - dtucker@cvs.openbsd.org 2010/03/07 11:57:13
[auth-rhosts.c monitor.c monitor_wrap.c session.c auth-options.c sshd.c]
     Hold authentication debug messages until after successful authentication.
     Fixes an info leak of environment variables specified in authorized_keys,
     reported by Jacob Appelbaum.  ok djm@
2010-03-07 23:05:17 +11:00
Darren Tucker
ac0c4c9c1d - (dtucker) [session.c] Also initialize creds to NULL for handing to
setpcred.
2010-03-07 13:32:16 +11:00
Darren Tucker
c738e6c646 - (dtucker) [session.c] Bug #1567: move setpcred call to before chroot and
do not set real uid, since that's needed for the chroot, and will be set
   by permanently_set_uid.
2010-03-07 13:21:12 +11:00
Darren Tucker
b3d20a3ff0 - (dtucker) [auth.c] Bug #1710: call setauthdb on AIX before getpwuid so that
it gets the passwd struct from the LAM that knows about the user which is
   not necessarily the default.  Patch from Alexandre Letourneau.
2010-03-07 11:56:59 +11:00
Damien Miller
5059d8d7e6 - djm@cvs.openbsd.org 2010/03/05 10:28:21
[ssh-add.1 ssh.1 ssh_config.5]
     mention loading of certificate files from [private]-cert.pub when
     they are present; feedback and ok jmc@
2010-03-05 21:31:11 +11:00
Damien Miller
922b541329 - jmc@cvs.openbsd.org 2010/03/05 08:31:20
[ssh.1]
     document certificate authentication; help/ok djm
2010-03-05 21:30:54 +11:00
Damien Miller
98339054f9 - jmc@cvs.openbsd.org 2010/03/05 06:50:35
[ssh.1 sshd.8]
     tweak previous;
2010-03-05 21:30:35 +11:00
Damien Miller
9527f228ae - (djm) [configure.ac] set -fno-strict-aliasing for gcc4; ok dtucker@ 2010-03-05 15:04:35 +11:00
Damien Miller
b068d0ad6d - djm@cvs.openbsd.org 2010/03/05 02:58:11
[auth.c]
     make the warning for a revoked key louder and more noticable
2010-03-05 14:03:03 +11:00
Damien Miller
48b6021721 - (djm) [ssh-rand-helper.c] declare optind, avoiding compilation failure
on some platforms
2010-03-05 11:40:19 +11:00
Damien Miller
689b872842 - djm@cvs.openbsd.org 2010/03/04 23:27:25
[auth-options.c ssh-keygen.c]
     "force-command" is not spelled "forced-command"; spotted by
     imorgan AT nas.nasa.gov
2010-03-05 10:42:24 +11:00
Damien Miller
a7dab8bfe5 - djm@cvs.openbsd.org 2010/03/04 23:19:29
[ssh.1 sshd.8]
     move section on CA and revoked keys from ssh.1 to sshd.8's known hosts
     format section and rework it a bit; requested by jmc@
2010-03-05 10:42:05 +11:00
Damien Miller
c6db99ec14 - djm@cvs.openbsd.org 2010/03/04 23:17:25
[sshd_config.5]
     missing word; spotted by jmc@
2010-03-05 10:41:45 +11:00
Damien Miller
8f6c337563 - jmc@cvs.openbsd.org 2010/03/04 22:52:40
[ssh-keygen.1]
     fix Bk/Ek;
2010-03-05 10:41:26 +11:00
Tim Rice
179eee081a - (tim) [ssh-pkcs11.c] Fix "non-constant initializer" errors in older
compilers. OK djm@
2010-03-04 12:48:05 -08:00
Damien Miller
f2b70cad75 - djm@cvs.openbsd.org 2010/03/04 20:35:08
[ssh-keygen.1 ssh-keygen.c]
     Add a -L flag to print the contents of a certificate; ok markus@
2010-03-05 07:39:35 +11:00
Damien Miller
72b33820af - jmc@cvs.openbsd.org 2010/03/04 12:51:25
[ssh.1 sshd_config.5]
     tweak previous;
2010-03-05 07:39:01 +11:00
Damien Miller
700dcfa3e0 - djm@cvs.openbsd.org 2010/03/04 10:38:23
[regress/cert-hostkey.sh regress/cert-userkey.sh]
     additional regression tests for revoked keys and TrustedUserCAKeys
2010-03-04 21:58:01 +11:00
Damien Miller
017d1e777e - djm@cvs.openbsd.org 2010/03/03 00:47:23
[regress/cert-hostkey.sh regress/cert-userkey.sh]
     add an extra test to ensure that authentication with the wrong
     certificate fails as it should (and it does)
2010-03-04 21:57:21 +11:00
Damien Miller
1aed65eb27 - djm@cvs.openbsd.org 2010/03/04 10:36:03
[auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c]
     [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h]
     [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5]
     Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
     are trusted to authenticate users (in addition than doing it per-user
     in authorized_keys).

     Add a RevokedKeys option to sshd_config and a @revoked marker to
     known_hosts to allow keys to me revoked and banned for user or host
     authentication.

     feedback and ok markus@
2010-03-04 21:53:35 +11:00
Damien Miller
2befbad9b3 - djm@cvs.openbsd.org 2010/03/04 01:44:57
[key.c]
     use buffer_get_string_ptr_ret() where we are checking the return
     value explicitly instead of the fatal()-causing buffer_get_string_ptr()
2010-03-04 21:52:18 +11:00
Damien Miller
fe588e3c84 - djm@cvs.openbsd.org 2010/03/03 22:50:40
[PROTOCOL.certkeys]
     s/similar same/similar/; from imorgan AT nas.nasa.gov
2010-03-04 21:52:00 +11:00
Damien Miller
cd38c9c555 - djm@cvs.openbsd.org 2010/03/03 22:49:50
[sshd.8]
     the authorized_keys option for CA keys is "cert-authority", not
     "from=cert-authority". spotted by imorgan AT nas.nasa.gov
2010-03-04 21:51:37 +11:00
Damien Miller
41396573af - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/03/03 01:44:36
     [auth-options.c key.c]
     reject strings with embedded ASCII nul chars in certificate key IDs,
     principal names and constraints
2010-03-04 21:51:11 +11:00
Damien Miller
e1abf4d6bc - (djm) [regress/Makefile] Cleanup sshd_proxy_orig 2010-03-04 21:41:29 +11:00
Damien Miller
d45f3b6cc7 - (djm) [.cvsignore] Ignore ssh-pkcs11-helper 2010-03-04 21:09:46 +11:00
Damien Miller
661ffc1fd6 - (djm) [contrib/redhat/openssh.spec] Replace obsolete BuildPreReq
on XFree86-devel with neutral /usr/include/X11/Xlib.h;
   imorgan AT nas.nasa.gov in bz#1731
2010-03-04 21:09:24 +11:00
Damien Miller
910f209c1d - (djm) [ssh-keygen.c] Use correct local variable, instead of
maybe-undefined global "optarg"
2010-03-04 14:17:22 +11:00
Damien Miller
386dbc05e9 - (djm) [regress/cert-userkey.sh] s/echo -n/echon/ here too 2010-03-03 13:22:41 +11:00
Damien Miller
2ca342b84b - djm@cvs.openbsd.org 2010/03/02 23:20:57
[ssh-keygen.c]
     POSIX strptime is stricter than OpenBSD's so do a little dance to
     appease it.
2010-03-03 12:14:15 +11:00