Commit Graph

65 Commits

Author SHA1 Message Date
Darren Tucker
269a1ea1c8 - (dtucker) [Makefile.in auth.c auth.h auth1.c auth2.c loginrec.c monitor.c
monitor.h monitor_wrap.c monitor_wrap.h session.c sshd.c] Bug #125:
   (first stage) Add audit instrumentation to sshd, currently disabled by
   default.  with suggestions from and djm@
2005-02-03 00:20:53 +11:00
Darren Tucker
3c66080aa2 - (dtucker) [auth-chall.c auth.h auth2-chall.c] Bug #936: Remove pam from
the list of available kbdint devices if UsePAM=no.  ok djm@
2005-01-20 22:20:50 +11:00
Darren Tucker
77fc29eeb3 - (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c]
Bug #892: Send messages from failing PAM account modules to the client via
   SSH2_MSG_USERAUTH_BANNER messages.  Note that this will not happen with
   SSH2 kbdint authentication, which need to be dealt with separately.  ok djm@
2004-09-11 23:07:03 +10:00
Darren Tucker
89413dbafa - dtucker@cvs.openbsd.org 2004/05/23 23:59:53
[auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config sshd_config.5]
     Add MaxAuthTries sshd config option; ok markus@
2004-05-24 10:36:23 +10:00
Damien Miller
9c870f966a - (djm) [auth-krb5.c auth.h session.c] Explicitly refer to Kerberos ccache
file using FILE: method, fixes problems on Mac OSX.
   Patch from simon@sxw.org.uk; ok dtucker@
2004-04-16 22:47:55 +10:00
Darren Tucker
aa0aecad99 - (dtucker) [auth-shadow.c auth.h] Provide warnings of impending account or
password expiry.  ok djm@
2004-02-22 10:22:05 +11:00
Darren Tucker
15ee748f28 - (dtucker) [auth-shadow.c auth.c auth.h] Move shadow account expiry test
to auth-shadow.c, no functional change.  ok djm@
2004-02-22 09:43:15 +11:00
Darren Tucker
9df3defdbb - (dtucker) [LICENCE Makefile.in auth-passwd.c auth-shadow.c auth.c auth.h
defines.h] Bug #14: Use do_pwchange to support password expiry and force
   change for platforms using /etc/shadow.  ok djm@
2004-02-10 13:01:14 +11:00
Darren Tucker
e3dba82dd4 - (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c
openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's
    native password expiry.
2004-02-10 12:50:19 +11:00
Darren Tucker
c52a29913d Sync Ids missed in password expiry sync 2004-02-06 16:38:16 +11:00
Darren Tucker
23bc8d0bff - markus@cvs.openbsd.org 2004/01/30 09:48:57
[auth-passwd.c auth.h pathnames.h session.c]
     support for password change; ok dtucker@
     (set password-dead=1w in login.conf to use this).
     In -Portable, this is currently only platforms using bsdauth.
2004-02-06 16:24:31 +11:00
Darren Tucker
ec217adf70 Whitespace sync 2003-11-22 12:11:06 +11:00
Damien Miller
3e3b5145e5 - djm@cvs.openbsd.org 2003/11/04 08:54:09
[auth1.c auth2.c auth2-pubkey.c auth.h auth-krb5.c auth-passwd.c]
     [auth-rhosts.c auth-rh-rsa.c auth-rsa.c monitor.c serverloop.c]
     [session.c]
     standardise arguments to auth methods - they should all take authctxt.
     check authctxt->valid rather then pw != NULL; ok markus@
2003-11-17 21:13:40 +11:00
Darren Tucker
3e33cecf71 - markus@cvs.openbsd.org 2003/09/23 20:17:11
[Makefile.in auth1.c auth2.c auth.c auth.h auth-krb5.c canohost.c
     cleanup.c clientloop.c fatal.c gss-serv.c log.c log.h monitor.c monitor.h
     monitor_wrap.c monitor_wrap.h packet.c serverloop.c session.c session.h
     ssh-agent.c sshd.c]
     replace fatal_cleanup() and linked list of fatal callbacks with static
     cleanup_exit() function.  re-refine cleanup_exit() where appropriate,
     allocate sshd's authctxt eary to allow simpler cleanup in sshd.
     tested by many, ok deraadt@
2003-10-02 16:12:36 +10:00
Damien Miller
a256c650ac - markus@cvs.openbsd.org 2003/08/28 12:54:34
[auth.h]
     remove kerberos support from ssh1, since it has been replaced with GSSAPI;
     but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
2003-09-03 12:11:30 +10:00
Damien Miller
856f0be669 - markus@cvs.openbsd.org 2003/08/26 09:58:43
[auth-passwd.c auth.c auth.h auth1.c auth2-none.c auth2-passwd.c]
     [auth2.c monitor.c]
     fix passwd auth for 'username leaks via timing'; with djm@, original
     patches from solar
2003-09-03 07:32:45 +10:00
Damien Miller
1a0c0b9621 - markus@cvs.openbsd.org 2003/08/28 12:54:34
[auth-krb5.c auth.h auth1.c monitor.c monitor.h monitor_wrap.c]
     [monitor_wrap.h readconf.c servconf.c session.c ssh_config.5]
     [sshconnect1.c sshd.c sshd_config sshd_config.5]
     remove kerberos support from ssh1, since it has been replaced with GSSAPI;
     but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
2003-09-02 22:51:17 +10:00
Darren Tucker
0efd155c3c - markus@cvs.openbsd.org 2003/08/22 10:56:09
[auth2.c auth2-gss.c auth.h compat.c compat.h gss-genr.c gss-serv-krb5.c
     gss-serv.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c
     readconf.h servconf.c servconf.h session.c session.h ssh-gss.h
     ssh_config.5 sshconnect2.c sshd_config sshd_config.5]
     support GSS API user authentication; patches from Simon Wilkinson,
     stripped down and tested by Jakob and myself.
2003-08-26 11:49:55 +10:00
Darren Tucker
6aaa58c470 - (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/07/22 13:35:22
     [auth1.c auth.h auth-passwd.c monitor.c monitor.h monitor_wrap.c
     monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c ssh.1
     ssh.c ssh_config.5 sshconnect1.c sshd.c sshd_config.5 ssh.h]
     remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
     test+ok henning@
 - (dtucker) [Makefile.in acconfig.h configure.ac] Remove KRB4/AFS support.
 - (dtucker) [auth-krb4.c radix.c radix.h] Remove KRB4/AFS specific files.

I hope I got this right....
2003-08-02 22:24:49 +10:00
Damien Miller
8ce778a9f0 - markus@cvs.openbsd.org 2003/04/16 14:35:27
[auth.h]
     document struct Authctxt; with solar
2003-05-14 13:43:25 +10:00
Damien Miller
4f9f42a9bb - (djm) Merge FreeBSD PAM code: replaces PAM password auth kludge with
proper challenge-response module
2003-05-10 19:28:02 +10:00
Damien Miller
d94e549ea8 - markus@cvs.openbsd.org 2002/09/26 11:38:43
[auth1.c auth.h auth-krb4.c monitor.c monitor.h monitor_wrap.c]
     [monitor_wrap.h]
     krb4 + privsep; ok dugsong@, deraadt@
2002-09-27 13:25:58 +10:00
Damien Miller
25162f2518 - itojun@cvs.openbsd.org 2002/09/09 06:48:06
[auth1.c auth.h auth-krb5.c monitor.c monitor.h]
     [monitor_wrap.c monitor_wrap.h]
     kerberos support for privsep.  confirmed to work by lha@stacken.kth.se
     patch from markus
2002-09-12 09:47:29 +10:00
Ben Lindstrom
511bb24c5b - markus@cvs.openbsd.org 2002/05/31 11:35:15
[auth.h auth2.c]
     move Authmethod definitons to per-method file.

NOTE: The rest of this patch is with the import of the auth2-*.c files.
2002-06-06 20:52:37 +00:00
Ben Lindstrom
855bf3ac3c - markus@cvs.openbsd.org 2002/05/25 18:51:07
[auth.h auth2.c auth2-hostbased.c auth2-kbdint.c auth2-none.c
      auth2-passwd.c auth2-pubkey.c Makefile.in]
     split auth2.c into one file per method; ok provos@/deraadt@

NOTE: Merged back noticable cygwin and pam stuff.  May need review to
ensure I did not miss anything.
2002-06-06 20:27:55 +00:00
Ben Lindstrom
a574cda45b - markus@cvs.openbsd.org 2002/05/13 20:44:58
[auth-options.c auth.c auth.h]
     move the packet_send_debug handling from auth-options.c to auth.c;
     ok provos@
2002-05-15 16:16:14 +00:00
Damien Miller
5ad9fd9820 - (djm) Bug #231: UsePrivilegeSeparation turns off Banner. 2002-05-13 11:07:41 +10:00
Ben Lindstrom
08105192fd - markus@cvs.openbsd.org 2002/03/19 10:35:39
[auth-options.c auth.h session.c session.h sshd.c]
     clean up prototypes
2002-03-22 02:50:06 +00:00
Ben Lindstrom
7a2073c50b - provos@cvs.openbsd.org 2002/03/18 17:50:31
[auth-bsdauth.c auth-options.c auth-rh-rsa.c auth-rsa.c auth-skey.c auth.h
      auth1.c auth2-chall.c auth2.c kex.c kex.h kexdh.c kexgex.c servconf.c
      session.h servconf.h serverloop.c session.c sshd.c]
     integrate privilege separated openssh; its turned off by default for now.
     work done by me and markus@

applied, but outside of ensure that smaller code bits migrated with
their owners.. no work was tried to 'fix' it to work. =)  Later project!
2002-03-22 02:30:41 +00:00
Ben Lindstrom
73ab9ba45d - provos@cvs.openbsd.org 2002/03/18 01:12:14
[auth.h auth1.c auth2.c sshd.c]
     have the authentication functions return the authentication context
     and then do_authenticated; okay millert@
2002-03-22 01:27:35 +00:00
Ben Lindstrom
2ae18f40a7 - provos@cvs.openbsd.org 2002/03/17 20:25:56
[auth.c auth.h auth1.c auth2.c]
     getpwnamallow returns struct passwd * only if user valid; okay markus@
2002-03-22 01:24:38 +00:00
Ben Lindstrom
186b7da2d7 - markus@cvs.openbsd.org 2002/03/16 17:22:09
[auth-rh-rsa.c auth.h]
     split auth_rhosts_rsa(), ok provos@
2002-03-22 01:20:32 +00:00
Ben Lindstrom
9c8aefe750 - markus@cvs.openbsd.org 2002/03/14 16:56:33
[auth-rh-rsa.c auth-rsa.c auth.h]
     split auth_rsa() for better readability and privsep; ok provos@
2002-03-22 01:12:58 +00:00
Damien Miller
3a5b023330 Stupid djm commits experimental code to head instead of branch
revert
2002-03-13 13:19:42 +11:00
Damien Miller
646e7cf3d7 Import of Niels Provos' 20020312 ssh-complete.diff
PAM, Cygwin and OSF SIA will not work for sure
2002-03-13 12:47:54 +11:00
Ben Lindstrom
05764b9286 - stevesk@cvs.openbsd.org 2002/03/04 17:27:39
[auth-krb5.c auth-options.h auth.h authfd.h authfile.h bufaux.h buffer.h
      channels.h cipher.h compat.h compress.h crc32.h deattack.c getput.h
      groupaccess.c misc.c mpaux.h packet.h readconf.h rsa.h scard.h
      servconf.h ssh-agent.c ssh.h ssh2.h sshpty.h sshtty.c ttymodes.h
      uuencode.c xmalloc.h]
     $OpenBSD$ and RCSID() cleanup: don't use RCSID() in .h files; add
     missing RCSID() to .c files and remove dup /*$OpenBSD$*/ from .c
     files.  ok markus@
2002-03-05 01:53:02 +00:00
Damien Miller
a93c6d87ef - millert@cvs.openbsd.org 2002/02/17 19:42:32
[auth.h]
     Manual cleanup of remaining userland __P use (excluding packages
     maintained outside the tree)
2002-02-19 15:25:29 +11:00
Damien Miller
b046211483 - millert@cvs.openbsd.org 2002/02/16 21:27:53
[auth.h]
     Part one of userland __P removal.  Done with a simple regexp with
     some minor hand editing to make comments line up correctly.  Another
     pass is forthcoming that handles the cases that could not be done
     automatically.
2002-02-19 15:24:43 +11:00
Damien Miller
d221ca6cc9 - markus@cvs.openbsd.org 2001/12/27 19:54:53
[auth1.c auth.h auth-rh-rsa.c]
     auth_rhosts_rsa now accept generic keys.
2002-01-22 23:11:00 +11:00
Damien Miller
9f0f5c64bc - deraadt@cvs.openbsd.org 2001/12/19 07:18:56
[auth1.c auth2.c auth2-chall.c auth-bsdauth.c auth.c authfile.c auth.h]
     [auth-krb4.c auth-rhosts.c auth-skey.c bufaux.c canohost.c channels.c]
     [cipher.c clientloop.c compat.c compress.c deattack.c key.c log.c mac.c]
     [match.c misc.c nchan.c packet.c readconf.c rijndael.c rijndael.h scard.c]
     [servconf.c servconf.h serverloop.c session.c sftp.c sftp-client.c]
     [sftp-glob.c sftp-int.c sftp-server.c ssh-add.c ssh-agent.c ssh.c]
     [sshconnect1.c sshconnect2.c sshconnect.c sshd.8 sshd.c sshd_config]
     [ssh-keygen.c sshlogin.c sshpty.c sshtty.c ttymodes.c uidswap.c]
     basic KNF done while i was looking for something else
2001-12-21 14:45:46 +11:00
Damien Miller
5b2aea9494 - jakob@cvs.openbsd.org 2001/12/18 10:04:21
[auth.h hostfile.c hostfile.h]
     remove auth_rsa_read_key, make hostfile_ready_key non static; ok markus@
2001-12-21 12:47:09 +11:00
Damien Miller
ee11625d43 - markus@cvs.openbsd.org 2001/12/09 18:45:56
[auth2.c auth2-chall.c auth.h]
     add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions,
     fixes memleak.
2001-12-21 12:42:34 +11:00
Ben Lindstrom
4cc240dabb - markus@cvs.openbsd.org 2001/06/26 17:27:25
[authfd.h authfile.h auth.h auth-options.h bufaux.h buffer.h
      canohost.h channels.h cipher.h clientloop.h compat.h compress.h
      crc32.h deattack.h dh.h dispatch.h groupaccess.c groupaccess.h
      hostfile.h kex.h key.h log.c log.h mac.h misc.c misc.h mpaux.h
      packet.h radix.h readconf.h readpass.h rsa.h servconf.h serverloop.h
      session.h sftp-common.c sftp-common.h sftp-glob.h sftp-int.h
      sshconnect.h ssh-dss.h sshlogin.h sshpty.h ssh-rsa.h sshtty.h
      tildexpand.h uidswap.h uuencode.h xmalloc.h]
     remove comments from .h, since they are cut&paste from the .c files
     and out of sync
2001-07-04 04:46:56 +00:00
Ben Lindstrom
ec95ed9b4c - dugsong@cvs.openbsd.org 2001/06/26 16:15:25
[auth1.c auth.h auth-krb4.c auth-passwd.c readconf.c readconf.h
      servconf.c servconf.h session.c sshconnect1.c sshd.c]
     Kerberos v5 support for SSH1, mostly from Assar Westerlund
     <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok
2001-07-04 04:21:14 +00:00
Ben Lindstrom
16ae3d0dba - itojun@cvs.openbsd.org 2001/06/26 06:32:58
[atomicio.h authfd.h authfile.h auth.h auth-options.h bufaux.h
      buffer.h canohost.h channels.h cipher.h clientloop.h compat.h
      compress.h crc32.h deattack.h dh.h dispatch.h groupaccess.h
      hostfile.h kex.h key.h log.h mac.h match.h misc.h mpaux.h packet.h
      radix.h readconf.h readpass.h rsa.h]
     prototype pedant.  not very creative...
     - () -> (void)
     - no variable names
2001-07-04 04:02:36 +00:00
Ben Lindstrom
248c0784bf - provos@cvs.openbsd.org 2001/06/25 17:54:47
[auth.c auth.h auth-rsa.c]
     terminate secure_filename checking after checking homedir.  that way
     it works on AFS.  okay markus@
2001-07-04 03:40:39 +00:00
Ben Lindstrom
83647ce474 - markus@cvs.openbsd.org 2001/06/23 00:20:57
[auth2.c auth.c auth.h auth-rh-rsa.c]
     *known_hosts2 is obsolete for hostbased authentication and
     only used for backward compat. merge ssh1/2 hostkey check
     and move it to auth.c
2001-06-25 04:30:16 +00:00
Ben Lindstrom
bfb3a0e973 - markus@cvs.openbsd.org 2001/05/20 17:20:36
[auth-rsa.c auth.c auth.h auth2.c servconf.c servconf.h sshd.8
      sshd_config]
     configurable authorized_keys{,2} location; originally from peter@;
     ok djm@
2001-06-05 20:25:05 +00:00
Ben Lindstrom
551ea37576 - markus@cvs.openbsd.org 2001/05/18 14:13:29
[auth-chall.c auth.h auth1.c auth2-chall.c auth2.c readconf.c
      readconf.h servconf.c servconf.h sshconnect1.c sshconnect2.c sshd.c]
     improved kbd-interactive support. work by per@appgate.com and me
2001-06-05 18:56:16 +00:00
Ben Lindstrom
5eabda303a - markus@cvs.openbsd.org 2001/04/12 19:15:26
[auth-rhosts.c auth.h auth2.c buffer.c canohost.c canohost.h
      compat.c compat.h hostfile.c pathnames.h readconf.c readconf.h
      servconf.c servconf.h ssh.c sshconnect.c sshconnect.h sshconnect1.c
      sshconnect2.c sshd_config]
     implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
     similar to RhostRSAAuthentication unless you enable (the experimental)
     HostbasedUsesNameFromPacketOnly option.  please test. :)
2001-04-12 23:34:34 +00:00