Commit Graph

5583 Commits

Author SHA1 Message Date
Damien Miller
ea909791c5 - (djm) [contrib/ssh-copy-id] Update key file explicitly under ~
rather than assuming that $CWD == $HOME. bz#1500, patch from
   timothy AT gelter.com
2010-06-18 11:09:24 +10:00
Tim Rice
b9ae4ec556 - (tim) [contrib/cygwin/README] Remove a reference to the obsolete
minires-devel package, and to add the reference to the libedit-devel
   package since CYgwin now provides libedit. Patch from Corinna Vinschen.
2010-06-17 11:11:44 -07:00
Damien Miller
d0e4a8e2e0 - djm@cvs.openbsd.org 2010/05/20 23:46:02
[PROTOCOL.certkeys auth-options.c ssh-keygen.c]
     Move the permit-* options to the non-critical "extensions" field for v01
     certificates. The logic is that if another implementation fails to
     implement them then the connection just loses features rather than fails
     outright.

     ok markus@
2010-05-21 14:58:32 +10:00
Damien Miller
84399555f0 - djm@cvs.openbsd.org 2010/05/20 11:25:26
[auth2-pubkey.c]
     fix logspam when key options (from="..." especially) deny non-matching
     keys; reported by henning@ also bz#1765; ok markus@ dtucker@
2010-05-21 14:58:12 +10:00
Damien Miller
388f6fc485 - markus@cvs.openbsd.org 2010/05/16 12:55:51
[PROTOCOL.mux clientloop.h mux.c readconf.c readconf.h ssh.1 ssh.c]
     mux support for remote forwarding with dynamic port allocation,
     use with
        LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost`
     feedback and ok djm@
2010-05-21 14:57:35 +10:00
Damien Miller
d530f5f471 - djm@cvs.openbsd.org 2010/05/14 23:29:23
[channels.c channels.h mux.c ssh.c]
     Pause the mux channel while waiting for reply from aynch callbacks.
     Prevents misordering of replies if new requests arrive while waiting.

     Extend channel open confirm callback to allow signalling failure
     conditions as well as success. Use this to 1) fix a memory leak, 2)
     start using the above pause mechanism and 3) delay sending a success/
     failure message on mux slave session open until we receive a reply from
     the server.

     motivated by and with feedback from markus@
2010-05-21 14:57:10 +10:00
Damien Miller
c6afb5f2c0 - djm@cvs.openbsd.org 2010/05/14 00:47:22
[ssh-add.c]
     check that the certificate matches the corresponding private key before
     grafting it on
2010-05-21 14:56:47 +10:00
Damien Miller
3b903827eb - djm@cvs.openbsd.org 2010/05/11 02:58:04
[auth-rsa.c]
     don't accept certificates marked as "cert-authority" here; ok markus@
2010-05-21 14:56:25 +10:00
Damien Miller
3bcce80b54 - djm@cvs.openbsd.org 2010/05/07 11:31:26
[regress/Makefile regress/cert-userkey.sh]
     regress tests for AuthorizedPrincipalsFile and "principals=" key option.
     feedback and ok markus@
2010-05-21 14:48:16 +10:00
Damien Miller
4b1ec8381b - (djm) [openbsd-compat/openssl-compat.h] Fix build breakage on older
libcrypto by defining OPENSSL_[DR]SA_MAX_MODULUS_BITS if they aren't
   already. ok dtucker@
2010-05-12 17:49:59 +10:00
Darren Tucker
5b6d0d0eba - (dtucker) [Makefile.in] Bug #1770: Link libopenbsd-compat twice to solve
circular dependency problem on old or odd platforms.  From Tom Lane, ok
   djm@.
2010-05-12 16:51:38 +10:00
Damien Miller
81d3fc535b - jmc@cvs.openbsd.org 2010/05/07 12:49:17
[sshd_config.5]
     tweak previous;
2010-05-10 11:58:45 +10:00
Damien Miller
30da3447d2 - djm@cvs.openbsd.org 2010/05/07 11:30:30
[auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c]
     [key.c servconf.c servconf.h sshd.8 sshd_config.5]
     add some optional indirection to matching of principal names listed
     in certificates. Currently, a certificate must include the a user's name
     to be accepted for authentication. This change adds the ability to
     specify a list of certificate principal names that are acceptable.

     When authenticating using a CA trusted through ~/.ssh/authorized_keys,
     this adds a new principals="name1[,name2,...]" key option.

     For CAs listed through sshd_config's TrustedCAKeys option, a new config
     option "AuthorizedPrincipalsFile" specifies a per-user file containing
     the list of acceptable names.

     If either option is absent, the current behaviour of requiring the
     username to appear in principals continues to apply.

     These options are useful for role accounts, disjoint account namespaces
     and "user@realm"-style naming policies in certificates.

     feedback and ok markus@
2010-05-10 11:58:03 +10:00
Damien Miller
099fc1634e - dtucker@cvs.openbsd.org 2010/05/05 04:22:09
[sftp.c]
     restore mput and mget which got lost in the tab-completion changes.
     found by Kenneth Whitaker, ok djm@
2010-05-10 11:56:50 +10:00
Damien Miller
2725c2193b - djm@cvs.openbsd.org 2010/05/01 02:50:50
[PROTOCOL.certkeys]
     typo; jmeltzer@
2010-05-10 11:56:14 +10:00
Damien Miller
79442c07c4 - djm@cvs.openbsd.org 2010/04/26 22:28:24
[sshconnect2.c]
     bz#1502: authctxt.success is declared as an int, but passed by
     reference to function that accepts sig_atomic_t*. Convert it to
     the latter; ok markus@ dtucker@
2010-05-10 11:55:38 +10:00
Damien Miller
bebbb7e8a5 - djm@cvs.openbsd.org 2010/04/23 22:48:31
[ssh-keygen.c]
     refuse to generate keys longer than OPENSSL_[RD]SA_MAX_MODULUS_BITS,
     since we would refuse to use them anyway. bz#1516; ok dtucker@
2010-05-10 11:54:38 +10:00
Damien Miller
22a29880bb - djm@cvs.openbsd.org 2010/04/23 22:42:05
[session.c]
     set stderr to /dev/null for subsystems rather than just closing it.
     avoids hangs if a subsystem or shell initialisation writes to stderr.
     bz#1750; ok markus@
2010-05-10 11:53:54 +10:00
Damien Miller
85c50d7858 - djm@cvs.openbsd.org 2010/04/23 22:27:38
[mux.c]
     set "detach_close" flag when registering channel cleanup callbacks.
     This causes the channel to close normally when its fds close and
     hangs when terminating a mux slave using ~. bz#1758; ok markus@
2010-05-10 11:53:02 +10:00
Damien Miller
50af79b118 - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/04/23 01:47:41
     [ssh-keygen.c]
     bz#1740: display a more helpful error message when $HOME is
     inaccessible while trying to create .ssh directory. Based on patch
     from jchadima AT redhat.com; ok dtucker@
2010-05-10 11:52:00 +10:00
Darren Tucker
9f8703b573 - (dtucker) [configure.ac] Bug #1756: Check for the existence of a lib64 dir
in the openssl install directory (some newer openssl versions do this on at
   least some amd64 platforms).
2010-04-23 11:12:06 +10:00
Darren Tucker
e25a9bd740 - (dtucker) [contrib/aix/buildbff.sh] Fix creation of ssh_prng_cmds.default
file.
2010-04-18 13:35:00 +10:00
Damien Miller
53f4bb6599 - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/04/16 01:58:45
     [regress/cert-hostkey.sh regress/cert-userkey.sh]
     regression tests for v01 certificate format
     includes interop tests for v00 certs
2010-04-18 08:15:14 +10:00
Damien Miller
c617aa9ff5 - djm@cvs.openbsd.org 2010/04/16 21:14:27
[sshconnect.c]
     oops, %r => remote username, not %u
2010-04-18 08:08:20 +10:00
Damien Miller
1f181425e9 - jmc@cvs.openbsd.org 2010/04/16 06:47:04
[ssh-keygen.1 ssh-keygen.c]
     tweak previous; ok djm
2010-04-18 08:08:03 +10:00
Damien Miller
c4eddee1b7 - OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2010/04/16 06:45:01
     [ssh_config.5]
     tweak previous; ok djm
2010-04-18 08:07:43 +10:00
Damien Miller
4e270b05dd - djm@cvs.openbsd.org 2010/04/16 01:47:26
[PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c]
     [auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c]
     [ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c]
     [sshconnect.c sshconnect2.c sshd.c]
     revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the
     following changes:

     move the nonce field to the beginning of the certificate where it can
     better protect against chosen-prefix attacks on the signature hash

     Rename "constraints" field to "critical options"

     Add a new non-critical "extensions" field

     Add a serial number

     The older format is still support for authentication and cert generation
     (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)

     ok markus@
2010-04-16 15:56:21 +10:00
Damien Miller
031c9100df - markus@cvs.openbsd.org 2010/04/15 20:32:55
[ssh-pkcs11.c]
     retry lookup for private key if there's no matching key with CKA_SIGN
     attribute enabled; this fixes fixes MuscleCard support (bugzilla #1736)
     ok djm@
2010-04-16 15:54:44 +10:00
Damien Miller
b1b17047e3 - djm@cvs.openbsd.org 2010/04/14 22:27:42
[ssh_config.5 sshconnect.c]
     expand %r => remote username in ssh_config:ProxyCommand;
     ok deraadt markus
2010-04-16 15:54:19 +10:00
Damien Miller
601a23c02c - djm@cvs.openbsd.org 2010/04/10 05:48:16
[mux.c]
     fix NULL dereference; from matthew.haub AT alumni.adelaide.edu.au
2010-04-16 15:54:01 +10:00
Damien Miller
88680654ad - djm@cvs.openbsd.org 2010/04/10 02:10:56
[sshconnect2.c]
     show the key type that we are offering in debug(), helps distinguish
     between certs and plain keys as the path to the private key is usually
     the same.
2010-04-16 15:53:43 +10:00
Damien Miller
22c97f1539 - djm@cvs.openbsd.org 2010/04/10 02:08:44
[clientloop.c]
     bz#1698: kill channel when pty allocation requests fail. Fixed
     stuck client if the server refuses pty allocation.
     ok dtucker@ "think so" markus@
2010-04-16 15:53:23 +10:00
Damien Miller
672839994e - djm@cvs.openbsd.org 2010/04/10 00:04:30
[sshconnect.c]
     fix terminology: we didn't find a certificate in known_hosts, we found
     a CA key
2010-04-16 15:53:02 +10:00
Damien Miller
deb5a1423a - djm@cvs.openbsd.org 2010/04/10 00:00:16
[ssh.c]
     bz#1746 - suppress spurious tty warning when using -O and stdin
     is not a tty; ok dtucker@ markus@
2010-04-16 15:52:43 +10:00
Damien Miller
544378da56 - jmc@cvs.openbsd.org 2010/03/27 14:26:55
[ssh_config.5]
     tweak previous; ok dtucker
2010-04-16 15:52:24 +10:00
Damien Miller
67f30d70d9 - jmc@cvs.openbsd.org 2010/03/26 06:54:36
[ssh.1]
     tweak previous;
2010-04-16 15:52:03 +10:00
Damien Miller
d6fc3065da - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/03/26 03:13:17
     [bufaux.c]
     allow buffer_get_int_ret/buffer_get_int64_ret to take a NULL pointer
     argument to allow skipping past values in a buffer
2010-04-16 15:51:45 +10:00
Damien Miller
a45f1c0345 openssh-5.5p1 marker 2010-04-16 15:51:34 +10:00
Darren Tucker
627337d95b - (dtucker) [configure.ac] Put the check for the existence of getaddrinfo
back so we disable the IPv6 tests if we don't have it.
2010-04-10 22:58:01 +10:00
Darren Tucker
261d93a5cf - (dtucker) [configure.ac defines.h loginrec.c logintest.c] Bug #1732: enable
utmpx support on FreeBSD where possible.  Patch from Ed Schouten, ok djm@
2010-04-09 18:13:27 +10:00
Darren Tucker
c4ccb12ee4 - (dtucker) [configure.ac] Bug #1744: use pkg-config for libedit flags if we
have it and the path is not provided to --with-libedit.  Based on a patch
   from Iain Morgan.
2010-04-09 14:04:35 +10:00
Darren Tucker
537d4dcfa0 - (dtucker) [contrib/cygwin/Makefile] Don't overwrite files with the wrong
ones.  Based on a patch from Roumen Petrov.
2010-04-09 13:35:23 +10:00
Darren Tucker
ce3754bbf3 - dtucker@cvs.openbsd.org 2010/03/26 01:06:13
[ssh_config.5]
     Reformat default value of PreferredAuthentications entry (current
     formatting implies ", " is acceptable as a separator, which it's not.
     ok djm@
2010-03-26 12:09:13 +11:00
Damien Miller
9c60f24f01 - djm@cvs.openbsd.org 2010/03/26 00:26:58
[ssh.1]
     mention that -S none disables connection sharing; from Colin Watson
2010-03-26 11:28:35 +11:00
Damien Miller
df08341060 - (djm) [contrib/ssh-copy-id] Don't blow up when the agent has no keys;
bz#1723 patch from Adeodato Simó via Colin Watson; ok dtucker@
2010-03-26 11:18:27 +11:00
Darren Tucker
ffd1eaadb0 - (dtucker) Bug #1725: explicitly link libX11 into gnome-ssh-askpass2 using
pkg-config, patch from Colin Watson.  Needed for newer linkers (ie gold).
2010-03-26 11:16:39 +11:00
Damien Miller
6480c63b75 - (djm) [channels.c] Check for EPFNOSUPPORT as a socket() errno; bz#1721
ok dtucker@
2010-03-26 11:09:44 +11:00
Damien Miller
8b90642fcf - (djm) [session.c] Allow ChrootDirectory to work on SELinux platforms -
set up SELinux execution context before chroot() call. From Russell
   Coker via Colin watson; bz#1726 ok dtucker@
2010-03-26 11:04:09 +11:00
Damien Miller
44451d0af8 - djm@cvs.openbsd.org 2010/03/25 23:38:28
[servconf.c]
     from portable: getcwd(NULL, 0) doesn't work on all platforms, so
     use a stack buffer; ok dtucker@
2010-03-26 10:40:04 +11:00
Darren Tucker
a83d90fbab - (dtucker) [configure.ac] Bug #1741: Add section for Haiku, patch originally
by Ingo Weinhold via Scott McCreary, ok djm@
2010-03-26 10:27:33 +11:00