OpenBSD CVS

CVS log for src/usr.bin/ssh/auth-options.h





Default branch: MAIN


Revision 1.31, Fri Jul 23 03:57:20 2021 UTC by djm
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4, OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1, OPENBSD_7_0_BASE, OPENBSD_7_0, HEAD
Changes since 1.30: +5 -2 lines

make authorized_keys environment="..." directives first-match-wins
and more strictly limit their maximum number; prompted by OOM
reported by OSS-fuzz (35470).

feedback and ok dtucker@

Revision 1.30, Thu Aug 27 01:07:09 2020 UTC by djm
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9, OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.29: +3 -1 lines

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@

Revision 1.29, Mon Nov 25 00:54:23 2019 UTC by djm
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.28: +4 -1 lines

add a "no-touch-required" option for authorized_keys and a similar
extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched
their key to authorize them.

feedback deraadt, ok markus

Revision 1.28, Tue Jul 9 04:15:00 2019 UTC by djm
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.27: +4 -1 lines

cap the number of permitopen/permitlisten directives we're willing to
parse on a single authorized_keys line; ok deraadt@

Revision 1.27, Wed Jun 6 18:23:32 2018 UTC by djm
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5, OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.26: +5 -1 lines

permitlisten option for authorized_keys; ok markus@

Revision 1.26, Mon Mar 12 00:52:01 2018 UTC by djm
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.25: +4 -1 lines

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@
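
The option semantics described in revisions 1.31, 1.30, 1.29, 1.28 and 1.26 above, as an added example that is not code from OpenSSH or from this CVS history: a small Python parser for the options field of one authorized_keys line. It applies environment= as first-match-wins per variable with a cap on the number of directives, caps permitopen/permitlisten, turns valid-before= into an expiry check, and checks the touch/verification bits of a FIDO signature against no-touch-required and verify-required. Assumptions: MAX_ENV and MAX_PERMIT are illustrative caps, not sshd's real limits; valid-before is read in the YYYYMMDD[HHMM[SS]] form and interpreted as UTC; only the options discussed in this log are recognised, and any other option rejects the line.

```python
"""Added example, not OpenSSH code: parse one authorized_keys options field.
MAX_ENV and MAX_PERMIT are illustrative caps, not sshd's real limits; the
valid-before format YYYYMMDD[HHMM[SS]] is read as UTC (an assumption)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

MAX_ENV = 8      # illustrative cap on environment= directives (rev 1.31)
MAX_PERMIT = 8   # illustrative cap on permitopen/permitlisten (rev 1.28)

class OptionError(ValueError):
    """The whole options string must be rejected."""

def tokenize(opts: str) -> List[str]:
    """Split 'a,b="x,y",c' into ['a', 'b=x,y', 'c'].  Double quotes protect
    commas; a backslash inside quotes escapes the next character."""
    out, cur, quoted, i = [], [], False, 0
    while i < len(opts):
        ch = opts[i]
        if quoted and ch == "\\" and i + 1 < len(opts):
            cur.append(opts[i + 1])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if quoted:
        raise OptionError("unterminated quoted value")
    out.append("".join(cur))
    return [t for t in out if t]

@dataclass
class AuthOptions:
    environment: Dict[str, str] = field(default_factory=dict)  # first wins
    permitopen: List[str] = field(default_factory=list)
    permitlisten: List[str] = field(default_factory=list)
    valid_before: Optional[datetime] = None
    flags: Set[str] = field(default_factory=set)  # no-pty, verify-required...

def parse_valid_before(spec: str) -> datetime:
    for fmt in ("%Y%m%d", "%Y%m%d%H%M", "%Y%m%d%H%M%S"):
        try:
            return datetime.strptime(spec, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise OptionError(f"bad valid-before time {spec!r}")

def parse_options(opts: str) -> AuthOptions:
    ao, n_env = AuthOptions(), 0
    for tok in tokenize(opts):
        name, sep, value = tok.partition("=")
        name = name.lower()
        if not sep:                       # bare flag such as no-pty
            ao.flags.add(name)
        elif name == "environment":
            var, eq, val = value.partition("=")
            if not eq or not var:
                raise OptionError(f"malformed {tok!r}")
            n_env += 1                    # repeats count toward the cap too
            if n_env > MAX_ENV:
                raise OptionError("too many environment= directives")
            ao.environment.setdefault(var, val)   # first match wins
        elif name in ("permitopen", "permitlisten"):
            lst = getattr(ao, name)
            if len(lst) >= MAX_PERMIT:
                raise OptionError(f"too many {name}= directives")
            lst.append(value)
        elif name == "valid-before":
            ao.valid_before = parse_valid_before(value)
        else:                             # unknown option: skip the key, as sshd does
            raise OptionError(f"unknown option {name!r}")
    return ao

def key_usable(ao: AuthOptions, now: Optional[datetime] = None) -> bool:
    """False once the valid-before time has been reached (rev 1.26)."""
    now = now or datetime.now(timezone.utc)
    return ao.valid_before is None or now < ao.valid_before

def fido_ok(ao: AuthOptions, touched: bool, verified: bool,
            verify_required: bool = False) -> bool:
    """touched/verified are the user-presence and user-verification bits a
    FIDO signature carries.  Touch is needed unless no-touch-required is set
    (rev 1.29); verification when verify-required is set on the key or in
    sshd_config (rev 1.30)."""
    if not touched and "no-touch-required" not in ao.flags:
        return False
    return verified or not (verify_required or "verify-required" in ao.flags)

def rejects(opts: str) -> bool:
    """True when parse_options refuses the whole line."""
    try:
        parse_options(opts)
    except OptionError:
        return True
    return False
```

The reason the cap counts every environment= directive rather than only distinct variable names is the point of revision 1.31: a line that repeats the same variable thousands of times must be rejected early instead of being parsed and then deduplicated, otherwise the parser can still be made to allocate without bound.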

Revision 1.25, Sat Mar 3 03:15:51 2018 UTC by djm
Branch: MAIN
Changes since 1.24: +13 -33 lines

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@

Revision 1.24, Sat Mar 3 03:06:02 2018 UTC by djm
Branch: MAIN
Changes since 1.23: +69 -1 lines

Introduce a new API for handling authorized_keys options. This API
parses options to a dedicated structure rather than the old API's
approach of setting global state. It also includes support for merging
options, e.g. from authorized_keys, authorized_principals and/or
certificates.

feedback and ok markus@

Revision 1.23, Wed May 31 10:54:00 2017 UTC by markus
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.22: +2 -2 lines

make sure we don't pass a NULL string to vfprintf (triggered by the
principals-command regress test); ok bluhm

Revision 1.22, Wed Nov 30 02:57:40 2016 UTC by djm
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.21: +2 -2 lines

When a forced-command appears in both a certificate and an
authorized keys/principals command= restriction, refuse to accept
the certificate unless they are identical.

The previous (documented) behaviour of having the certificate forced-
command override the other could be a bit confused and more error-prone.

Pointed out by Jann Horn of Project Zero; ok dtucker@

Revision 1.21, Wed Jan 14 10:30:34 2015 UTC by markus
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0, OPENBSD_5_9_BASE, OPENBSD_5_9, OPENBSD_5_8_BASE, OPENBSD_5_8, OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.20: +2 -2 lines

switch auth-options to new sshbuf/sshkey; ok djm@

Revision 1.20, Fri May 7 11:30:29 2010 UTC by djm
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6, OPENBSD_5_5_BASE, OPENBSD_5_5, OPENBSD_5_4_BASE, OPENBSD_5_4, OPENBSD_5_3_BASE, OPENBSD_5_3, OPENBSD_5_2_BASE, OPENBSD_5_2, OPENBSD_5_1_BASE, OPENBSD_5_1, OPENBSD_5_0_BASE, OPENBSD_5_0, OPENBSD_4_9_BASE, OPENBSD_4_9, OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.19: +2 -1 lines

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@
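
The certificate authorisation rules described in revisions 1.24, 1.22 and 1.20 above, as an added example that is not code from OpenSSH or from this CVS history: options from an authorized_keys CA line and from the certificate are parsed into separate records and merged so that restrictions only accumulate; a forced command present on both sides must be identical or the login is refused; and the certificate must carry the login name as a principal unless the CA line's principals= list, or an AuthorizedPrincipalsFile, supplies the names that are acceptable instead. The Opts and Cert records, their field names, and the way both principal sources feed one `acceptable` set are this example's own modelling, not OpenSSH structures.

```python
"""Added example, not OpenSSH code: certificate login under the merge rule
(rev 1.24), the identical-forced-command rule (rev 1.22) and principals=
/ AuthorizedPrincipalsFile matching (rev 1.20).  Opts and Cert are this
example's own records, not sshd's data structures."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

class Refused(Exception):
    """Authentication must fail."""

@dataclass(frozen=True)
class Opts:
    force_command: Optional[str] = None
    permit_pty: bool = True
    permit_port_forwarding: bool = True
    permit_user_rc: bool = True
    principals: Optional[FrozenSet[str]] = None  # principals="a,b" on a CA line

@dataclass(frozen=True)
class Cert:
    principals: FrozenSet[str]   # names embedded in the certificate
    opts: Opts                   # force-command and permit-* from the cert

def merge(primary: Opts, additional: Opts) -> Opts:
    """Combine two option sets.  A permission survives only if both grant it.
    Two forced commands are accepted only when identical (rev 1.22); the
    older rule of letting the certificate's command override is gone."""
    a, b = primary.force_command, additional.force_command
    if a and b and a != b:
        raise Refused("forced command in certificate and authorized_keys differ")
    return Opts(
        force_command=a or b,
        permit_pty=primary.permit_pty and additional.permit_pty,
        permit_port_forwarding=(primary.permit_port_forwarding
                                and additional.permit_port_forwarding),
        permit_user_rc=primary.permit_user_rc and additional.permit_user_rc,
        principals=primary.principals,
    )

def principal_ok(login: str, cert: Cert,
                 acceptable: Optional[FrozenSet[str]]) -> bool:
    """acceptable is the CA line's principals= list or the contents of an
    AuthorizedPrincipalsFile; None means the default rule applies and the
    login name itself must be one of the certificate's principals."""
    if acceptable is None:
        return login in cert.principals
    return bool(acceptable & cert.principals)

def authorize(login: str, cert: Cert, ca_line: Opts,
              principals_file: Optional[FrozenSet[str]] = None) -> Opts:
    """Return the effective options for this login, or raise Refused."""
    acceptable = (ca_line.principals if ca_line.principals is not None
                  else principals_file)
    if not principal_ok(login, cert, acceptable):
        raise Refused(f"certificate has no acceptable principal for {login!r}")
    return merge(ca_line, cert.opts)

def refused(login: str, cert: Cert, ca_line: Opts,
            principals_file: Optional[FrozenSet[str]] = None) -> bool:
    """True when authorize() would reject this login."""
    try:
        authorize(login, cert, ca_line, principals_file)
    except Refused:
        return True
    return False
```

The merge deliberately has no "override" direction: whichever side is more restrictive wins for each permission, so an operator who writes no-pty on the CA line cannot have it undone by a certificate, and a certificate that restricts port forwarding keeps that restriction on a permissive CA line.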

Revision 1.19, Fri Apr 16 01:47:26 2010 UTC by djm
Branch: MAIN
Changes since 1.18: +2 -2 lines

revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the
following changes:

move the nonce field to the beginning of the certificate where it can
better protect against chosen-prefix attacks on the signature hash

Rename "constraints" field to "critical options"

Add a new non-critical "extensions" field

Add a serial number

The older format is still supported for authentication and cert generation
(use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)

ok markus@

Revision 1.18, Fri Feb 26 20:29:54 2010 UTC by djm
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.17: +3 -1 lines

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@

Revision 1.17, Wed Mar 26 21:28:14 2008 UTC by djm
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6, OPENBSD_4_5_BASE, OPENBSD_4_5, OPENBSD_4_4_BASE, OPENBSD_4_4
Changes since 1.16: +2 -1 lines

add no-user-rc authorized_keys option to disable execution of ~/.ssh/rc

Revision 1.12.14.2, Fri Oct 6 03:19:32 2006 UTC by brad
Branch: OPENBSD_3_8
Changes since 1.12.14.1: +1 -1 lines

upgrade to OpenSSH 4.4

Revision 1.13.2.1, Sat Sep 30 04:06:50 2006 UTC by brad
Branch: OPENBSD_3_9
Changes since 1.13: +1 -1 lines

upgrade to OpenSSH 4.4

Revision 1.16, Thu Aug 3 03:34:41 2006 UTC by deraadt
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE, OPENBSD_4_3, OPENBSD_4_2_BASE, OPENBSD_4_2, OPENBSD_4_1_BASE, OPENBSD_4_1, OPENBSD_4_0_BASE, OPENBSD_4_0
Changes since 1.15: +1 -5 lines

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

Revision 1.15, Thu Jul 6 16:03:53 2006 UTC by stevesk
Branch: MAIN
Changes since 1.14: +5 -1 lines

move #include <pwd.h> out of includes.h; ok markus@

Revision 1.14, Sat Mar 25 22:22:42 2006 UTC by djm
Branch: MAIN
Changes since 1.13: +1 -1 lines

standardise spacing in $OpenBSD$ tags; requested by deraadt@

Revision 1.12.14.1, Fri Feb 3 03:01:55 2006 UTC by brad
Branch: OPENBSD_3_8
Changes since 1.12: +2 -1 lines

upgrade to OpenSSH 4.3

Revision 1.12.12.1, Fri Feb 3 02:53:44 2006 UTC by brad
Branch: OPENBSD_3_7
Changes since 1.12: +2 -1 lines

upgrade to OpenSSH 4.3

Revision 1.13, Tue Dec 6 22:38:27 2005 UTC by reyk
Branch: MAIN
CVS Tags: OPENBSD_3_9_BASE
Branch point for: OPENBSD_3_9
Changes since 1.12: +2 -1 lines

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others

Revision 1.10.2.2, Fri Oct 11 14:53:06 2002 UTC by miod
Branch: OPENBSD_3_0
Changes since 1.10.2.1: +1 -2 lines

Update to OpenSSH 3.5

Revision 1.11.2.1, Fri Oct 11 14:51:51 2002 UTC by miod
Branch: OPENBSD_3_1
Changes since 1.11: +1 -2 lines

Update to OpenSSH 3.5

Revision 1.12, Sun Jul 21 18:34:43 2002 UTC by stevesk
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE, OPENBSD_3_7_BASE, OPENBSD_3_6_BASE, OPENBSD_3_6, OPENBSD_3_5_BASE, OPENBSD_3_5, OPENBSD_3_4_BASE, OPENBSD_3_4, OPENBSD_3_3_BASE, OPENBSD_3_3, OPENBSD_3_2_BASE, OPENBSD_3_2
Branch point for: OPENBSD_3_8, OPENBSD_3_7
Changes since 1.11: +1 -2 lines

remove invalid comment

Revision 1.8.2.2, Sat Mar 9 00:20:43 2002 UTC by miod
Branch: OPENBSD_2_9
Changes since 1.8.2.1: +2 -2 lines

Merge OpenSSH 3.1, keeping /etc as configuration files directory.
(i.e. OpenSSH 3.1 + openbsd29_3.1.patch)

Revision 1.5.2.6, Fri Mar 8 17:04:41 2002 UTC by brad
Branch: OPENBSD_2_8
Changes since 1.5.2.5: +2 -2 lines

Merge OpenSSH 3.1.

Revision 1.10.2.1, Thu Mar 7 17:37:46 2002 UTC by jason
Branch: OPENBSD_3_0
Changes since 1.10: +2 -2 lines

Update to OpenSSH-3.1 on 3.0-stable branch

Revision 1.11, Mon Mar 4 17:27:39 2002 UTC by stevesk
Branch: MAIN
CVS Tags: OPENBSD_3_1_BASE
Branch point for: OPENBSD_3_1
Changes since 1.10: +2 -2 lines

$OpenBSD$ and RCSID() cleanup: don't use RCSID() in .h files; add
missing RCSID() to .c files and remove dup /*$OpenBSD$*/ from .c
files.  ok markus@

Revision 1.8.2.1, Thu Sep 27 19:03:54 2001 UTC by jason
Branch: OPENBSD_2_9
Changes since 1.8: +2 -10 lines

Pull in OpenSSH-2.9.9

Revision 1.5.2.5, Thu Sep 27 00:15:41 2001 UTC by miod
Branch: OPENBSD_2_8
Changes since 1.5.2.4: +2 -10 lines

Pull in OpenSSH 2.9.9 to the 2.8 branch.

Revision 1.10, Tue Jun 26 17:27:22 2001 UTC by markus
Branch: MAIN
CVS Tags: OPENBSD_3_0_BASE
Branch point for: OPENBSD_3_0
Changes since 1.9: +2 -9 lines

remove comments from .h, since they are cut&paste from the .c files
and out of sync

Revision 1.9, Tue Jun 26 06:32:47 2001 UTC by itojun
Branch: MAIN
Changes since 1.8: +2 -3 lines

prototype pedant.  not very creative...
- () -> (void)
- no variable names

Revision 1.5.2.4, Mon May 7 21:09:25 2001 UTC by jason
Branch: OPENBSD_2_8
Changes since 1.5.2.3: +0 -0 lines

Pull in OpenSSH-2.9 to 2.8 branch.

Revision 1.5.2.3, Wed Mar 21 19:46:22 2001 UTC by jason
Branch: OPENBSD_2_8
Changes since 1.5.2.2: +0 -0 lines

Pull in OpenSSH-2.5.2 for 2.8 branch.

Revision 1.1.2.4, Wed Mar 21 18:52:32 2001 UTC by jason
Branch: OPENBSD_2_7
Changes since 1.1.2.3: +0 -0 lines

Pull in OpenSSH-2.5.2 for 2.7 branch.

Revision 1.1.2.3, Mon Mar 12 15:44:07 2001 UTC by jason
Branch: OPENBSD_2_7
Changes since 1.1.2.2: +16 -3 lines

OpenSSH-2.5.1 for 2.7 patch branch

Revision 1.5.2.2, Mon Feb 19 17:18:34 2001 UTC by jason
Branch: OPENBSD_2_8
Changes since 1.5.2.1: +0 -0 lines

Pull in OpenSSH-2.5.1

Revision 1.5.2.1, Fri Feb 16 20:12:51 2001 UTC by jason
Branch: OPENBSD_2_8
Changes since 1.5: +16 -3 lines

Pull in OpenSSH 2.5.0

Revision 1.8, Sun Jan 21 19:05:42 2001 UTC by markus
Branch: MAIN
CVS Tags: OPENBSD_2_9_BASE
Branch point for: OPENBSD_2_9
Changes since 1.7: +8 -1 lines

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

Revision 1.7, Sat Jan 20 15:55:20 2001 UTC by markus
Branch: MAIN
Changes since 1.6: +9 -3 lines

pass the filename to auth_parse_options()

Revision 1.6, Tue Dec 19 23:17:55 2000 UTC by markus
Branch: MAIN
Changes since 1.5: +2 -2 lines

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.

Revision 1.1.2.2, Wed Nov 8 21:30:18 2000 UTC by jason
Branch: OPENBSD_2_7
Changes since 1.1.2.1: +18 -0 lines

openssh-2.3.0 (again) for 2.7 branch

Revision 1.5, Mon Oct 16 09:38:44 2000 UTC by djm
Branch: MAIN
CVS Tags: OPENBSD_2_8_BASE
Branch point for: OPENBSD_2_8
Changes since 1.4: +3 -0 lines

Add idents for files which lack them

Fix idents Id -> OpenBSD for the rest

Revision 1.4, Wed Oct 11 20:00:26 2000 UTC by markus
Branch: MAIN
Changes since 1.3: +3 -0 lines

clear auth options unless auth successful

Revision 1.3, Thu Sep 7 21:13:36 2000 UTC by markus
Branch: MAIN
Changes since 1.2: +9 -20 lines

some more Copyright fixes

Revision 1.2, Thu Sep 7 20:27:49 2000 UTC by deraadt
Branch: MAIN
Changes since 1.1: +23 -0 lines

cleanup copyright notices on all files.  I have attempted to be accurate with
the details.  everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence.  We're not changing any rules, just
being accurate.

Revision 1.1.2.1, Fri Sep 1 18:23:16 2000 UTC by jason
Branch: OPENBSD_2_7
Changes since 1.1: +0 -0 lines

Pull in the rest of openssh-2.2.0 to 2.7 branch (luvin' cvs...)

Revision 1.1, Sun Jun 18 04:05:02 2000 UTC by markus
Branch: MAIN
Branch point for: OPENBSD_2_7

split auth-rsa option parsing into auth-options
add options support to authorized_keys2
