OpenBSD CVS

CVS log for src/usr.bin/ssh/auth2-pubkey.c



Default branch: MAIN


Revision 1.120, Fri May 17 00:30:23 2024 UTC (110 minutes, 11 seconds ago) by djm
Branch: MAIN
CVS Tags: HEAD
Changes since 1.119: +7 -8 lines

Start the process of splitting sshd into separate binaries. This step
splits sshd into a listener and a session binary. More splits are
planned.

After this change, the listener binary will validate the configuration,
load the hostkeys, listen on port 22 and manage MaxStartups only. All
session handling will be performed by a new sshd-session binary that the
listener fork+execs.

This reduces the listener process to the minimum necessary and sets us
up for future work on the sshd-session binary.

feedback/ok markus@ deraadt@

NB. if you're updating via source, please restart sshd after installing,
otherwise you run the risk of locking yourself out.

Revision 1.119, Thu Jul 27 22:25:17 2023 UTC (9 months, 2 weeks ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.118: +23 -12 lines

make sshd_config AuthorizedPrincipalsCommand and AuthorizedKeysCommand
accept the %D (routing domain) and a new %C (connection address/port
4-tuple) as expansion sequences; ok markus

Revision 1.118, Fri Feb 17 04:22:50 2023 UTC (14 months, 4 weeks ago) by dtucker
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.117: +1 -7 lines

Remove now-unused compat bit SSH_BUG_RSASIGMD5.  The code to set this
was removed in OpenSSH 7.7 when support for SSH implementations dating
back to before RFC standardization was removed.  "burn it all" djm@

Revision 1.117, Sat Sep 17 10:34:29 2022 UTC (19 months, 4 weeks ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.116: +6 -1 lines

Add RequiredRSASize for sshd(8); RSA keys that fall beneath this limit
will be ignored for user and host-based authentication.

Feedback deraadt@ ok markus@

Revision 1.116, Wed Jun 15 16:08:25 2022 UTC (23 months ago) by djm
Branch: MAIN
Changes since 1.115: +8 -11 lines

make sure that UseDNS hostname lookup happens in the monitor and
not in the pledge(2)'d unprivileged process; fixes regression
caused by recent refactoring spotted by henning@

Revision 1.115, Fri May 27 05:02:46 2022 UTC (23 months, 3 weeks ago) by djm
Branch: MAIN
Changes since 1.114: +6 -305 lines

split the low-level file handling functions out from auth2-pubkey.c

Put them in a new auth2-pubkeyfile.c to make it easier to refer to them
(e.g. in unit/fuzz tests) without having to refer to everything else
pubkey auth brings in.

ok dtucker@

Revision 1.114, Fri May 27 05:01:25 2022 UTC (23 months, 3 weeks ago) by djm
Branch: MAIN
Changes since 1.113: +55 -37 lines

refactor authorized_keys/principals handling

remove "struct ssh *" from arguments - this was only used to pass the
remote host/address. These can be passed in instead and the resulting
code is less tightly coupled to ssh_api.[ch]

ok dtucker@

Revision 1.113, Sun Feb 27 01:33:59 2022 UTC (2 years, 2 months ago) by naddy
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.112: +3 -3 lines

include rejected signature algorithm in error message and not the
(useless) key type; ok djm@

Revision 1.112, Sun Dec 19 22:12:30 2021 UTC (2 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.111: +29 -8 lines

sshd side of hostbound public key auth

This is identical to the standard "publickey" method, but it also includes
the initial server hostkey in the message signed by the client.

feedback / ok markus@

Revision 1.111, Sun Dec 19 22:12:07 2021 UTC (2 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.110: +4 -3 lines

prepare for multiple names for authmethods

allow authentication methods to have one additional name beyond their
primary name.

allow lookup by this synonym

Use primary name for authentication decisions, e.g. for
PermitRootLogin=publickey

Pass actual invoked name to the authmethods, so they can tell whether they
were requested via their primary name or synonym.

ok markus@

Revision 1.110, Wed Sep 29 01:33:32 2021 UTC (2 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.109: +8 -3 lines

add some debug output showing how many key file/command lines
were processed. Useful to see whether a file or command actually has
keys present

Revision 1.109, Fri Jul 23 03:37:52 2021 UTC (2 years, 9 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.108: +3 -3 lines

Let allowed signers files used by ssh-keygen(1) signatures support key
lifetimes, and allow the verification mode to specify a signature time
to check at. This is intended for use by git to support signing
objects using ssh keys. ok dtucker@

Revision 1.108, Tue Jun 8 06:54:40 2021 UTC (2 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.107: +4 -3 lines

Allow argv_split() to optionally terminate tokenisation when it
encounters an unquoted comment.

Add some additional utility functions for working with argument
vectors, since we'll be switching to using them to parse
ssh/sshd_config shortly.

ok markus@ as part of a larger diff; tested in snaps

Revision 1.107, Sat Apr 3 06:18:40 2021 UTC (3 years, 1 month ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.106: +4 -3 lines

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185

Revision 1.106, Wed Jan 27 10:05:28 2021 UTC (3 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.105: +5 -6 lines

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@

Revision 1.105, Tue Jan 26 00:49:30 2021 UTC (3 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.104: +3 -3 lines

move check_host_cert() from sshconnect.c to sshkey.c and refactor
it to make it more generally usable and testable.

ok markus@

Revision 1.104, Fri Jan 22 02:44:58 2021 UTC (3 years, 3 months ago) by dtucker
Branch: MAIN
Changes since 1.103: +3 -3 lines

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted.  Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading.  The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@

Revision 1.103, Tue Dec 22 00:12:22 2020 UTC (3 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.102: +7 -5 lines

move subprocess() from auth.c to misc.c

make privilege dropping optional but allow it via callbacks (to avoid
need to link uidswap.c everywhere)

add some other flags (keep environment, disable strict path safety check)
that make this more useful for client-side use.

feedback & ok markus@

Revision 1.102, Thu Dec 17 23:28:50 2020 UTC (3 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.101: +3 -3 lines

fix possible error("%s", NULL) on error paths

Revision 1.101, Sun Oct 18 11:32:01 2020 UTC (3 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.100: +46 -58 lines

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

Revision 1.100, Thu Aug 27 01:07:09 2020 UTC (3 years, 8 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.99: +16 -2 lines

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@

Revision 1.99, Thu Feb 6 22:30:54 2020 UTC (4 years, 3 months ago) by naddy
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.98: +3 -2 lines

Replace "security key" with "authenticator" in program messages.

This replaces "security key" in error/usage/verbose messages and
distinguishes between "authenticator" and "authenticator-hosted key".

ok djm@

Revision 1.98, Thu Jan 23 07:10:22 2020 UTC (4 years, 3 months ago) by dtucker
Branch: MAIN
Changes since 1.97: +5 -5 lines

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.

Revision 1.97, Mon Nov 25 00:54:23 2019 UTC (4 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.96: +3 -2 lines

add a "no-touch-required" option for authorized_keys and a similar
extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched
their key to authorize them.

feedback deraadt, ok markus

Revision 1.96, Mon Nov 25 00:52:46 2019 UTC (4 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.95: +19 -3 lines

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@

Revision 1.95, Mon Nov 25 00:51:37 2019 UTC (4 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.94: +9 -2 lines

Add new structure for signature options

This is populated during signature verification with additional fields
that are present in and covered by the signature. At the moment, it is
only used to record security key-specific options, especially the flags
field.

with and ok markus@

Revision 1.94, Fri Sep 6 04:53:27 2019 UTC (4 years, 8 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.93: +2 -1 lines

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly

Revision 1.93, Tue Sep 3 08:30:47 2019 UTC (4 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.92: +2 -24 lines

move advance_past_options to authfile.c and make it public;
ok markus@

Revision 1.92, Tue Sep 3 08:29:58 2019 UTC (4 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.91: +1 -11 lines

move skip_space() to misc.c and make it public; ok markus@

Revision 1.91, Tue Jul 16 13:18:39 2019 UTC (4 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.90: +2 -2 lines

remove mostly vestigial uuencode.[ch]; moving the only unique
functionality there (wrapping of base64-encoded data) to sshbuf
functions; feedback and ok markus@

Revision 1.90, Fri Jun 21 03:19:59 2019 UTC (4 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.89: +3 -3 lines

print the correct AuthorizedPrincipalsCommand rather than an
uninitialised variable; spotted by dtucker@

Revision 1.89, Fri Jun 14 03:39:59 2019 UTC (4 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.88: +18 -11 lines

for public key authentication, check AuthorizedKeysFiles files before
consulting AuthorizedKeysCommand; ok dtucker markus

Revision 1.88, Mon May 20 00:25:55 2019 UTC (4 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.87: +2 -2 lines

embiggen format buffer size for certificate serial number so
that it will fit a full 64 bit integer. bz#3012 from Manoel Domingues
Junior

Revision 1.87, Tue Jan 22 11:26:16 2019 UTC (5 years, 3 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.86: +17 -1 lines

print the full pubkey being attempted at loglevel >= debug2; bz2939

Revision 1.86, Thu Sep 20 03:28:06 2018 UTC (5 years, 7 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.85: +8 -2 lines

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@

Revision 1.85, Tue Aug 28 12:25:53 2018 UTC (5 years, 8 months ago) by mestre
Branch: MAIN
Changes since 1.84: +2 -2 lines

fix misplaced parenthesis inside if-clause. it's harmless and the only issue is
showing an unknown error (since it's not defined) during fatal(), if an
error ever occurs inside that condition.

OK deraadt@ markus@ djm@

Revision 1.84, Thu Aug 23 03:01:08 2018 UTC (5 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.83: +2 -2 lines

memleak introduced in r1.83; from Colin Watson

Revision 1.83, Tue Jul 31 03:10:27 2018 UTC (5 years, 9 months ago) by djm
Branch: MAIN
Changes since 1.82: +15 -10 lines

delay bailout for invalid authenticating user until after the packet
containing the request has been fully parsed. Reported by Dariusz Tytko
and Michał Sajdak; ok deraadt

Revision 1.82, Wed Jul 11 18:55:11 2018 UTC (5 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.81: +3 -3 lines

treat ssh_packet_write_wait() errors as fatal; ok djm@

Revision 1.81, Mon Jul 9 21:35:50 2018 UTC (5 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.80: +2 -2 lines

sshd: switch authentication to sshbuf API; ok djm@

Revision 1.80, Tue Jul 3 11:39:54 2018 UTC (5 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.79: +7 -6 lines

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@

Revision 1.79, Wed Jun 6 18:29:18 2018 UTC (5 years, 11 months ago) by markus
Branch: MAIN
Changes since 1.78: +11 -5 lines

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@

Revision 1.78, Fri Jun 1 03:33:53 2018 UTC (5 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.77: +9 -3 lines

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@

Revision 1.77, Sat Mar 3 03:15:51 2018 UTC (6 years, 2 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.76: +366 -168 lines

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@

Revision 1.76, Wed Feb 7 22:52:45 2018 UTC (6 years, 3 months ago) by dtucker
Branch: MAIN
Changes since 1.75: +3 -5 lines

ssh_free checks for and handles NULL args, remove NULL checks from remaining
callers.  ok djm@

Revision 1.75, Tue Jan 23 05:27:21 2018 UTC (6 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.74: +10 -37 lines

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@

Revision 1.74, Thu Dec 21 00:00:28 2017 UTC (6 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.73: +2 -2 lines

revert stricter key type / signature type checking in userauth path;
too much software generates inconsistent messages, so we need a
better plan.

Revision 1.73, Tue Dec 19 00:24:34 2017 UTC (6 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.72: +28 -8 lines

include signature type and CA key (if applicable) in some debug messages

Revision 1.72, Mon Dec 18 02:25:15 2017 UTC (6 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.71: +2 -2 lines

pass negotiated signing algorithm through to sshkey_verify() and
check that the negotiated algorithm matches the type in the
signature (only matters for RSA SHA1/SHA2 sigs). ok markus@

Revision 1.71, Thu Sep 7 23:48:09 2017 UTC (6 years, 8 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.70: +2 -2 lines

typo in comment

Revision 1.70, Fri Aug 18 05:48:04 2017 UTC (6 years, 9 months ago) by djm
Branch: MAIN
Changes since 1.69: +3 -3 lines

add a "quiet" flag to exited_cleanly() that suppresses errors about
exit status (failure due to signal is still reported)

Revision 1.69, Fri Aug 18 05:36:45 2017 UTC (6 years, 9 months ago) by djm
Branch: MAIN
Changes since 1.68: +9 -290 lines

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@

Revision 1.68, Sat Jun 24 06:34:38 2017 UTC (6 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.67: +4 -76 lines

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@

Revision 1.67, Wed May 31 10:54:00 2017 UTC (6 years, 11 months ago) by markus
Branch: MAIN
Changes since 1.66: +4 -5 lines

make sure we don't pass a NULL string to vfprintf (triggered by the
principals-command regress test); ok bluhm

Revision 1.66, Wed May 31 09:15:42 2017 UTC (6 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.65: +5 -4 lines

Switch to recallocarray() for a few operations.  Both growth and shrinkage
are handled safely, and there also is no need for preallocation dances.
Future changes in this area will be less error prone.
Review and one bug found by markus

Revision 1.65, Tue May 30 14:29:59 2017 UTC (6 years, 11 months ago) by markus
Branch: MAIN
Changes since 1.64: +3 -3 lines

switch auth2 to ssh_dispatch API; ok djm@

Revision 1.64, Tue May 30 14:10:53 2017 UTC (6 years, 11 months ago) by markus
Branch: MAIN
Changes since 1.63: +111 -83 lines

switch auth2-pubkey.c to modern APIs; with & ok djm@

Revision 1.63, Tue May 30 08:52:19 2017 UTC (6 years, 11 months ago) by markus
Branch: MAIN
Changes since 1.62: +10 -9 lines

switch from Key typedef to struct sshkey; ok djm@

Revision 1.62, Mon Jan 30 01:03:00 2017 UTC (7 years, 3 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.61: +12 -5 lines

revise keys/principals command hang fix (bz#2655) to consume entire
output, avoiding sending SIGPIPE to subprocesses early; ok dtucker@

Revision 1.61, Fri Dec 30 22:08:02 2016 UTC (7 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.60: +7 -1 lines

fix deadlock when keys/principals command produces a lot of output
and a key is matched early; bz#2655, patch from jboning AT gmail.com

Revision 1.60, Wed Nov 30 02:57:40 2016 UTC (7 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.59: +8 -10 lines

When a forced-command appears in both a certificate and an
authorized keys/principals command= restriction, refuse to accept
the certificate unless they are identical.

The previous (documented) behaviour of having the certificate forced-
command override the other could be a bit confused and more error-prone.

Pointed out by Jann Horn of Project Zero; ok dtucker@

Revision 1.59, Wed Sep 21 17:44:20 2016 UTC (7 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.58: +3 -2 lines

cast uint64_t for printf

Revision 1.58, Wed Sep 21 01:34:45 2016 UTC (7 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.57: +5 -1 lines

add a way for principals command to see key ID and serial too

Revision 1.57, Wed Sep 14 20:11:26 2016 UTC (7 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.56: +2 -2 lines

take fingerprint of correct key for AuthorizedPrincipalsCommand

Revision 1.56, Wed Sep 14 05:42:25 2016 UTC (7 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.55: +35 -5 lines

add %-escapes to AuthorizedPrincipalsCommand to match those supported
for AuthorizedKeysCommand (key, key type, fingerprint, etc) and a
few more to provide access to the certificate's CA key;
'looks ok' dtucker@

Revision 1.55, Wed Jan 27 00:53:12 2016 UTC (8 years, 3 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0, OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.54: +16 -11 lines

make the debug messages a bit more useful here

Revision 1.54, Tue Oct 27 01:44:45 2015 UTC (8 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.53: +7 -4 lines

log certificate serial in verbose() messages to match the main
auth success/fail message; ok dtucker@

Revision 1.53, Mon Jun 15 18:44:22 2015 UTC (8 years, 11 months ago) by jsing
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.52: +7 -6 lines

If AuthorizedPrincipalsCommand is specified, however
AuthorizedPrincipalsFile is not (or is set to "none"), authentication will
potentially fail due to key_cert_check_authority() failing to locate a
principal that matches the username, even though an authorized principal
has already been matched in the output of the subprocess. Fix this by using
the same logic to determine if pw->pw_name should be passed, as is used to
determine if an authorized principal must be matched earlier on.

ok djm@

Revision 1.52, Mon Jun 15 18:42:19 2015 UTC (8 years, 11 months ago) by jsing
Branch: MAIN
Changes since 1.51: +4 -4 lines

Make the arguments to match_principals_command() similar to
match_principals_file(), by changing the last argument to a
struct sshkey_cert * and dereferencing key->cert in the caller.

No functional change.

ok djm@

Revision 1.51, Thu May 21 06:43:30 2015 UTC (8 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.50: +127 -23 lines

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@

Revision 1.50, Thu May 21 06:38:35 2015 UTC (8 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.49: +361 -103 lines

support arguments to AuthorizedKeysCommand

bz#2081 loosely based on patch by Sami Hartikainen
feedback and ok markus@

Revision 1.49, Mon May 4 06:10:48 2015 UTC (9 years ago) by djm
Branch: MAIN
Changes since 1.48: +3 -3 lines

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@

Revision 1.48, Fri May 1 03:23:51 2015 UTC (9 years ago) by djm
Branch: MAIN
Changes since 1.47: +4 -4 lines

prevent authorized_keys options picked up on public key tests without
a corresponding private key authentication being applied to other
authentication methods. Reported by halex@, ok markus@

Revision 1.47, Tue Feb 17 00:14:05 2015 UTC (9 years, 3 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.46: +3 -3 lines

Regression: I broke logging of public key fingerprints in 1.46.
Pointed out by Pontus Lundkvist

Revision 1.46, Wed Jan 28 22:36:00 2015 UTC (9 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.45: +17 -12 lines

update to new API (key_fingerprint => sshkey_fingerprint)
check sshkey_fingerprint return values;
ok markus

Revision 1.45, Tue Jan 13 07:39:19 2015 UTC (9 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.44: +8 -1 lines

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@

Revision 1.44, Mon Dec 22 07:51:30 2014 UTC (9 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.43: +40 -2 lines

remember which public keys have been used for authentication and
refuse to accept previously-used keys.

This allows AuthenticationMethods=publickey,publickey to require
that users authenticate using two _different_ pubkeys.

ok markus@

Revision 1.43, Sun Dec 21 22:27:56 2014 UTC (9 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.42: +9 -7 lines

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@

Revision 1.42, Thu Dec 4 02:24:32 2014 UTC (9 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.41: +3 -3 lines

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.

Revision 1.41, Tue Jul 15 15:54:14 2014 UTC (9 years, 10 months ago) by millert
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.40: +2 -2 lines

Add support for Unix domain socket forwarding.  A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket.  This is a reimplementation
of the streamlocal patches by William Ahern from:
    http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@

Revision 1.40, Tue Jun 24 01:13:21 2014 UTC (9 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.39: +3 -3 lines

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.

Revision 1.39 / (download) - annotate - [select for diffs], Mon Dec 30 23:52:27 2013 UTC (10 years, 4 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.38: +7 -1 lines
Diff to previous 1.38 (colored)

refuse RSA keys from old proprietary clients/servers that use the
obsolete RSA+MD5 signature scheme. it will still be possible to connect
with these clients/servers but only DSA keys will be accepted, and we'll
deprecate them entirely in a future release. ok markus@

Revision 1.38 / (download) - annotate - [select for diffs], Fri Jun 21 00:34:49 2013 UTC (10 years, 10 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.37: +21 -7 lines
Diff to previous 1.37 (colored)

for hostbased authentication, print the client host and user on
the auth success/failure line; bz#2064, ok dtucker@

Revision 1.37 / (download) - annotate - [select for diffs], Sun May 19 02:38:28 2013 UTC (11 years ago) by djm
Branch: MAIN
Changes since 1.36: +31 -8 lines
Diff to previous 1.36 (colored)

fix failure to recognise cert-authority keys if a key of a different type
appeared in authorized_keys before it; ok markus@

Revision 1.36 / (download) - annotate - [select for diffs], Fri May 17 00:13:13 2013 UTC (11 years ago) by djm
Branch: MAIN
Changes since 1.35: +12 -14 lines
Diff to previous 1.35 (colored)

bye, bye xfree(); ok markus@

Revision 1.35 / (download) - annotate - [select for diffs], Thu Mar 7 00:19:59 2013 UTC (11 years, 2 months ago) by djm
Branch: MAIN
Changes since 1.34: +7 -3 lines
Diff to previous 1.34 (colored)

reconstruct the original username that was sent by the client, which may
have included a style (e.g. "root:skey") when checking public key
signatures. Fixes public key and hostbased auth when the client specified
a style; ok markus@

Revision 1.34 / (download) - annotate - [select for diffs], Thu Feb 14 21:35:59 2013 UTC (11 years, 3 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.33: +3 -3 lines
Diff to previous 1.33 (colored)

Correct error message that had a typo and was logging the wrong thing;
patch from Petr Lautrbach

Revision 1.33 / (download) - annotate - [select for diffs], Wed Nov 14 02:24:27 2012 UTC (11 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.32: +18 -14 lines
Diff to previous 1.32 (colored)

fix username passed to helper program
prepare stdio fds before closefrom()

spotted by landry@

Revision 1.32 / (download) - annotate - [select for diffs], Sun Nov 4 10:38:43 2012 UTC (11 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.31: +17 -13 lines
Diff to previous 1.31 (colored)

Remove default of AuthorizedCommandUser. Administrators are now expected
to explicitly specify a user. feedback and ok markus@

Revision 1.31 / (download) - annotate - [select for diffs], Tue Oct 30 21:29:54 2012 UTC (11 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.30: +186 -20 lines
Diff to previous 1.30 (colored)

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@

Revision 1.30 / (download) - annotate - [select for diffs], Sun Sep 25 05:44:47 2011 UTC (12 years, 7 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2, OPENBSD_5_1_BASE, OPENBSD_5_1
Changes since 1.29: +4 -3 lines
Diff to previous 1.29 (colored)

improve the AuthorizedPrincipalsFile debug log message to include
file and line number

Revision 1.29 / (download) - annotate - [select for diffs], Mon May 23 03:30:07 2011 UTC (12 years, 11 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.28: +8 -5 lines
Diff to previous 1.28 (colored)

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@

Revision 1.28 / (download) - annotate - [select for diffs], Wed May 11 04:47:06 2011 UTC (13 years ago) by djm
Branch: MAIN
Changes since 1.27: +1 -7 lines
Diff to previous 1.27 (colored)

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@

Revision 1.27 / (download) - annotate - [select for diffs], Sat Nov 20 05:12:38 2010 UTC (13 years, 5 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.26: +2 -2 lines
Diff to previous 1.26 (colored)

clean up cases of ;;

Revision 1.26 / (download) - annotate - [select for diffs], Tue Jun 29 23:16:46 2010 UTC (13 years, 10 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.25: +27 -7 lines
Diff to previous 1.25 (colored)

allow key options (command="..." and friends) in AuthorizedPrincipals;
ok markus@

Revision 1.25 / (download) - annotate - [select for diffs], Thu May 20 11:25:26 2010 UTC (14 years ago) by djm
Branch: MAIN
Changes since 1.24: +12 -6 lines
Diff to previous 1.24 (colored)

fix logspam when key options (from="..." especially) deny non-matching keys;
reported by henning@ also bz#1765; ok markus@ dtucker@

Revision 1.24 / (download) - annotate - [select for diffs], Fri May 7 11:30:29 2010 UTC (14 years ago) by djm
Branch: MAIN
Changes since 1.23: +94 -8 lines
Diff to previous 1.23 (colored)

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include the user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@

Revision 1.23 / (download) - annotate - [select for diffs], Fri Apr 16 01:47:26 2010 UTC (14 years, 1 month ago) by djm
Branch: MAIN
Changes since 1.22: +4 -5 lines
Diff to previous 1.22 (colored)

revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the
following changes:

move the nonce field to the beginning of the certificate where it can
better protect against chosen-prefix attacks on the signature hash

Rename "constraints" field to "critical options"

Add a new non-critical "extensions" field

Add a serial number

The older format is still supported for authentication and cert generation
(use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)

ok markus@

Revision 1.22 / (download) - annotate - [select for diffs], Wed Mar 10 23:27:17 2010 UTC (14 years, 2 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.21: +17 -14 lines
Diff to previous 1.21 (colored)

correct certificate logging and make it more consistent between
authorized_keys and TrustedCAKeys; ok markus@

Revision 1.21 / (download) - annotate - [select for diffs], Thu Mar 4 10:36:03 2010 UTC (14 years, 2 months ago) by djm
Branch: MAIN
Changes since 1.20: +52 -1 lines
Diff to previous 1.20 (colored)

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@

Revision 1.20 / (download) - annotate - [select for diffs], Fri Feb 26 20:29:54 2010 UTC (14 years, 2 months ago) by djm
Branch: MAIN
Changes since 1.19: +33 -4 lines
Diff to previous 1.19 (colored)

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@

Revision 1.19 / (download) - annotate - [select for diffs], Thu Jul 3 21:46:58 2008 UTC (15 years, 10 months ago) by otto
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6, OPENBSD_4_5_BASE, OPENBSD_4_5, OPENBSD_4_4_BASE, OPENBSD_4_4
Changes since 1.18: +1 -2 lines
Diff to previous 1.18 (colored)

avoid nasty double free; ok dtucker@ djm@

Revision 1.18 / (download) - annotate - [select for diffs], Wed Jul 2 12:03:51 2008 UTC (15 years, 10 months ago) by dtucker
Branch: MAIN
Changes since 1.17: +5 -33 lines
Diff to previous 1.17 (colored)

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348.  Also checks for non-regular files during protocol
1 RSA auth.  ok djm@

Revision 1.17 / (download) - annotate - [select for diffs], Fri Jun 13 14:18:51 2008 UTC (15 years, 11 months ago) by dtucker
Branch: MAIN
Changes since 1.16: +2 -1 lines
Diff to previous 1.16 (colored)

Include unistd.h for close(), prevents warnings in -portable

Revision 1.16 / (download) - annotate - [select for diffs], Fri Jun 13 04:40:22 2008 UTC (15 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.15: +23 -9 lines
Diff to previous 1.15 (colored)

refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not
regular files; report from Solar Designer via Colin Watson in bz#1471
ok dtucker@ deraadt@

Revision 1.9.4.1 / (download) - annotate - [select for diffs], Fri Oct 6 03:19:32 2006 UTC (17 years, 7 months ago) by brad
Branch: OPENBSD_3_8
Changes since 1.9: +14 -5 lines
Diff to previous 1.9 (colored) next main 1.10 (colored)

upgrade to OpenSSH 4.4

Revision 1.10.2.1 / (download) - annotate - [select for diffs], Sat Sep 30 04:06:50 2006 UTC (17 years, 7 months ago) by brad
Branch: OPENBSD_3_9
Changes since 1.10: +11 -5 lines
Diff to previous 1.10 (colored) next main 1.11 (colored)

upgrade to OpenSSH 4.4

Revision 1.15 / (download) - annotate - [select for diffs], Thu Aug 3 03:34:41 2006 UTC (17 years, 9 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE, OPENBSD_4_3, OPENBSD_4_2_BASE, OPENBSD_4_2, OPENBSD_4_1_BASE, OPENBSD_4_1, OPENBSD_4_0_BASE, OPENBSD_4_0
Changes since 1.14: +8 -5 lines
Diff to previous 1.14 (colored)

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

Revision 1.14 / (download) - annotate - [select for diffs], Tue Aug 1 23:22:47 2006 UTC (17 years, 9 months ago) by stevesk
Branch: MAIN
Changes since 1.13: +2 -1 lines
Diff to previous 1.13 (colored)

move #include <stdio.h> out of includes.h

Revision 1.13 / (download) - annotate - [select for diffs], Thu Jul 6 16:03:53 2006 UTC (17 years, 10 months ago) by stevesk
Branch: MAIN
Changes since 1.12: +3 -1 lines
Diff to previous 1.12 (colored)

move #include <pwd.h> out of includes.h; ok markus@

Revision 1.12 / (download) - annotate - [select for diffs], Sat Mar 25 13:17:01 2006 UTC (18 years, 1 month ago) by djm
Branch: MAIN
Changes since 1.11: +1 -0 lines
Diff to previous 1.11 (colored)

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

Revision 1.11 / (download) - annotate - [select for diffs], Sun Mar 19 18:51:18 2006 UTC (18 years, 2 months ago) by deraadt
Branch: MAIN
Changes since 1.10: +0 -1 lines
Diff to previous 1.10 (colored)

RCSID() can die

Revision 1.10 / (download) - annotate - [select for diffs], Mon Feb 20 17:19:54 2006 UTC (18 years, 2 months ago) by stevesk
Branch: MAIN
CVS Tags: OPENBSD_3_9_BASE
Branch point for: OPENBSD_3_9
Changes since 1.9: +4 -1 lines
Diff to previous 1.9 (colored)

move #include <sys/stat.h> out of includes.h; ok markus@

Revision 1.6.2.2 / (download) - annotate - [select for diffs], Thu Mar 10 17:15:04 2005 UTC (19 years, 2 months ago) by brad
Branch: OPENBSD_3_5
Changes since 1.6.2.1: +6 -4 lines
Diff to previous 1.6.2.1 (colored) to branchpoint 1.6 (colored) next main 1.7 (colored)

upgrade to OpenSSH 4.0

Revision 1.7.2.1 / (download) - annotate - [select for diffs], Thu Mar 10 16:28:27 2005 UTC (19 years, 2 months ago) by brad
Branch: OPENBSD_3_6
Changes since 1.7: +6 -4 lines
Diff to previous 1.7 (colored) next main 1.8 (colored)

upgrade to OpenSSH 4.0

Revision 1.9 / (download) - annotate - [select for diffs], Sat Dec 11 01:48:56 2004 UTC (19 years, 5 months ago) by dtucker
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE, OPENBSD_3_7_BASE, OPENBSD_3_7
Branch point for: OPENBSD_3_8
Changes since 1.8: +2 -1 lines
Diff to previous 1.8 (colored)

Fix debug call in error path of authorized_keys processing and fix related
warnings; ok djm@

Revision 1.8 / (download) - annotate - [select for diffs], Mon Dec 6 11:41:03 2004 UTC (19 years, 5 months ago) by dtucker
Branch: MAIN
Changes since 1.7: +5 -4 lines
Diff to previous 1.7 (colored)

Discard over-length authorized_keys entries rather than complaining when
they don't decode.  bz #884, with & ok djm@

Revision 1.4.2.2 / (download) - annotate - [select for diffs], Thu Aug 19 22:37:30 2004 UTC (19 years, 9 months ago) by brad
Branch: OPENBSD_3_4
Changes since 1.4.2.1: +4 -4 lines
Diff to previous 1.4.2.1 (colored) to branchpoint 1.4 (colored) next main 1.5 (colored)

upgrade to OpenSSH 3.9

Revision 1.6.2.1 / (download) - annotate - [select for diffs], Thu Aug 19 04:13:26 2004 UTC (19 years, 9 months ago) by brad
Branch: OPENBSD_3_5
Changes since 1.6: +4 -4 lines
Diff to previous 1.6 (colored)

upgrade to OpenSSH 3.9

Revision 1.7 / (download) - annotate - [select for diffs], Mon Jun 21 17:36:31 2004 UTC (19 years, 10 months ago) by avsm
Branch: MAIN
CVS Tags: OPENBSD_3_6_BASE
Branch point for: OPENBSD_3_6
Changes since 1.6: +4 -4 lines
Diff to previous 1.6 (colored)

make ssh -Wshadow clean, no functional changes
markus@ ok

Revision 1.2.8.2 / (download) - annotate - [select for diffs], Thu Mar 4 18:18:15 2004 UTC (20 years, 2 months ago) by brad
Branch: OPENBSD_3_3
Changes since 1.2.8.1: +3 -6 lines
Diff to previous 1.2.8.1 (colored) to branchpoint 1.2 (colored) next main 1.3 (colored)

upgrade to OpenSSH 3.8

Revision 1.4.2.1 / (download) - annotate - [select for diffs], Sat Feb 28 03:51:32 2004 UTC (20 years, 2 months ago) by brad
Branch: OPENBSD_3_4
Changes since 1.4: +3 -6 lines
Diff to previous 1.4 (colored)

upgrade to OpenSSH 3.8

Revision 1.6 / (download) - annotate - [select for diffs], Mon Jan 19 21:25:15 2004 UTC (20 years, 4 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_3_5_BASE
Branch point for: OPENBSD_3_5
Changes since 1.5: +3 -3 lines
Diff to previous 1.5 (colored)

fix mem leaks; some fixes from Pete Flugstad; tested dtucker@

Revision 1.5 / (download) - annotate - [select for diffs], Tue Nov 4 08:54:09 2003 UTC (20 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.4: +1 -4 lines
Diff to previous 1.4 (colored)

standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather than pw != NULL; ok markus@

Revision 1.2.6.1 / (download) - annotate - [select for diffs], Tue Sep 16 21:20:24 2003 UTC (20 years, 8 months ago) by brad
Branch: OPENBSD_3_2
Changes since 1.2: +4 -4 lines
Diff to previous 1.2 (colored) next main 1.3 (colored)

upgrade to OpenSSH 3.7

Revision 1.2.8.1 / (download) - annotate - [select for diffs], Tue Sep 16 20:50:42 2003 UTC (20 years, 8 months ago) by brad
Branch: OPENBSD_3_3
Changes since 1.2: +4 -4 lines
Diff to previous 1.2 (colored)

upgrade to OpenSSH 3.7

Revision 1.4 / (download) - annotate - [select for diffs], Tue Jun 24 08:23:46 2003 UTC (20 years, 10 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_3_4_BASE
Branch point for: OPENBSD_3_4
Changes since 1.3: +2 -2 lines
Diff to previous 1.3 (colored)

int -> u_int; ok djm@, deraadt@, mouring@

Revision 1.3 / (download) - annotate - [select for diffs], Tue Apr 8 20:21:28 2003 UTC (21 years, 1 month ago) by itojun
Branch: MAIN
Changes since 1.2: +3 -3 lines
Diff to previous 1.2 (colored)

rename log() into logit() to avoid name conflict.  markus ok, from netbsd

Revision 1.2.4.1 / (download) - annotate - [select for diffs], Wed Jun 26 15:52:13 2002 UTC (21 years, 10 months ago) by jason
Branch: OPENBSD_3_1
Changes since 1.2: +1 -1 lines
Diff to previous 1.2 (colored) next main 1.3 (colored)

More missing files in 3.4 merge

Revision 1.2.2.1 / (download) - annotate - [select for diffs], Sat Jun 22 07:23:16 2002 UTC (21 years, 11 months ago) by miod
Branch: OPENBSD_3_0
Changes since 1.2: +1 -1 lines
Diff to previous 1.2 (colored) next main 1.3 (colored)

Update OpenSSH to version 3.3 (with local changes, configuration files still
living in /etc and privsep user being nobody).

Revision 1.2 / (download) - annotate - [select for diffs], Fri May 31 11:35:15 2002 UTC (21 years, 11 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_3_3_BASE, OPENBSD_3_2_BASE
Branch point for: OPENBSD_3_3, OPENBSD_3_2, OPENBSD_3_1, OPENBSD_3_0
Changes since 1.1: +8 -2 lines
Diff to previous 1.1 (colored)

move Authmethod definitions to per-method file.

Revision 1.1 / (download) - annotate - [select for diffs], Sat May 25 18:51:07 2002 UTC (21 years, 11 months ago) by markus
Branch: MAIN

split auth2.c into one file per method; ok provos@/deraadt@
