![[BACK]](/icons/back.gif){kind=icon}
Up to [local] / src / usr.bin / ssh
Request diff between arbitrary revisions
Default branch: MAIN
Revision 1.123 / (download) - annotate - [select for diffs], Fri May 17 00:30:23 2024 UTC (2 hours, 48 minutes ago) by djm
Branch: MAIN
CVS Tags: HEAD
Changes since 1.122: +7 -2 lines
Diff to previous 1.122 (colored)
Start the process of splitting sshd into separate binaries. This step splits sshd into a listener and a session binary. More splits are planned. After this changes, the listener binary will validate the configuration, load the hostkeys, listen on port 22 and manage MaxStartups only. All session handling will be performed by a new sshd-session binary that the listener fork+execs. This reduces the listener process to the minimum necessary and sets us up for future work on the sshd-session binary. feedback/ok markus@ deraadt@ NB. if you're updating via source, please restart sshd after installing, otherwise you run the risk of locking yourself out.
Revision 1.122 / (download) - annotate - [select for diffs], Fri Feb 2 00:13:34 2024 UTC (3 months, 1 week ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE,
OPENBSD_7_5
Changes since 1.121: +5 -5 lines
Diff to previous 1.121 (colored)
whitespace
Revision 1.118.4.1 / (download) - annotate - [select for diffs], Mon Dec 18 14:57:43 2023 UTC (4 months, 4 weeks ago) by bluhm
Branch: OPENBSD_7_3
Changes since 1.118: +2 -1 lines
Diff to previous 1.118 (colored) next main 1.119 (colored)
implement "strict key exchange" in ssh and sshd This adds a protocol extension to improve the integrity of the SSH transport protocol, particular in and around the initial key exchange (KEX) phase. Full details of the extension are in the PROTOCOL file. from djm@; with markus@ this is errata/7.3/024_ssh.patch.sig
Revision 1.119.2.1 / (download) - annotate - [select for diffs], Mon Dec 18 14:56:35 2023 UTC (4 months, 4 weeks ago) by bluhm
Branch: OPENBSD_7_4
Changes since 1.119: +2 -1 lines
Diff to previous 1.119 (colored) next main 1.120 (colored)
implement "strict key exchange" in ssh and sshd This adds a protocol extension to improve the integrity of the SSH transport protocol, particular in and around the initial key exchange (KEX) phase. Full details of the extension are in the PROTOCOL file. from djm@; with markus@ this is errata/7.4/011_ssh.patch.sig
Revision 1.121 / (download) - annotate - [select for diffs], Mon Dec 18 14:45:49 2023 UTC (4 months, 4 weeks ago) by djm
Branch: MAIN
Changes since 1.120: +6 -1 lines
Diff to previous 1.120 (colored)
add "ext-info-in-auth@openssh.com" extension This adds another transport protocol extension to allow a sshd to send SSH2_MSG_EXT_INFO during user authentication, after the server has learned the username that is being logged in to. This lets sshd to update the acceptable signature algoritms for public key authentication, and allows these to be varied via sshd_config(5) "Match" directives, which are evaluated after the server learns the username being authenticated. Full details in the PROTOCOL file
Revision 1.120 / (download) - annotate - [select for diffs], Mon Dec 18 14:45:17 2023 UTC (4 months, 4 weeks ago) by djm
Branch: MAIN
Changes since 1.119: +2 -1 lines
Diff to previous 1.119 (colored)
implement "strict key exchange" in ssh and sshd This adds a protocol extension to improve the integrity of the SSH transport protocol, particular in and around the initial key exchange (KEX) phase. Full details of the extension are in the PROTOCOL file. with markus@
Revision 1.119 / (download) - annotate - [select for diffs], Mon Aug 28 03:28:43 2023 UTC (8 months, 2 weeks ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE
Branch point for: OPENBSD_7_4
Changes since 1.118: +2 -1 lines
Diff to previous 1.118 (colored)
Introduce a transport-level ping facility This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to implement a ping capability. These messages use numbers in the "local extensions" number space and are advertised using a "ping@openssh.com" ext-info message with a string version number of "0". ok markus@
Revision 1.118 / (download) - annotate - [select for diffs], Mon Mar 6 12:14:48 2023 UTC (14 months, 1 week ago) by dtucker
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE
Branch point for: OPENBSD_7_3
Changes since 1.117: +4 -1 lines
Diff to previous 1.117 (colored)
Refactor creation of KEX proposal. This adds kex_proposal_populate_entries (and corresponding free) which populates the KEX proposal array with dynamically allocated strings. This replaces the previous mix of static and dynamic that has been the source of previous leaks and bugs. Remove unused compat functions. With & ok djm@.
Revision 1.117 / (download) - annotate - [select for diffs], Thu Jan 6 21:55:23 2022 UTC (2 years, 4 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE,
OPENBSD_7_2,
OPENBSD_7_1_BASE,
OPENBSD_7_1
Changes since 1.116: +3 -1 lines
Diff to previous 1.116 (colored)
Fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375 Mostly by Dmitry Belyavskiy with some tweaks by me. ok markus@
Revision 1.116 / (download) - annotate - [select for diffs], Sun Dec 19 22:12:54 2021 UTC (2 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.115: +5 -3 lines
Diff to previous 1.115 (colored)
client side of host-bound pubkey authentication Add kex->flags member to enable the publickey-hostbound-v00@openssh.com authentication method. Use the new hostbound method in client if the kex->flags flag was set, and include the inital KEX hostkey in the userauth request. Note: nothing in kex.c actually sets the new flag yet ok markus@
Revision 1.115 / (download) - annotate - [select for diffs], Sun Dec 19 22:08:06 2021 UTC (2 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.114: +4 -1 lines
Diff to previous 1.114 (colored)
Record session ID, host key and sig at intital KEX These will be used later for agent session ID / hostkey binding ok markus@
Revision 1.114 / (download) - annotate - [select for diffs], Sun Jan 31 22:55:29 2021 UTC (3 years, 3 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE,
OPENBSD_7_0,
OPENBSD_6_9_BASE,
OPENBSD_6_9
Changes since 1.113: +2 -1 lines
Diff to previous 1.113 (colored)
more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via oss-fuzz #30078). ok markus@
Revision 1.113 / (download) - annotate - [select for diffs], Wed Jan 27 10:05:28 2021 UTC (3 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.112: +2 -3 lines
Diff to previous 1.112 (colored)
make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
Revision 1.112 / (download) - annotate - [select for diffs], Tue Dec 29 00:59:15 2020 UTC (3 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.111: +7 -7 lines
Diff to previous 1.111 (colored)
Update/replace the experimental post-quantim hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519). The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761. The sntrup761 implementaion, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html). Thanks for Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself (note this both the updated method and the one that it replaced are disabled by default)
Revision 1.111 / (download) - annotate - [select for diffs], Wed Oct 7 02:22:23 2020 UTC (3 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.110: +3 -5 lines
Diff to previous 1.110 (colored)
revert kex->flags cert hostkey downgrade back to a plain key (commitid VtF8vozGOF8DMKVg). We now do this a simpler way that needs less plumbing. ok markus@
Revision 1.110 / (download) - annotate - [select for diffs], Sat Oct 3 08:11:28 2020 UTC (3 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.109: +5 -3 lines
Diff to previous 1.109 (colored)
record when the host key checking code downgrades a certificate host key to a plain key. This occurs when the user connects to a host with a certificate host key but no corresponding CA key configured in known_hosts; feedback and ok markus@
Revision 1.109 / (download) - annotate - [select for diffs], Fri Sep 6 05:23:55 2019 UTC (4 years, 8 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE,
OPENBSD_6_8,
OPENBSD_6_7_BASE,
OPENBSD_6_7,
OPENBSD_6_6_BASE,
OPENBSD_6_6
Changes since 1.108: +13 -1 lines
Diff to previous 1.108 (colored)
fixes for !WITH_OPENSSL compilation; ok dtucker@
Revision 1.108 / (download) - annotate - [select for diffs], Fri Sep 6 03:30:42 2019 UTC (4 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.107: +1 -5 lines
Diff to previous 1.107 (colored)
remove leakmalloc reference; we used this early when refactoring but not since
Revision 1.107 / (download) - annotate - [select for diffs], Wed Jan 23 00:30:41 2019 UTC (5 years, 3 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE,
OPENBSD_6_5
Changes since 1.106: +2 -2 lines
Diff to previous 1.106 (colored)
pass most arguments to the KEX hash functions as sshbuf rather than pointer+length; ok markus@
Revision 1.106 / (download) - annotate - [select for diffs], Mon Jan 21 10:40:11 2019 UTC (5 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.105: +2 -2 lines
Diff to previous 1.105 (colored)
rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen from markus@ ok djm@
Revision 1.105 / (download) - annotate - [select for diffs], Mon Jan 21 10:38:54 2019 UTC (5 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.104: +3 -14 lines
Diff to previous 1.104 (colored)
merge kexkem[cs] into kexgen from markus@ ok djm@
Revision 1.104 / (download) - annotate - [select for diffs], Mon Jan 21 10:35:09 2019 UTC (5 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.103: +11 -11 lines
Diff to previous 1.103 (colored)
pass values used in KEX hash computation as sshbuf rather than pointer+len suggested by me; implemented by markus@ ok me
Revision 1.103 / (download) - annotate - [select for diffs], Mon Jan 21 10:33:49 2019 UTC (5 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.102: +1 -2 lines
Diff to previous 1.102 (colored)
remove kex_derive_keys_bn wrapper; no unused since the DH-like KEX methods have moved to KEM from markus@ ok djm@
Revision 1.102 / (download) - annotate - [select for diffs], Mon Jan 21 10:29:56 2019 UTC (5 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.101: +6 -6 lines
Diff to previous 1.101 (colored)
use KEM API for vanilla ECDH from markus@ ok djm@
Revision 1.101 / (download) - annotate - [select for diffs], Mon Jan 21 10:28:01 2019 UTC (5 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.100: +6 -4 lines
Diff to previous 1.100 (colored)
use KEM API for vanilla DH KEX from markus@ ok djm@
Revision 1.100 / (download) - annotate - [select for diffs], Mon Jan 21 10:24:09 2019 UTC (5 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.99: +6 -1 lines
Diff to previous 1.99 (colored)
use KEM API for vanilla c25519 KEX
Revision 1.99 / (download) - annotate - [select for diffs], Mon Jan 21 10:20:12 2019 UTC (5 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.98: +21 -4 lines
Diff to previous 1.98 (colored)
Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default. introduce KEM API; a simplified framework for DH-ish KEX methods. from markus@ feedback & ok djm@
Revision 1.98 / (download) - annotate - [select for diffs], Mon Jan 21 10:07:22 2019 UTC (5 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.97: +2 -1 lines
Diff to previous 1.97 (colored)
factor out kex_verify_hostkey() - again, duplicated almost exactly across client and server for several KEX methods. from markus@ ok djm@
Revision 1.97 / (download) - annotate - [select for diffs], Mon Jan 21 10:05:09 2019 UTC (5 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.96: +2 -1 lines
Diff to previous 1.96 (colored)
factor out kex_load_hostkey() - this is duplicated in both the client and server implementations for most KEX methods. from markus@ ok djm@
Revision 1.96 / (download) - annotate - [select for diffs], Mon Jan 21 10:03:37 2019 UTC (5 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.95: +4 -3 lines
Diff to previous 1.95 (colored)
factor out kex_dh_compute_key() - it's shared between plain DH KEX and DH GEX in both the client and server implementations from markus@ ok djm@
Revision 1.95 / (download) - annotate - [select for diffs], Mon Jan 21 10:00:23 2019 UTC (5 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.94: +2 -1 lines
Diff to previous 1.94 (colored)
factor out DH keygen; it's identical between the client and the server from markus@ ok djm@
Revision 1.94 / (download) - annotate - [select for diffs], Sat Jan 19 21:43:56 2019 UTC (5 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.93: +3 -3 lines
Diff to previous 1.93 (colored)
remove last references to active_state with & ok markus@
Revision 1.93 / (download) - annotate - [select for diffs], Thu Dec 27 03:25:25 2018 UTC (5 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.92: +12 -8 lines
Diff to previous 1.92 (colored)
move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server. Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn). Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
Revision 1.92 / (download) - annotate - [select for diffs], Fri Dec 7 03:39:40 2018 UTC (5 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.91: +2 -1 lines
Diff to previous 1.91 (colored)
only consider the ext-info-c extension during the initial KEX. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. Reported by Jakub Jelen via bz2929; ok dtucker@
Revision 1.91 / (download) - annotate - [select for diffs], Wed Jul 11 18:53:29 2018 UTC (5 years, 10 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE,
OPENBSD_6_4
Changes since 1.90: +1 -2 lines
Diff to previous 1.90 (colored)
remove legacy key emulation layer; ok djm@
Revision 1.90 / (download) - annotate - [select for diffs], Tue Jul 10 09:36:58 2018 UTC (5 years, 10 months ago) by sf
Branch: MAIN
Changes since 1.89: +2 -1 lines
Diff to previous 1.89 (colored)
re-remove some pre-auth compression bits This time, make sure to not remove things that are necessary for pre-auth compression on the client. Add a comment that pre-auth compression is still supported in the client. ok markus@
Revision 1.89 / (download) - annotate - [select for diffs], Mon Jul 9 21:56:06 2018 UTC (5 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.88: +1 -2 lines
Diff to previous 1.88 (colored)
remove legacy buffer API emulation layer; ok djm@
Revision 1.88 / (download) - annotate - [select for diffs], Mon Jul 9 13:37:10 2018 UTC (5 years, 10 months ago) by sf
Branch: MAIN
Changes since 1.87: +2 -1 lines
Diff to previous 1.87 (colored)
Revert previous two commits It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits: date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB Only delayed compression is supported nowadays. ok markus@ date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit. ok markus@
Revision 1.87 / (download) - annotate - [select for diffs], Fri Jul 6 09:06:14 2018 UTC (5 years, 10 months ago) by sf
Branch: MAIN
Changes since 1.86: +2 -2 lines
Diff to previous 1.86 (colored)
Rename COMP_DELAYED to COMP_ZLIB Only delayed compression is supported nowadays. ok markus@
Revision 1.86 / (download) - annotate - [select for diffs], Fri Jul 6 09:05:01 2018 UTC (5 years, 10 months ago) by sf
Branch: MAIN
Changes since 1.85: +2 -3 lines
Diff to previous 1.85 (colored)
Remove leftovers from pre-authentication compression Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit. ok markus@
Revision 1.85 / (download) - annotate - [select for diffs], Wed Jul 4 13:49:31 2018 UTC (5 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.84: +2 -2 lines
Diff to previous 1.84 (colored)
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work - returns ability to add/remove/specify algorithms by wildcard. Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected. Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation. (lots of) feedback, ok markus@
Revision 1.84 / (download) - annotate - [select for diffs], Tue Jul 3 11:39:54 2018 UTC (5 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.83: +2 -2 lines
Diff to previous 1.83 (colored)
Improve strictness and control over RSA-SHA2 signature types: In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself. In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature. Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2. Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys. feedback and ok markus@
Revision 1.83 / (download) - annotate - [select for diffs], Tue May 30 14:23:52 2017 UTC (6 years, 11 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE,
OPENBSD_6_3,
OPENBSD_6_2_BASE,
OPENBSD_6_2
Changes since 1.82: +3 -3 lines
Diff to previous 1.82 (colored)
protocol handlers all get struct ssh passed; ok djm@
Revision 1.82 / (download) - annotate - [select for diffs], Wed May 3 21:08:09 2017 UTC (7 years ago) by naddy
Branch: MAIN
Changes since 1.81: +1 -4 lines
Diff to previous 1.81 (colored)
remove miscellaneous SSH1 leftovers; ok markus@
Revision 1.81 / (download) - annotate - [select for diffs], Wed Sep 28 21:44:52 2016 UTC (7 years, 7 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE,
OPENBSD_6_1
Changes since 1.80: +3 -2 lines
Diff to previous 1.80 (colored)
put back some pre-auth zlib bits that I shouldn't have removed - they are still used by the client. Spotted by naddy@
Revision 1.80 / (download) - annotate - [select for diffs], Wed Sep 28 20:32:42 2016 UTC (7 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.79: +2 -3 lines
Diff to previous 1.79 (colored)
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only. remove a few server-side pre-auth compression bits that escaped adjust wording of Compression directive in sshd_config(5) pointed out by naddy@ ok markus@
Revision 1.79 / (download) - annotate - [select for diffs], Thu Sep 22 21:15:41 2016 UTC (7 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.78: +13 -12 lines
Diff to previous 1.78 (colored)
missing bit from previous commit
Revision 1.78 / (download) - annotate - [select for diffs], Mon May 2 10:26:04 2016 UTC (8 years ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE,
OPENBSD_6_0
Changes since 1.77: +9 -3 lines
Diff to previous 1.77 (colored)
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03 diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group) based on patch from Mark D. Baushke and Darren Tucker ok markus@
Revision 1.77 / (download) - annotate - [select for diffs], Mon May 2 08:49:03 2016 UTC (8 years ago) by djm
Branch: MAIN
Changes since 1.76: +4 -3 lines
Diff to previous 1.76 (colored)
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
Revision 1.76 / (download) - annotate - [select for diffs], Mon Feb 8 10:57:07 2016 UTC (8 years, 3 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_5_9_BASE,
OPENBSD_5_9
Changes since 1.75: +2 -1 lines
Diff to previous 1.75 (colored)
refactor activation of rekeying This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing to it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves. Based on a patch from dtucker@ which was in turn based on a patch Aleksander Adamowski in bz#2521; ok markus@
Revision 1.75 / (download) - annotate - [select for diffs], Thu Jan 14 16:17:39 2016 UTC (8 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.74: +1 -3 lines
Diff to previous 1.74 (colored)
remove roaming support; ok djm@
Revision 1.74 / (download) - annotate - [select for diffs], Fri Dec 4 16:41:28 2015 UTC (8 years, 5 months ago) by markus
Branch: MAIN
Changes since 1.73: +7 -3 lines
Diff to previous 1.73 (colored)
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@
Revision 1.73 / (download) - annotate - [select for diffs], Thu Jul 30 00:01:34 2015 UTC (8 years, 9 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE,
OPENBSD_5_8
Changes since 1.72: +3 -1 lines
Diff to previous 1.72 (colored)
Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it. approach suggested by dtucker@, feedback dlg@, ok markus@
Revision 1.72 / (download) - annotate - [select for diffs], Wed Jul 29 04:43:06 2015 UTC (8 years, 9 months ago) by djm
Branch: MAIN
Changes since 1.71: +2 -1 lines
Diff to previous 1.71 (colored)
include the peer's offer when logging a failure to negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
Revision 1.71 / (download) - annotate - [select for diffs], Mon Feb 16 22:13:32 2015 UTC (9 years, 3 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE,
OPENBSD_5_7
Changes since 1.70: +3 -3 lines
Diff to previous 1.70 (colored)
Revise hostkeys@openssh.com hostkey learning extension. The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client. Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered. ok markus@
Revision 1.70 / (download) - annotate - [select for diffs], Mon Jan 26 06:10:03 2015 UTC (9 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.69: +4 -3 lines
Diff to previous 1.69 (colored)
correctly match ECDSA subtype (== curve) for offered/recevied host keys. Fixes connection-killing host key mismatches when a server offers multiple ECDSA keys with different curve type (an extremely unlikely configuration). ok markus, "looks mechanical" deraadt@
Revision 1.69 / (download) - annotate - [select for diffs], Mon Jan 19 20:16:15 2015 UTC (9 years, 3 months ago) by markus
Branch: MAIN
Changes since 1.68: +71 -52 lines
Diff to previous 1.68 (colored)
adapt kex to sshbuf and struct ssh; ok djm@
Revision 1.68 / (download) - annotate - [select for diffs], Mon Jan 19 20:07:45 2015 UTC (9 years, 3 months ago) by markus
Branch: MAIN
Changes since 1.67: +2 -2 lines
Diff to previous 1.67 (colored)
move dispatch to struct ssh; ok djm@
Revision 1.67 / (download) - annotate - [select for diffs], Mon Jan 19 19:52:16 2015 UTC (9 years, 3 months ago) by markus
Branch: MAIN
Changes since 1.66: +19 -20 lines
Diff to previous 1.66 (colored)
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
Revision 1.66 / (download) - annotate - [select for diffs], Thu Jan 15 09:40:00 2015 UTC (9 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.65: +3 -1 lines
Diff to previous 1.65 (colored)
sync ssh-keysign, ssh-keygen and some dependencies to the new buffer/key API; mostly mechanical, ok markus@
Revision 1.65 / (download) - annotate - [select for diffs], Tue Jan 13 19:31:40 2015 UTC (9 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.64: +3 -16 lines
Diff to previous 1.64 (colored)
adapt mac.c to ssherr.h return codes (de-fatal) and simplify dependencies ok djm@
Revision 1.64 / (download) - annotate - [select for diffs], Fri May 2 03:27:54 2014 UTC (10 years ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE,
OPENBSD_5_6
Changes since 1.63: +4 -4 lines
Diff to previous 1.63 (colored)
revert __bounded change; it causes way more problems for portable than it solves; pointed out by dtucker@
Revision 1.63 / (download) - annotate - [select for diffs], Wed Mar 26 04:55:35 2014 UTC (10 years, 1 month ago) by djm
Branch: MAIN
Changes since 1.62: +5 -5 lines
Diff to previous 1.62 (colored)
use __bounded(...) attribute recently added to sys/cdefs.h instead of longform __attribute__(__bounded(...)); for brevity and a warning free compilation with llvm/clan
Revision 1.62 / (download) - annotate - [select for diffs], Mon Jan 27 18:58:14 2014 UTC (10 years, 3 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE,
OPENBSD_5_5
Changes since 1.61: +3 -4 lines
Diff to previous 1.61 (colored)
replace openssl HMAC with an implementation based on our ssh_digest_* ok and feedback djm@
Revision 1.61 / (download) - annotate - [select for diffs], Sat Jan 25 10:12:50 2014 UTC (10 years, 3 months ago) by dtucker
Branch: MAIN
Changes since 1.60: +2 -1 lines
Diff to previous 1.60 (colored)
Add a special case for the DH group size for 3des-cbc, which has an effective strength much lower than the key size. This causes problems with some cryptlib implementations, which don't support group sizes larger than 4k but also don't use the largest group size it does support as specified in the RFC. Based on a patch from Petr Lautrbach at Redhat, reduced by me with input from Markus. ok djm@ markus@
Revision 1.60 / (download) - annotate - [select for diffs], Sun Jan 12 08:13:13 2014 UTC (10 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.59: +6 -5 lines
Diff to previous 1.59 (colored)
avoid use of OpenSSL BIGNUM type and functions for KEX with Curve25519 by adding a buffer_put_bignum2_from_string() that stores a string using the bignum encoding rules. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in the future; ok markus@
Revision 1.59 / (download) - annotate - [select for diffs], Thu Jan 9 23:20:00 2014 UTC (10 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.58: +5 -5 lines
Diff to previous 1.58 (colored)
Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
Revision 1.58 / (download) - annotate - [select for diffs], Thu Nov 7 11:58:27 2013 UTC (10 years, 6 months ago) by dtucker
Branch: MAIN
Changes since 1.57: +2 -2 lines
Diff to previous 1.57 (colored)
Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
Revision 1.57 / (download) - annotate - [select for diffs], Sat Nov 2 21:59:15 2013 UTC (10 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.56: +18 -1 lines
Diff to previous 1.56 (colored)
use curve25519 for default key exchange (curve25519-sha256@libssh.org); initial patch from Aris Adamantiadis; ok djm@
Revision 1.56 / (download) - annotate - [select for diffs], Fri Jul 19 07:37:48 2013 UTC (10 years, 10 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE,
OPENBSD_5_4
Changes since 1.55: +2 -1 lines
Diff to previous 1.55 (colored)
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
Revision 1.55 / (download) - annotate - [select for diffs], Fri Apr 19 01:06:50 2013 UTC (11 years, 1 month ago) by djm
Branch: MAIN
Changes since 1.54: +7 -7 lines
Diff to previous 1.54 (colored)
add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
Revision 1.54 / (download) - annotate - [select for diffs], Tue Jan 8 18:49:04 2013 UTC (11 years, 4 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE,
OPENBSD_5_3
Changes since 1.53: +2 -1 lines
Diff to previous 1.53 (colored)
support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
Revision 1.53 / (download) - annotate - [select for diffs], Tue Dec 11 22:31:18 2012 UTC (11 years, 5 months ago) by markus
Branch: MAIN
Changes since 1.52: +2 -1 lines
Diff to previous 1.52 (colored)
add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
Revision 1.52 / (download) - annotate - [select for diffs], Wed Sep 22 05:01:29 2010 UTC (13 years, 7 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE,
OPENBSD_5_2,
OPENBSD_5_1_BASE,
OPENBSD_5_1,
OPENBSD_5_0_BASE,
OPENBSD_5_0,
OPENBSD_4_9_BASE,
OPENBSD_4_9
Changes since 1.51: +3 -1 lines
Diff to previous 1.51 (colored)
add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference. ok markus@
Revision 1.51 / (download) - annotate - [select for diffs], Thu Sep 9 10:45:45 2010 UTC (13 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.50: +3 -2 lines
Diff to previous 1.50 (colored)
ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases. This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client. ok naddy@
Revision 1.50 / (download) - annotate - [select for diffs], Tue Aug 31 11:54:45 2010 UTC (13 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.49: +14 -2 lines
Diff to previous 1.49 (colored)
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented). Certificate host and user keys using the new ECDSA key types are supported. Note that this code has not been tested for interoperability and may be subject to change. feedback and ok markus@
Revision 1.49 / (download) - annotate - [select for diffs], Fri Feb 26 20:29:54 2010 UTC (14 years, 2 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE,
OPENBSD_4_8,
OPENBSD_4_7_BASE,
OPENBSD_4_7
Changes since 1.48: +3 -2 lines
Diff to previous 1.48 (colored)
Add support for certificate key types for users and hosts. OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy. Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details. Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details. Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys feedback and ok markus@
Revision 1.48 / (download) - annotate - [select for diffs], Sat Oct 24 11:13:54 2009 UTC (14 years, 6 months ago) by andreas
Branch: MAIN
Changes since 1.47: +3 -1 lines
Diff to previous 1.47 (colored)
Let the client detect if the server supports roaming by looking for the resume@appgate.com kex algorithm. ok markus@
Revision 1.47 / (download) - annotate - [select for diffs], Wed May 27 06:34:36 2009 UTC (14 years, 11 months ago) by andreas
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE,
OPENBSD_4_6
Changes since 1.46: +3 -1 lines
Diff to previous 1.46 (colored)
Move the KEX_COOKIE_LEN define to kex.h ok markus@
Revision 1.46 / (download) - annotate - [select for diffs], Thu Jun 7 19:37:34 2007 UTC (16 years, 11 months ago) by pvalchev
Branch: MAIN
CVS Tags: OPENBSD_4_5_BASE,
OPENBSD_4_5,
OPENBSD_4_4_BASE,
OPENBSD_4_4,
OPENBSD_4_3_BASE,
OPENBSD_4_3,
OPENBSD_4_2_BASE,
OPENBSD_4_2
Changes since 1.45: +5 -3 lines
Diff to previous 1.45 (colored)
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt in conjunction with and OK djm@
Revision 1.45 / (download) - annotate - [select for diffs], Tue Jun 5 06:52:37 2007 UTC (16 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.44: +3 -1 lines
Diff to previous 1.44 (colored)
Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5 patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)
Revision 1.37.2.2 / (download) - annotate - [select for diffs], Fri Oct 6 03:19:32 2006 UTC (17 years, 7 months ago) by brad
Branch: OPENBSD_3_8
Changes since 1.37.2.1: +5 -6 lines
Diff to previous 1.37.2.1 (colored) to branchpoint 1.37 (colored) next main 1.38 (colored)
upgrade to OpenSSH 4.4
Revision 1.38.2.1 / (download) - annotate - [select for diffs], Sat Sep 30 04:06:50 2006 UTC (17 years, 7 months ago) by brad
Branch: OPENBSD_3_9
Changes since 1.38: +5 -6 lines
Diff to previous 1.38 (colored) next main 1.39 (colored)
upgrade to OpenSSH 4.4
Revision 1.44 / (download) - annotate - [select for diffs], Thu Aug 3 03:34:42 2006 UTC (17 years, 9 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_4_1_BASE,
OPENBSD_4_1,
OPENBSD_4_0_BASE,
OPENBSD_4_0
Changes since 1.43: +1 -7 lines
Diff to previous 1.43 (colored)
almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step
Revision 1.43 / (download) - annotate - [select for diffs], Sun Jul 23 01:11:05 2006 UTC (17 years, 9 months ago) by stevesk
Branch: MAIN
Changes since 1.42: +4 -1 lines
Diff to previous 1.42 (colored)
#include <signal.h> for sig_atomic_t; need this prior to <sys/param.h> move
Revision 1.42 / (download) - annotate - [select for diffs], Thu Apr 20 09:27:09 2006 UTC (18 years, 1 month ago) by djm
Branch: MAIN
Changes since 1.41: +2 -2 lines
Diff to previous 1.41 (colored)
replace the last non-sig_atomic_t flag used in a signal handler with a sig_atomic_t, unfortunately with some knock-on effects in other (non- signal) contexts in which it is used; ok markus@
Revision 1.41 / (download) - annotate - [select for diffs], Sat Mar 25 22:22:43 2006 UTC (18 years, 1 month ago) by djm
Branch: MAIN
Changes since 1.40: +1 -1 lines
Diff to previous 1.40 (colored)
standardise spacing in $OpenBSD$ tags; requested by deraadt@
Revision 1.40 / (download) - annotate - [select for diffs], Sun Mar 19 18:53:12 2006 UTC (18 years, 2 months ago) by deraadt
Branch: MAIN
Changes since 1.39: +2 -2 lines
Diff to previous 1.39 (colored)
spacing
Revision 1.39 / (download) - annotate - [select for diffs], Tue Mar 7 09:07:40 2006 UTC (18 years, 2 months ago) by djm
Branch: MAIN
Changes since 1.38: +3 -1 lines
Diff to previous 1.38 (colored)
Implement the diffie-hellman-group-exchange-sha256 key exchange method using the SHA256 code in libc (and wrapper to make it into an OpenSSL EVP), interop tested against CVS PuTTY
Revision 1.37.2.1 / (download) - annotate - [select for diffs], Fri Feb 3 03:01:56 2006 UTC (18 years, 3 months ago) by brad
Branch: OPENBSD_3_8
Changes since 1.37: +12 -10 lines
Diff to previous 1.37 (colored)
upgrade to OpenSSH 4.3
Revision 1.35.4.2 / (download) - annotate - [select for diffs], Fri Feb 3 02:53:44 2006 UTC (18 years, 3 months ago) by brad
Branch: OPENBSD_3_7
Changes since 1.35.4.1: +12 -10 lines
Diff to previous 1.35.4.1 (colored) to branchpoint 1.35 (colored) next main 1.36 (colored)
upgrade to OpenSSH 4.3
Revision 1.38 / (download) - annotate - [select for diffs], Fri Nov 4 05:15:59 2005 UTC (18 years, 6 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_3_9_BASE
Branch point for: OPENBSD_3_9
Changes since 1.37: +12 -10 lines
Diff to previous 1.37 (colored)
remove hardcoded hash lengths in key exchange code, allowing implementation of KEX methods with different hashes (e.g. SHA-256); ok markus@ dtucker@ stevesk@
Revision 1.35.4.1 / (download) - annotate - [select for diffs], Sun Sep 4 18:40:02 2005 UTC (18 years, 8 months ago) by brad
Branch: OPENBSD_3_7
Changes since 1.35: +8 -4 lines
Diff to previous 1.35 (colored)
upgrade to OpenSSH 4.2
Revision 1.35.2.1 / (download) - annotate - [select for diffs], Fri Sep 2 03:45:00 2005 UTC (18 years, 8 months ago) by brad
Branch: OPENBSD_3_6
Changes since 1.35: +8 -4 lines
Diff to previous 1.35 (colored) next main 1.36 (colored)
upgrade to OpenSSH 4.2
Revision 1.37 / (download) - annotate - [select for diffs], Mon Jul 25 11:59:39 2005 UTC (18 years, 9 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE
Branch point for: OPENBSD_3_8
Changes since 1.36: +5 -1 lines
Diff to previous 1.36 (colored)
add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd. this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
Revision 1.36 / (download) - annotate - [select for diffs], Fri Jun 17 02:44:32 2005 UTC (18 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.35: +4 -4 lines
Diff to previous 1.35 (colored)
make this -Wsign-compare clean; ok avsm@ markus@
Revision 1.33.4.1 / (download) - annotate - [select for diffs], Thu Aug 19 22:37:31 2004 UTC (19 years, 9 months ago) by brad
Branch: OPENBSD_3_4
Changes since 1.33: +6 -1 lines
Diff to previous 1.33 (colored) next main 1.34 (colored)
upgrade to OpenSSH 3.9
Revision 1.33.6.1 / (download) - annotate - [select for diffs], Thu Aug 19 04:13:26 2004 UTC (19 years, 9 months ago) by brad
Branch: OPENBSD_3_5
Changes since 1.33: +6 -1 lines
Diff to previous 1.33 (colored) next main 1.34 (colored)
upgrade to OpenSSH 3.9
Revision 1.35 / (download) - annotate - [select for diffs], Sun Jun 13 12:53:24 2004 UTC (19 years, 11 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_3_7_BASE,
OPENBSD_3_6_BASE
Branch point for: OPENBSD_3_7,
OPENBSD_3_6
Changes since 1.34: +3 -1 lines
Diff to previous 1.34 (colored)
implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@
Revision 1.34 / (download) - annotate - [select for diffs], Fri May 21 08:43:03 2004 UTC (20 years ago) by markus
Branch: MAIN
Changes since 1.33: +4 -1 lines
Diff to previous 1.33 (colored)
add prototypes for -Wall; ok djm
Revision 1.32.2.2 / (download) - annotate - [select for diffs], Tue Sep 16 21:20:25 2003 UTC (20 years, 8 months ago) by brad
Branch: OPENBSD_3_2
Changes since 1.32.2.1: +0 -0 lines
Diff to previous 1.32.2.1 (colored) to branchpoint 1.32 (colored) next main 1.33 (colored)
upgrade to OpenSSH 3.7
Revision 1.30.2.3 / (download) - annotate - [select for diffs], Thu Apr 3 22:35:17 2003 UTC (21 years, 1 month ago) by miod
Branch: OPENBSD_3_1
Changes since 1.30.2.2: +17 -6 lines
Diff to previous 1.30.2.2 (colored) to branchpoint 1.30 (colored) next main 1.31 (colored)
Merge OpenSSH 3.6.1
Revision 1.32.2.1 / (download) - annotate - [select for diffs], Tue Apr 1 00:12:13 2003 UTC (21 years, 1 month ago) by margarida
Branch: OPENBSD_3_2
Changes since 1.32: +17 -6 lines
Diff to previous 1.32 (colored)
Update to OpenSSH 3.6
Revision 1.33 / (download) - annotate - [select for diffs], Sun Feb 16 17:09:57 2003 UTC (21 years, 3 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_3_5_BASE,
OPENBSD_3_4_BASE,
OPENBSD_3_3_BASE,
OPENBSD_3_3
Branch point for: OPENBSD_3_5,
OPENBSD_3_4
Changes since 1.32: +17 -6 lines
Diff to previous 1.32 (colored)
split kex into client and server code, no need to link server code into the client; ok provos@
Revision 1.26.2.4 / (download) - annotate - [select for diffs], Fri Oct 11 14:53:06 2002 UTC (21 years, 7 months ago) by miod
Branch: OPENBSD_3_0
Changes since 1.26.2.3: +2 -2 lines
Diff to previous 1.26.2.3 (colored) to branchpoint 1.26 (colored) next main 1.27 (colored)
Update to OpenSSH 3.5
Revision 1.30.2.2 / (download) - annotate - [select for diffs], Fri Oct 11 14:51:52 2002 UTC (21 years, 7 months ago) by miod
Branch: OPENBSD_3_1
Changes since 1.30.2.1: +2 -2 lines
Diff to previous 1.30.2.1 (colored) to branchpoint 1.30 (colored)
Update to OpenSSH 3.5
Revision 1.32 / (download) - annotate - [select for diffs], Mon Sep 9 14:54:14 2002 UTC (21 years, 8 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_3_2_BASE
Branch point for: OPENBSD_3_2
Changes since 1.31: +2 -2 lines
Diff to previous 1.31 (colored)
signed vs unsigned from -pedantic; ok henning@
Revision 1.30.2.1 / (download) - annotate - [select for diffs], Wed Jun 26 15:30:38 2002 UTC (21 years, 10 months ago) by jason
Branch: OPENBSD_3_1
Changes since 1.30: +2 -2 lines
Diff to previous 1.30 (colored)
Pull in OpenSSH-3.4
Revision 1.26.2.3 / (download) - annotate - [select for diffs], Sat Jun 22 07:23:17 2002 UTC (21 years, 11 months ago) by miod
Branch: OPENBSD_3_0
Changes since 1.26.2.2: +2 -2 lines
Diff to previous 1.26.2.2 (colored) to branchpoint 1.26 (colored)
Update OpenSSH to version 3.3 (with local changes, configuration files still living in /etc and privsep user being nobody).
Revision 1.22.2.3 / (download) - annotate - [select for diffs], Sun Jun 2 22:56:10 2002 UTC (21 years, 11 months ago) by miod
Branch: OPENBSD_2_9
Changes since 1.22.2.2: +2 -1 lines
Diff to previous 1.22.2.2 (colored) to branchpoint 1.22 (colored) next main 1.23 (colored)
Upgrade to OpenSSH 3.2.3. Except for improbable compilation error fixes, this should be the last commit made to the 2.9-STABLE branche. Have fun upgrading.
Revision 1.26.2.2 / (download) - annotate - [select for diffs], Fri May 17 00:03:23 2002 UTC (22 years ago) by miod
Branch: OPENBSD_3_0
Changes since 1.26.2.1: +2 -1 lines
Diff to previous 1.26.2.1 (colored) to branchpoint 1.26 (colored)
Update OpenSSH to version 3.2.2.
Revision 1.31 / (download) - annotate - [select for diffs], Thu May 16 22:02:50 2002 UTC (22 years ago) by markus
Branch: MAIN
Changes since 1.30: +2 -2 lines
Diff to previous 1.30 (colored)
fix warnings (openssl 0.9.7 requires const)
Revision 1.30 / (download) - annotate - [select for diffs], Mon Mar 18 17:50:31 2002 UTC (22 years, 2 months ago) by provos
Branch: MAIN
CVS Tags: OPENBSD_3_1_BASE
Branch point for: OPENBSD_3_1
Changes since 1.29: +2 -1 lines
Diff to previous 1.29 (colored)
integrate privilege separated openssh; its turned off by default for now. work done by me and markus@
Revision 1.22.2.2 / (download) - annotate - [select for diffs], Sat Mar 9 00:20:44 2002 UTC (22 years, 2 months ago) by miod
Branch: OPENBSD_2_9
Changes since 1.22.2.1: +4 -2 lines
Diff to previous 1.22.2.1 (colored) to branchpoint 1.22 (colored)
Merge OpenSSH 3.1, keeping /etc as configuration files directory. (i.e. OpenSSH 3.1 + openbsd29_3.1.patch)
Revision 1.7.2.6 / (download) - annotate - [select for diffs], Fri Mar 8 17:04:42 2002 UTC (22 years, 2 months ago) by brad
Branch: OPENBSD_2_8
Changes since 1.7.2.5: +4 -2 lines
Diff to previous 1.7.2.5 (colored) to branchpoint 1.7 (colored) next main 1.8 (colored)
Merge OpenSSH 3.1.
Revision 1.26.2.1 / (download) - annotate - [select for diffs], Thu Mar 7 17:37:46 2002 UTC (22 years, 2 months ago) by jason
Branch: OPENBSD_3_0
Changes since 1.26: +4 -2 lines
Diff to previous 1.26 (colored)
Update to OpenSSH-3.1 on 3.0-stable branch
Revision 1.29 / (download) - annotate - [select for diffs], Thu Feb 14 23:41:01 2002 UTC (22 years, 3 months ago) by markus
Branch: MAIN
Changes since 1.28: +3 -1 lines
Diff to previous 1.28 (colored)
hide some more implementation details of cipher.[ch] and prepares for move to EVP, ok deraadt@
Revision 1.28 / (download) - annotate - [select for diffs], Fri Dec 28 15:06:00 2001 UTC (22 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.27: +2 -2 lines
Diff to previous 1.27 (colored)
remove plen from the dispatch fn. it's no longer used.
Revision 1.27 / (download) - annotate - [select for diffs], Thu Dec 20 22:50:24 2001 UTC (22 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.26: +2 -2 lines
Diff to previous 1.26 (colored)
Conformance fix: we should send failing packet sequence number when responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by yakk@yakk.dot.net; ok markus@
Revision 1.22.2.1 / (download) - annotate - [select for diffs], Thu Sep 27 19:03:54 2001 UTC (22 years, 7 months ago) by jason
Branch: OPENBSD_2_9
Changes since 1.22: +13 -13 lines
Diff to previous 1.22 (colored)
Pull in OpenSSH-2.9.9
Revision 1.7.2.5 / (download) - annotate - [select for diffs], Thu Sep 27 00:15:42 2001 UTC (22 years, 7 months ago) by miod
Branch: OPENBSD_2_8
Changes since 1.7.2.4: +13 -13 lines
Diff to previous 1.7.2.4 (colored) to branchpoint 1.7 (colored)
Pull in OpenSSH 2.9.9 to the 2.8 branch.
Revision 1.26 / (download) - annotate - [select for diffs], Tue Jun 26 17:27:23 2001 UTC (22 years, 10 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_3_0_BASE
Branch point for: OPENBSD_3_0
Changes since 1.25: +7 -7 lines
Diff to previous 1.25 (colored)
remove comments from .h, since they are cut&paste from the .c files and out of sync
Revision 1.25 / (download) - annotate - [select for diffs], Tue Jun 26 06:32:53 2001 UTC (22 years, 10 months ago) by itojun
Branch: MAIN
Changes since 1.24: +10 -10 lines
Diff to previous 1.24 (colored)
prototype pedant. not very creative... - () -> (void) - no variable names
Revision 1.24 / (download) - annotate - [select for diffs], Mon Jun 25 08:25:37 2001 UTC (22 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.23: +2 -2 lines
Diff to previous 1.23 (colored)
update copyright for 2001
Revision 1.23 / (download) - annotate - [select for diffs], Sat Jun 23 02:34:28 2001 UTC (22 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.22: +2 -2 lines
Diff to previous 1.22 (colored)
get rid of known_hosts2, use it for hostkey lookup, but do not modify.
Revision 1.7.2.4 / (download) - annotate - [select for diffs], Mon May 7 21:09:30 2001 UTC (23 years ago) by jason
Branch: OPENBSD_2_8
Changes since 1.7.2.3: +56 -60 lines
Diff to previous 1.7.2.3 (colored) to branchpoint 1.7 (colored)
Pull in OpenSSH-2.9 to 2.8 branch.
Revision 1.22 / (download) - annotate - [select for diffs], Wed Apr 4 20:25:37 2001 UTC (23 years, 1 month ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_2_9_BASE
Branch point for: OPENBSD_2_9
Changes since 1.21: +3 -3 lines
Diff to previous 1.21 (colored)
more robust rekeying don't send channel data after rekeying is started.
Revision 1.21 / (download) - annotate - [select for diffs], Wed Apr 4 14:34:58 2001 UTC (23 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.20: +2 -2 lines
Diff to previous 1.20 (colored)
enable server side rekeying + some rekey related clientup. todo: we should not send any non-KEX messages after we send KEXINIT
Revision 1.20 / (download) - annotate - [select for diffs], Wed Apr 4 09:48:34 2001 UTC (23 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.19: +4 -3 lines
Diff to previous 1.19 (colored)
don't sent multiple kexinit-requests. send newkeys, block while waiting for newkeys. fix comments.
Revision 1.19 / (download) - annotate - [select for diffs], Tue Apr 3 23:32:12 2001 UTC (23 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.18: +40 -35 lines
Diff to previous 1.18 (colored)
undo parts of recent my changes: main part of keyexchange does not need dispatch-callbacks, since application data is delayed until the keyexchange completes (if i understand the drafts correctly). add some infrastructure for re-keying.
Revision 1.18 / (download) - annotate - [select for diffs], Tue Apr 3 19:53:29 2001 UTC (23 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.17: +27 -33 lines
Diff to previous 1.17 (colored)
move kex to kex*.c, used dispatch_set() callbacks for kex. should make rekeying easier.
Revision 1.17 / (download) - annotate - [select for diffs], Thu Mar 29 21:17:40 2001 UTC (23 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.16: +1 -6 lines
Diff to previous 1.16 (colored)
prepare for rekeying: move DH code to dh.c
Revision 1.16 / (download) - annotate - [select for diffs], Wed Mar 28 21:59:40 2001 UTC (23 years, 1 month ago) by provos
Branch: MAIN
Changes since 1.15: +3 -2 lines
Diff to previous 1.15 (colored)
forgot to include min and max params in hash, okay markus@
Revision 1.7.2.3 / (download) - annotate - [select for diffs], Wed Mar 21 19:46:25 2001 UTC (23 years, 2 months ago) by jason
Branch: OPENBSD_2_8
Changes since 1.7.2.2: +2 -2 lines
Diff to previous 1.7.2.2 (colored) to branchpoint 1.7 (colored)
Pull in OpenSSH-2.5.2 for 2.8 branch.
Revision 1.2.2.4 / (download) - annotate - [select for diffs], Wed Mar 21 18:52:47 2001 UTC (23 years, 2 months ago) by jason
Branch: OPENBSD_2_7
Changes since 1.2.2.3: +2 -2 lines
Diff to previous 1.2.2.3 (colored) to branchpoint 1.2 (colored) next main 1.3 (colored)
Pull in OpenSSH-2.5.2 for 2.7 branch.
Revision 1.2.2.3 / (download) - annotate - [select for diffs], Mon Mar 12 15:44:11 2001 UTC (23 years, 2 months ago) by jason
Branch: OPENBSD_2_7
Changes since 1.2.2.2: +15 -10 lines
Diff to previous 1.2.2.2 (colored) to branchpoint 1.2 (colored)
OpenSSH-2.5.1 for 2.7 patch branch
Revision 1.15 / (download) - annotate - [select for diffs], Mon Mar 5 17:17:20 2001 UTC (23 years, 2 months ago) by markus
Branch: MAIN
Changes since 1.14: +2 -2 lines
Diff to previous 1.14 (colored)
generate a 2*need size (~300 instead of 1024/2048) random private
exponent during the DH key agreement. according to Niels (the great
german advisor) this is safe since /etc/primes contains strong
primes only.
References:
P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key
agreement with short exponents, In Advances in Cryptology
- EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.
Revision 1.7.2.2 / (download) - annotate - [select for diffs], Mon Feb 19 17:18:59 2001 UTC (23 years, 3 months ago) by jason
Branch: OPENBSD_2_8
Changes since 1.7.2.1: +0 -0 lines
Diff to previous 1.7.2.1 (colored) to branchpoint 1.7 (colored)
Pull in OpenSSH-2.5.1
Revision 1.7.2.1 / (download) - annotate - [select for diffs], Fri Feb 16 20:13:04 2001 UTC (23 years, 3 months ago) by jason
Branch: OPENBSD_2_8
Changes since 1.7: +15 -10 lines
Diff to previous 1.7 (colored)
Pull in OpenSSH 2.5.0
Revision 1.14 / (download) - annotate - [select for diffs], Sun Feb 11 12:59:24 2001 UTC (23 years, 3 months ago) by markus
Branch: MAIN
Changes since 1.13: +4 -2 lines
Diff to previous 1.13 (colored)
1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
Revision 1.13 / (download) - annotate - [select for diffs], Sun Feb 4 15:32:24 2001 UTC (23 years, 3 months ago) by stevesk
Branch: MAIN
Changes since 1.12: +2 -2 lines
Diff to previous 1.12 (colored)
unexpand and remove end-of-line whitespace; ok markus@
Revision 1.12 / (download) - annotate - [select for diffs], Mon Jan 29 01:58:16 2001 UTC (23 years, 3 months ago) by niklas
Branch: MAIN
Changes since 1.11: +2 -0 lines
Diff to previous 1.11 (colored)
$OpenBSD$
Revision 1.11 / (download) - annotate - [select for diffs], Wed Dec 20 19:37:22 2000 UTC (23 years, 5 months ago) by markus
Branch: MAIN
Changes since 1.10: +2 -2 lines
Diff to previous 1.10 (colored)
fix prototypes; from stevesk@pobox.com
Revision 1.10 / (download) - annotate - [select for diffs], Tue Dec 19 23:17:56 2000 UTC (23 years, 5 months ago) by markus
Branch: MAIN
Changes since 1.9: +6 -6 lines
Diff to previous 1.9 (colored)
replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' with u_char.
Revision 1.9 / (download) - annotate - [select for diffs], Fri Dec 15 17:30:14 2000 UTC (23 years, 5 months ago) by provos
Branch: MAIN
Changes since 1.8: +1 -0 lines
Diff to previous 1.8 (colored)
compute diffie-hellman in parallel between server and client. okay markus@
Revision 1.8 / (download) - annotate - [select for diffs], Sun Nov 12 19:50:37 2000 UTC (23 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.7: +1 -1 lines
Diff to previous 1.7 (colored)
add support for RSA to SSH2. please test. there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2. you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys. SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before. IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys. the option DSAAuthentication is replaced by PubkeyAuthetication.
Revision 1.2.2.2 / (download) - annotate - [select for diffs], Wed Nov 8 21:30:51 2000 UTC (23 years, 6 months ago) by jason
Branch: OPENBSD_2_7
Changes since 1.2.2.1: +26 -14 lines
Diff to previous 1.2.2.1 (colored) to branchpoint 1.2 (colored)
openssh-2.3.0 (again) for 2.7 branch
Revision 1.7 / (download) - annotate - [select for diffs], Thu Oct 12 14:21:12 2000 UTC (23 years, 7 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_2_8_BASE
Branch point for: OPENBSD_2_8
Changes since 1.6: +0 -1 lines
Diff to previous 1.6 (colored)
remove unused
Revision 1.6 / (download) - annotate - [select for diffs], Wed Oct 11 20:27:23 2000 UTC (23 years, 7 months ago) by markus
Branch: MAIN
Changes since 1.5: +4 -6 lines
Diff to previous 1.5 (colored)
new cipher framework
Revision 1.5 / (download) - annotate - [select for diffs], Wed Oct 11 04:02:17 2000 UTC (23 years, 7 months ago) by provos
Branch: MAIN
Changes since 1.4: +22 -2 lines
Diff to previous 1.4 (colored)
First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company.
Revision 1.4 / (download) - annotate - [select for diffs], Thu Sep 7 20:27:51 2000 UTC (23 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.3: +0 -5 lines
Diff to previous 1.3 (colored)
cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
Revision 1.2.2.1 / (download) - annotate - [select for diffs], Mon Jun 12 02:37:34 2000 UTC (23 years, 11 months ago) by jason
Branch: OPENBSD_2_7
Changes since 1.2: +9 -4 lines
Diff to previous 1.2 (colored)
lovin' CVS... update patch branch to OpenSSH-2.1.1
Revision 1.3 / (download) - annotate - [select for diffs], Thu May 25 20:45:20 2000 UTC (23 years, 11 months ago) by markus
Branch: MAIN
Changes since 1.2: +9 -4 lines
Diff to previous 1.2 (colored)
split kexinit/kexdh, factor out common code
Revision 1.2 / (download) - annotate - [select for diffs], Wed Apr 12 07:03:06 2000 UTC (24 years, 1 month ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_2_7_BASE
Branch point for: OPENBSD_2_7
Changes since 1.1: +2 -1 lines
Diff to previous 1.1 (colored)
check for reasonable public DH values
Revision 1.1 / (download) - annotate - [select for diffs], Mon Apr 3 20:06:16 2000 UTC (24 years, 1 month ago) by markus
Branch: MAIN
DSA, keyexchange, algorithm agreement for ssh2