OpenBSD CVS

CVS log for src/usr.bin/ssh/ssh_api.c




Default branch: MAIN


Revision 1.29, Fri May 17 00:30:24 2024 UTC (4 hours, 33 minutes ago) by djm
Branch: MAIN
CVS Tags: HEAD
Changes since 1.28: +11 -6 lines

Start the process of splitting sshd into separate binaries. This step
splits sshd into a listener and a session binary. More splits are
planned.

After these changes, the listener binary will validate the configuration,
load the hostkeys, listen on port 22 and manage MaxStartups only. All
session handling will be performed by a new sshd-session binary that the
listener fork+execs.

This reduces the listener process to the minimum necessary and sets us
up for future work on the sshd-session binary.

feedback/ok markus@ deraadt@

NB. if you're updating via source, please restart sshd after installing,
otherwise you run the risk of locking yourself out.

Revision 1.28, Tue Jan 9 21:39:14 2024 UTC (4 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5
Changes since 1.27: +12 -2 lines

adapt ssh_api.c code for kex-strict

from markus@ ok me

Revision 1.27, Sat Apr 3 06:18:41 2021 UTC (3 years, 1 month ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4, OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1, OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.26: +3 -3 lines

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185

Revision 1.26, Wed Jan 27 10:05:28 2021 UTC (3 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.25: +1 -5 lines

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@

Revision 1.25, Wed Jan 27 09:26:54 2021 UTC (3 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.24: +2 -2 lines

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@

Revision 1.24, Tue Dec 29 00:59:15 2020 UTC (3 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.23: +3 -3 lines

Update/replace the experimental post-quantum hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementation, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks to Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note that both the updated method and the one that it replaced are
disabled by default)

Revision 1.23, Fri Dec 4 02:29:56 2020 UTC (3 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.22: +4 -1 lines

make ssh_free(NULL) a no-op

Revision 1.22, Sun Oct 18 11:32:02 2020 UTC (3 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.21: +10 -10 lines

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

Revision 1.21, Thu Aug 27 01:06:18 2020 UTC (3 years, 8 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.20: +5 -5 lines

support for user-verified FIDO keys

FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.

This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.

feedback markus@ and Pedro Martelletto; ok markus@

Revision 1.20, Wed Jul 1 16:28:31 2020 UTC (3 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.19: +2 -4 lines

free kex in ssh_packet_close; ok djm semarie

Revision 1.19, Thu Oct 31 21:23:19 2019 UTC (4 years, 6 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.18: +5 -4 lines

Refactor signing - use sshkey_sign for everything, including the new
U2F signatures.

Don't use sshsk_ecdsa_sign() directly, instead make it reachable via
sshkey_sign() like all other signature operations. This means that
we need to add a provider argument to sshkey_sign(), so most of this
change is mechanically adding that.

Suggested by / ok markus@

Revision 1.18, Fri Sep 13 04:36:43 2019 UTC (4 years, 8 months ago) by dtucker
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.17: +19 -15 lines

Plug mem leaks on error paths, based in part on github pr#120 from
David Carlier.  ok djm@.

Revision 1.17, Fri Sep 6 05:23:55 2019 UTC (4 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.16: +8 -1 lines

fixes for !WITH_OPENSSL compilation; ok dtucker@

Revision 1.16, Fri Sep 6 04:53:27 2019 UTC (4 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.15: +6 -1 lines

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly

Revision 1.15, Mon Jan 21 10:38:54 2019 UTC (5 years, 3 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.14: +17 -17 lines

merge kexkem[cs] into kexgen

from markus@ ok djm@

Revision 1.14, Mon Jan 21 10:29:56 2019 UTC (5 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.13: +3 -3 lines

use KEM API for vanilla ECDH

from markus@ ok djm@

Revision 1.13, Mon Jan 21 10:28:02 2019 UTC (5 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.12: +11 -11 lines

use KEM API for vanilla DH KEX

from markus@ ok djm@

Revision 1.12, Mon Jan 21 10:24:09 2019 UTC (5 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.11: +3 -3 lines

use KEM API for vanilla c25519 KEX

Revision 1.11, Mon Jan 21 10:20:12 2019 UTC (5 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.10: +3 -1 lines

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@

Revision 1.10, Sat Jan 19 21:43:56 2019 UTC (5 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.9: +8 -7 lines

remove last references to active_state

with & ok markus@

Revision 1.9, Thu Dec 27 03:25:25 2018 UTC (5 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.8: +70 -55 lines

move client/server SSH-* banners to buffers under ssh->kex and factor
out the banner exchange. This eliminates some common code from the
client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@

Revision 1.8, Sun Apr 30 23:13:25 2017 UTC (7 years ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4, OPENBSD_6_3_BASE, OPENBSD_6_3, OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.7: +1 -2 lines

remove compat20/compat13/compat15 variables

ok markus@

Revision 1.7, Wed May 4 14:22:33 2016 UTC (8 years ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1, OPENBSD_6_0_BASE, OPENBSD_6_0
Changes since 1.6: +1 -3 lines

move SSH_MSG_NONE, so we don't have to include ssh1.h; ok deraadt@

Revision 1.6, Mon May 2 10:26:04 2016 UTC (8 years ago) by djm
Branch: MAIN
Changes since 1.5: +7 -1 lines

add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@

Revision 1.5, Fri Dec 4 16:41:28 2015 UTC (8 years, 5 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.4: +8 -8 lines

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@

Revision 1.4, Mon Feb 16 22:13:32 2015 UTC (9 years, 3 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8, OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.3: +4 -3 lines

Revise hostkeys@openssh.com hostkey learning extension.

The client will not ask the server to prove ownership of the private
halves of any hitherto-unseen hostkeys it offers to the client.

Allow UpdateHostKeys option to take an 'ask' argument to let the
user manually review keys offered.

ok markus@

Revision 1.3, Fri Jan 30 01:13:33 2015 UTC (9 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.2: +3 -2 lines

avoid more fatal/exit in the packet.c paths that ssh-keyscan
uses; feedback and "looks good" markus@

Revision 1.2, Mon Jan 26 06:10:03 2015 UTC (9 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.1: +9 -7 lines

correctly match ECDSA subtype (== curve) for offered/received
host keys. Fixes connection-killing host key mismatches when
a server offers multiple ECDSA keys with different curve type
(an extremely unlikely configuration).

ok markus, "looks mechanical" deraadt@

Revision 1.1, Mon Jan 19 20:30:23 2015 UTC (9 years, 3 months ago) by markus
Branch: MAIN

add experimental api for packet layer; ok djm@
