
8904d296 | 19-Jan-2019 | djm <djm@openbsd.org>
begin landing remaining refactoring of packet parsing API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps.
with & ok markus@

db83af3c | 17-Jan-2019 | djm <djm@openbsd.org>
include time.h for time(3)/nanosleep(2); from Ian McKellar

655987b9 | 16-Nov-2018 | djm <djm@openbsd.org>
use path_absolute() for pathname checks; from Manoj Ampalam

1678cdc9 | 12-Sep-2018 | djm <djm@openbsd.org>
log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint).
ok markus@

cf6a624d | 11-Jul-2018 | martijn <martijn@openbsd.org>
s/wuth/with/ in comment

25ae3b00 | 09-Jul-2018 | markus <markus@openbsd.org>
sshd: switch authentication to sshbuf API; ok djm@

76acd6a7 | 06-Jun-2018 | djm <djm@openbsd.org>
permitlisten option for authorized_keys; ok markus@

ef0a268e | 01-Jun-2018 | djm <djm@openbsd.org>
make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@

ddf3e44b | 25-May-2018 | djm <djm@openbsd.org>
Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner

45f84e9d | 12-Mar-2018 | djm <djm@openbsd.org>
add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@

40d17fe2 | 03-Mar-2018 | djm <djm@openbsd.org>
switch over to the new authorized_keys options API and remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
feedback and ok markus@

879b4d6e | 08-Jan-2018 | markus <markus@openbsd.org>
move subprocess() so scp/sftp do not need uidswap.o; ok djm@

7b28dfb0 | 12-Sep-2017 | djm <djm@openbsd.org>
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
ok markus@

9cc5c984 | 18-Aug-2017 | djm <djm@openbsd.org>
Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition.
feedback & ok dtucker@

0fafb8f1 | 24-Jun-2017 | djm <djm@openbsd.org>
refactor authentication logging
optionally record successful auth methods and public credentials used in a file accessible to user sessions
feedback and ok markus@

40a7db51 | 30-May-2017 | markus <markus@openbsd.org>
switch from Key typedef with struct sshkey; ok djm@

945729c7 | 17-May-2017 | djm <djm@openbsd.org>
allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717

1cd0d238 | 15-Dec-2016 | dtucker <dtucker@openbsd.org>
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@

c4421495 | 08-Nov-2016 | djm <djm@openbsd.org>
unbreak DenyUsers; reported by henning@

771b9066 | 06-Nov-2016 | djm <djm@openbsd.org>
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)

3d9665d3 | 13-Aug-2016 | markus <markus@openbsd.org>
remove ssh1 server code; ok djm@

5a046c07 | 15-Jun-2016 | dtucker <dtucker@openbsd.org>
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@

1667b834 | 07-Mar-2016 | djm <djm@openbsd.org>
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
feedback and ok markus@

bf881d8d | 21-Aug-2015 | djm <djm@openbsd.org>
fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@

50779363 | 06-Aug-2015 | deraadt <deraadt@openbsd.org>
add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus