#
7a5ec239 |
| 01-May-2015 |
djm <djm@openbsd.org> |
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
#
682e9f39 |
| 25-Feb-2015 |
djm <djm@openbsd.org> |
don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
|
#
ace78deb |
| 20-Jan-2015 |
deraadt <deraadt@openbsd.org> |
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
|
#
3dbedef4 |
| 21-Dec-2014 |
djm <djm@openbsd.org> |
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64.
Feedback and ok naddy@ markus@
|
#
5885b59c |
| 04-Dec-2014 |
djm <djm@openbsd.org> |
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
#
a0215499 |
| 15-Jul-2014 |
millert <millert@openbsd.org> |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation o
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
show more ...
|
#
2f1e2083 |
| 03-Jul-2014 |
djm <djm@openbsd.org> |
make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
|
#
12491775 |
| 29-Apr-2014 |
markus <markus@openbsd.org> |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
3e2e18ec |
| 19-May-2013 |
djm <djm@openbsd.org> |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. C
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
show more ...
|
#
0d40fefd |
| 17-May-2013 |
djm <djm@openbsd.org> |
bye, bye xfree(); ok markus@
|
#
b2493a26 |
| 06-Feb-2013 |
dtucker <dtucker@openbsd.org> |
Fix comment, from jfree.e1 at gmail
|
#
bc6ad73f |
| 17-Jan-2013 |
djm <djm@openbsd.org> |
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
show more ...
|
#
c76b1e7a |
| 14-Dec-2012 |
dtucker <dtucker@openbsd.org> |
use correct string in error message; from rustybsd at gmx.fr
|
#
e806a6a0 |
| 02-Dec-2012 |
djm <djm@openbsd.org> |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial"
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
show more ...
|
#
ed4ad9c0 |
| 30-Oct-2012 |
djm <djm@openbsd.org> |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
show more ...
|
#
b5550cda |
| 13-May-2012 |
dtucker <dtucker@openbsd.org> |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
|
#
98b1f305 |
| 11-Apr-2012 |
djm <djm@openbsd.org> |
Support "none" as an argument for AuthorizedPrincipalsFile to indicate no file should be read.
|
#
b802ffac |
| 23-May-2011 |
djm <djm@openbsd.org> |
make secure_filename() spam debug logs less
|
#
3d892b28 |
| 23-May-2011 |
djm <djm@openbsd.org> |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in ssh
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entierly :)
feedback and ok markus@ dtucker@
show more ...
|
#
f7f33c9d |
| 11-May-2011 |
djm <djm@openbsd.org> |
remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
|
#
4c771e0c |
| 29-Nov-2010 |
djm <djm@openbsd.org> |
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that
automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
show more ...
|
#
948aa8d2 |
| 23-Nov-2010 |
djm <djm@openbsd.org> |
use strict_modes already passed as function argument over referencing global options.strict_modes
|
#
58056d14 |
| 04-Aug-2010 |
djm <djm@openbsd.org> |
enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
|
#
4497fd87 |
| 22-Jun-2010 |
djm <djm@openbsd.org> |
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with L
queue auth debug messages for bad ownership or permissions on the user's keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
show more ...
|
#
b25a37f4 |
| 07-May-2010 |
djm <djm@openbsd.org> |
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the a user's name to be accepted for authentication. This change adds the ab
add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
feedback and ok markus@
show more ...
|