#
13202d0a |
| 19-Jan-2015 |
markus <markus@openbsd.org> |
adapt kex to sshbuf and struct ssh; ok djm@
|
#
8eeb9388 |
| 19-Jan-2015 |
markus <markus@openbsd.org> |
update packet.c & isolate, introduce struct ssh a) switch packet.c to buffer api and isolate per-connection info into struct ssh b) (de)serialization of the state is moved from monitor to packet.c c) the old packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and integrated into packet.c with and ok djm@
|
#
b7e9f6c7 |
| 14-Jan-2015 |
djm <djm@openbsd.org> |
move authfd.c and its tentacles to the new buffer/key API; ok markus@
|
#
dc9cac76 |
| 13-Jan-2015 |
djm <djm@openbsd.org> |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
|
#
eb018c05 |
| 22-Dec-2014 |
djm <djm@openbsd.org> |
remember which public keys have been used for authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys.
ok markus@
|
#
a0215499 |
| 15-Jul-2014 |
millert <millert@openbsd.org> |
Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
|
#
ea2d8289 |
| 24-Jun-2014 |
djm <djm@openbsd.org> |
New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
|
#
87f0df62 |
| 03-May-2014 |
markus <markus@openbsd.org> |
unbreak compression, by re-init-ing the compression code in the post-auth child. the new buffer code is more strict, and requires buffer_init() while the old code was happy after a bzero(); originally from djm@
|
#
12491775 |
| 29-Apr-2014 |
markus <markus@openbsd.org> |
make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
|
#
c671dcf1 |
| 02-Feb-2014 |
djm <djm@openbsd.org> |
convert memset of potentially-private data to explicit_bzero()
|
#
69881b76 |
| 31-Jan-2014 |
tedu <tedu@openbsd.org> |
replace most bzero with explicit_bzero, except a few that can be memset ok djm dtucker
|
#
79b68f81 |
| 29-Jan-2014 |
djm <djm@openbsd.org> |
remove experimental, never-enabled JPAKE code; ok markus@
|
#
37dd1b55 |
| 04-Nov-2013 |
markus <markus@openbsd.org> |
fix rekeying for KEX_C25519_SHA256; noted by dtucker@
|
#
08daa7c0 |
| 19-Jul-2013 |
markus <markus@openbsd.org> |
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
|
#
8ee4e65c |
| 21-Jun-2013 |
djm <djm@openbsd.org> |
for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
|
#
3e2e18ec |
| 19-May-2013 |
djm <djm@openbsd.org> |
Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
|
#
0d40fefd |
| 17-May-2013 |
djm <djm@openbsd.org> |
bye, bye xfree(); ok markus@
|
#
53eed79d |
| 16-May-2013 |
dtucker <dtucker@openbsd.org> |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
89f57029 |
| 07-Mar-2013 |
markus <markus@openbsd.org> |
add submethod support to AuthenticationMethods; ok and feedback djm@
|
#
af9b1943 |
| 07-Mar-2013 |
djm <djm@openbsd.org> |
reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@
|
#
5fcdafde |
| 11-Dec-2012 |
markus <markus@openbsd.org> |
drain the log messages after receiving the keystate from the unpriv child. otherwise it might block while sending. ok djm@
|
#
e806a6a0 |
| 02-Dec-2012 |
djm <djm@openbsd.org> |
Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state.
Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive.
Fix multiple authentication when one of the methods is keyboard-interactive.
ok markus@
|
#
0613b404 |
| 04-Nov-2012 |
djm <djm@openbsd.org> |
Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
|
#
e36714a0 |
| 22-Jun-2012 |
dtucker <dtucker@openbsd.org> |
remove dead code following 'for (;;)' loops. From Steve.McClellan at radisys com, ok markus@
|
#
148c40fb |
| 05-Jan-2012 |
djm <djm@openbsd.org> |
memleak on error path
|