#
68de26a4 |
| 30-Apr-2024 |
djm <djm@openbsd.org> |
add explict check for server hostkey type against HostkeyAlgorithms. Allows HostkeyAlgorithms to disable implicit fallback from certificate keys to plain keys. ok markus@
|
#
e6c7c102 |
| 23-Apr-2024 |
jsg <jsg@openbsd.org> |
correct indentation; no functional change ok tb@
|
#
52113de9 |
| 11-Jan-2024 |
djm <djm@openbsd.org> |
make DSA key support compile-time optional, defaulting to on
ok markus@
|
#
8f13aefc |
| 20-Nov-2023 |
djm <djm@openbsd.org> |
set errno=EAFNOSUPPORT when filtering addresses that don't match AddressFamily; yields slightly better error message if no address matches. bz#3526
|
#
4ff40062 |
| 15-Nov-2023 |
djm <djm@openbsd.org> |
when connecting via socket (the default case), filter addresses by AddressFamily if one was specified. Fixes the case where, if CanonicalizeHostname is enabled, ssh may ignore AddressFamily. bz5326;
when connecting via socket (the default case), filter addresses by AddressFamily if one was specified. Fixes the case where, if CanonicalizeHostname is enabled, ssh may ignore AddressFamily. bz5326; ok dtucker
show more ...
|
#
c611b7a9 |
| 10-Mar-2023 |
dtucker <dtucker@openbsd.org> |
Explicitly ignore return from fcntl(... FD_CLOEXEC) here too. Coverity CID 291853.
|
#
15d7c2bc |
| 05-Mar-2023 |
dtucker <dtucker@openbsd.org> |
Remove unused compat.h includes. We've previously removed a lot of the really old compatibility code, and with it went the need to include compat.h in most of the files that have it.
|
#
bf25c7a3 |
| 13-Jan-2023 |
djm <djm@openbsd.org> |
avoid printf("%s", NULL) if using ssh -oUserKnownHostsFile=none and a hostkey in one of the system known hosts file changes; ok dtucker@
|
#
8ff89c39 |
| 03-Nov-2022 |
djm <djm@openbsd.org> |
replace recently-added valid_domain() check for hostnames going to known_hosts with a more relaxed check for bad characters; previous commit broke address literals. Reported by/feedback from florian@
|
#
64416e99 |
| 24-Oct-2022 |
djm <djm@openbsd.org> |
Be more paranoid with host/domain names coming from the resolver: don't follow CNAMEs with invalid characters when canonicalising and never write a name with bad characters to a known_hosts file.
re
Be more paranoid with host/domain names coming from the resolver: don't follow CNAMEs with invalid characters when canonicalising and never write a name with bad characters to a known_hosts file.
reported by David Leadbeater, ok deraadt@
show more ...
|
#
1cd3c5a7 |
| 26-Aug-2022 |
djm <djm@openbsd.org> |
whitespace
|
#
b4a490f5 |
| 03-Jun-2022 |
dtucker <dtucker@openbsd.org> |
Add period at end of "not known by any other names" message. github PR#320 from jschauma, ok djm@
|
#
82d651da |
| 19-Dec-2021 |
djm <djm@openbsd.org> |
ssh-add side of destination constraints
Have ssh-add accept a list of "destination constraints" that allow restricting where keys may be used in conjunction with a ssh-agent/ssh that supports sessio
ssh-add side of destination constraints
Have ssh-add accept a list of "destination constraints" that allow restricting where keys may be used in conjunction with a ssh-agent/ssh that supports session ID/hostkey binding.
Constraints are specified as either "[user@]host-pattern" or "host-pattern>[user@]host-pattern".
The first form permits a key to be used to authenticate as the specified user to the specified host.
The second form permits a key that has previously been permitted for use at a host to be available via a forwarded agent to an additional host.
For example, constraining a key with "user1@host_a" and "host_a>host_b". Would permit authentication as "user1" at "host_a", and allow the key to be available on an agent forwarded to "host_a" only for authentication to "host_b". The key would not be visible on agent forwarded to other hosts or usable for authentication there.
Internally, destination constraints use host keys to identify hosts. The host patterns are used to obtain lists of host keys for that destination that are communicated to the agent. The user/hostkeys are encoded using a new restrict-destination-v00@openssh.com key constraint.
host keys are looked up in the default client user/system known_hosts files. It is possible to override this set on the command-line.
feedback Jann Horn & markus@ ok markus@
show more ...
|
#
bdfa5c1b |
| 02-Jul-2021 |
dtucker <dtucker@openbsd.org> |
Remove references to ChallengeResponseAuthentication in favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as som
Remove references to ChallengeResponseAuthentication in favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as deprecated alias so config files continue to work and a reference in the man page for people looking for it.
Prompted by bz#3303 which pointed out the discrepancy between the two when used with Match. Man page help & ok jmc@, with & ok djm@
show more ...
|
#
5a3cda13 |
| 25-Jun-2021 |
dtucker <dtucker@openbsd.org> |
Use better language to refer to the user. From l1ving via github PR#250, ok jmc@
|
#
86a8bd52 |
| 08-Jun-2021 |
djm <djm@openbsd.org> |
Allow argv_split() to optionally terminate tokenisation when it encounters an unquoted comment.
Add some additional utility function for working with argument vectors, since we'll be switching to us
Allow argv_split() to optionally terminate tokenisation when it encounters an unquoted comment.
Add some additional utility function for working with argument vectors, since we'll be switching to using them to parse ssh/sshd_config shortly.
ok markus@ as part of a larger diff; tested in snaps
show more ...
|
#
74cb32ae |
| 03-Apr-2021 |
djm <djm@openbsd.org> |
highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
|
#
0daa75b7 |
| 03-Mar-2021 |
sthen <sthen@openbsd.org> |
typo in other_hostkeys_message() display output, ok djm
|
#
fb196569 |
| 26-Jan-2021 |
djm <djm@openbsd.org> |
move check_host_cert() from sshconnect,c to sshkey.c and refactor it to make it more generally usable and testable.
ok markus@
|
#
ed5bd129 |
| 22-Dec-2020 |
djm <djm@openbsd.org> |
add a ssh_config KnownHostsCommand that allows the client to obtain known_hosts data from a command in addition to the usual files.
The command accepts bunch of %-expansions, including details of th
add a ssh_config KnownHostsCommand that allows the client to obtain known_hosts data from a command in addition to the usual files.
The command accepts bunch of %-expansions, including details of the connection and the offered server host key. Note that the command may be invoked up to three times per connection (see the manpage for details).
ok markus@
show more ...
|
#
562f8831 |
| 20-Dec-2020 |
djm <djm@openbsd.org> |
plumb ssh_conn_info through to sshconnect.c; feedback/ok markus@
|
#
352e3450 |
| 20-Dec-2020 |
djm <djm@openbsd.org> |
allow UserKnownHostsFile=none; feedback and ok markus@
|
#
4ac03e1d |
| 20-Dec-2020 |
djm <djm@openbsd.org> |
load_hostkeys()/hostkeys_foreach() variants for FILE*
Add load_hostkeys_file() and hostkeys_foreach_file() that accept a FILE* argument instead of opening the file directly.
Original load_hostkeys(
load_hostkeys()/hostkeys_foreach() variants for FILE*
Add load_hostkeys_file() and hostkeys_foreach_file() that accept a FILE* argument instead of opening the file directly.
Original load_hostkeys() and hostkeys_foreach() are implemented using these new interfaces.
Add a u_int note field to the hostkey_entry and hostkey_foreach_line structs that is passed directly from the load_hostkeys() and hostkeys_foreach() call. This is a lightweight way to annotate results between different invocations of load_hostkeys().
ok markus@
show more ...
|
#
05bbb3d3 |
| 27-Nov-2020 |
djm <djm@openbsd.org> |
Set the specified TOS/DSCP for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive (due to server side login grace periods) and is frequently interactive (
Set the specified TOS/DSCP for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive (due to server side login grace periods) and is frequently interactive (e.g. entering passwords). The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
ok dtucker@
show more ...
|
#
8feb28b8 |
| 22-Nov-2020 |
djm <djm@openbsd.org> |
when mentioning that the host key has changed, don't report the type because it is ambiguous as to whether it referred to the known or new host key. bz3216; ok dtucker@
|