path: root/usr.bin/ssh/auth-options.c

Commit message | Author | Date | Files | Lines
...
* Add support for certificate key types for users and hosts. (djm, 2010-02-26, 1 file, -1/+149)
  OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
  Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. See VERIFYING HOST KEYS in ssh(1) for details.
  Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
  Certificates are minted using ssh-keygen(1); documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys.
  feedback and ok markus@
* another chunk of a2port() diff that got away. wtfdjm?? (djm, 2009-01-22, 1 file, -3/+3)
* support CIDR address matching in .ssh/authorized_keys from="..." stanzas (djm, 2008-06-10, 1 file, -8/+17)
  ok and extensive testing dtucker@
* Implement a channel success/failure status confirmation callback (djm, 2008-05-08, 1 file, -1/+2)
  mechanism. Each channel maintains a queue of callbacks, which will be drained in order (RFC4253 guarantees confirm messages are not reordered within a channel). Also includes an abandonment callback to clean up if a channel is closed without sending confirmation messages. This probably shouldn't happen in compliant implementations, but it could be abused to leak memory.
  ok markus@ (as part of a larger diff)
* add no-user-rc authorized_keys option to disable execution of ~/.ssh/rc (djm, 2008-03-26, 1 file, -1/+10)
* almost entirely get rid of the culture of ".h files that include .h files" (deraadt, 2006-08-03, 1 file, -4/+10)
  ok djm, sort of ok stevesk
  makes the pain stop in one easy step
* move #include <string.h> out of includes.h (stevesk, 2006-07-22, 1 file, -1/+2)
* Use '\0' rather than 0 to terminate strings; ok djm@ (dtucker, 2006-07-17, 1 file, -6/+6)
* move #include <netdb.h> out of includes.h; ok djm@ (stevesk, 2006-07-12, 1 file, -1/+2)
* move #include <pwd.h> out of includes.h; ok markus@ (stevesk, 2006-07-06, 1 file, -1/+5)
* Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that (djm, 2006-03-25, 1 file, -0/+1)
  Theo nuked - our scripts to sync -portable need them in the files
* RCSID() can die (deraadt, 2006-03-19, 1 file, -1/+0)
* two changes to the new ssh tunnel support. this breaks compatibility (reyk, 2005-12-08, 1 file, -2/+2)
  with the initial commit but is required for a portable approach.
  - make the tunnel id u_int and platform friendly, use predefined types.
  - support configuration of layer 2 (ethernet) or layer 3 (point-to-point, default) modes. configuration is done using the Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option in sshd_config(5).
  ok djm@, man page bits by jmc@
* Add support for tun(4) forwarding over OpenSSH, based on an idea and (reyk, 2005-12-06, 1 file, -1/+40)
  initial channel code bits by markus@. This is a simple and easy way to use OpenSSH for ad hoc virtual private network connections, e.g. administrative tunnels or secure wireless access. It's based on a new ssh channel and works similar to the existing TCP forwarding support, except that it depends on the tun(4) network interface on both ends of the connection for layer 2 or layer 3 tunneling. This diff also adds support for LocalCommand in the ssh(1) client.
  ok djm@, markus@, jmc@ (manpages), tested and discussed with others
* spacing (deraadt, 2005-03-10, 1 file, -2/+2)
* spacing (deraadt, 2005-03-10, 1 file, -3/+3)
* bz#413: allow optional specification of bind address for port forwardings. (djm, 2005-03-01, 1 file, -12/+16)
  Patch originally by Dan Astorian, but worked on by several people. Adds GatewayPorts=clientspecified option on server to allow remote forwards to bind to client-specified ports.
  ok markus@
* deprecate VerifyReverseMapping since it's dangerous if combined (markus, 2003-06-02, 1 file, -2/+2)
  with IP based access control as noted by Mike Harding; replace with a UseDNS option. UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
  ok deraadt@, djm@
* rename log() into logit() to avoid name conflict. markus ok, from netbsd (itojun, 2003-04-08, 1 file, -3/+3)
* add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt (markus, 2002-07-30, 1 file, -2/+3)
* unneeded includes (stevesk, 2002-07-21, 1 file, -3/+1)
* move the packet_send_debug handling from auth-options.c to auth.c; ok provos@ (markus, 2002-05-13, 1 file, -57/+19)
* clean up prototypes (markus, 2002-03-19, 1 file, -2/+2)
* integrate privilege separated openssh; it's turned off by default for now. (provos, 2002-03-18, 1 file, -15/+65)
  work done by me and markus@
* s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@ (markus, 2002-01-29, 1 file, -2/+2)
* validate ports for permitopen key file option. add host/port (stevesk, 2001-08-30, 1 file, -17/+15)
  alternative syntax for IPv6. ok markus@
* move ip+hostname check to match.c (markus, 2001-06-24, 1 file, -14/+5)
* undo the .c file split, just merge the header and keep the cvs history (markus, 2001-05-31, 1 file, -2/+2)
* channel layer cleanup: merge header files and split .c files (markus, 2001-05-30, 1 file, -2/+2)
* ignore permitopen="host:port" if AllowTcpForwarding==no (markus, 2001-03-18, 1 file, -2/+3)
* implement "permitopen" key option, restricts -L style forwarding to (markus, 2001-03-16, 1 file, -4/+58)
  specified host:port pairs. based on work by harlan@genua.de
* missing xfree, deny key on parse error; ok stevesk@ (markus, 2001-03-13, 1 file, -4/+8)
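Several entries above describe how auth-options.c treats the option prefix of an authorized_keys line: case-insensitive option names (2000-11-15), deny the key on any parse error (2001-03-13), permitopen="host:port" with the alternative [host]:port syntax for IPv6 and port validation (2001-03-16, 2001-08-30), permitopen being moot when AllowTcpForwarding=no (2001-03-18), and CIDR entries in from="..." (2008-06-10). The following Python block is an added illustration of that logic written for this page; it is not OpenSSH's code and is an approximation of sshd's matching rather than a port of it. The option string SAMPLE is constructed, and the set of option names, the "last from= wins" rule and the treatment of a malformed CIDR entry as a deny are assumptions made for the example.

```python
# Added example (not OpenSSH's code): a sketch of the authorized_keys option
# handling described in the log entries above, with simplified semantics.
import fnmatch
import ipaddress

# Option vocabulary assumed for the example (a subset of what sshd(8) documents).
BOOL_OPTS = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding",
             "no-pty", "no-user-rc", "cert-authority"}
QUOTED_OPTS = {"from", "permitopen", "command", "environment"}


def split_options(text):
    """Split 'a,b="x,y",c' into ['a', 'b="x,y"', 'c']; commas inside quotes are data."""
    items, cur, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and quoted and i + 1 < len(text):  # backslash escape inside quotes
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            items.append("".join(cur))
            cur, i = [], i + 1
            continue
        cur.append(ch)
        i += 1
    if quoted:
        raise ValueError("unterminated quote")
    items.append("".join(cur))
    return [s.strip() for s in items if s.strip()]


def parse_host_port(spec):
    """permitopen target: 'host:port' or '[host]:port' (IPv6 form); port in 1..65535."""
    if spec.startswith("["):
        host, sep, port = spec[1:].partition("]:")
    else:
        host, sep, port = spec.rpartition(":")
    if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad permitopen target {spec!r}")
    return host, int(port)


def parse_options(text):
    """Parse one option prefix into a dict. Names are case-insensitive, permitopen
    accumulates, and any syntax error raises (the caller turns that into a deny)."""
    opts = {"permitopen": []}
    for item in split_options(text):
        name, sep, value = item.partition("=")
        name = name.lower()
        if not sep:
            if name not in BOOL_OPTS:
                raise ValueError(f"unknown option {name!r}")
            opts[name] = True
        elif name in QUOTED_OPTS and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
            if name == "permitopen":
                opts["permitopen"].append(parse_host_port(value))
            else:
                opts[name] = value  # assumption: a repeated from=/command= replaces
        else:
            raise ValueError(f"bad option syntax {item!r}")
    return opts


def options_or_deny(text):
    """Parse-error policy from the 2001-03-13 entry: a bad option prefix denies the key."""
    try:
        return parse_options(text)
    except ValueError:
        return None


def from_allows(pattern_list, client_ip, client_host=None):
    """Evaluate a from= list. Entries containing '/' are CIDR blocks matched against
    the client IP; others are globs matched against the IP string and the lower-cased
    resolved hostname. A matching '!' entry denies; else some positive entry must match."""
    addr = ipaddress.ip_address(client_ip)
    names = [client_ip.lower()] + ([client_host.lower()] if client_host else [])
    positive = False
    for pat in pattern_list.split(","):
        pat = pat.strip()
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        if "/" in pat:
            try:
                hit = addr in ipaddress.ip_network(pat, strict=False)
            except ValueError:
                return False  # assumption: a malformed CIDR entry denies the key
        else:
            hit = any(fnmatch.fnmatchcase(n, pat.lower()) for n in names)
        if hit and negate:
            return False
        positive = positive or (hit and not negate)
    return positive


def forward_permitted(opts, host, port, allow_tcp_forwarding=True):
    """-L style forwarding decision: AllowTcpForwarding=no overrides any permitopen
    (2001-03-18), then no-port-forwarding, then the permitopen list (none = any target)."""
    if not allow_tcp_forwarding or opts.get("no-port-forwarding"):
        return False
    if not opts["permitopen"]:
        return True
    return any(h.lower() == host.lower() and p == port for h, p in opts["permitopen"])


# Constructed sample option prefix (not a real key line) used as the demo input.
SAMPLE = ('from="10.0.0.0/8,!10.0.13.0/24,*.corp.example",'
          'permitopen="localhost:80",permitopen="[::1]:5432",no-user-rc,no-pty')
OPTS = parse_options(SAMPLE)
```

With SAMPLE parsed into OPTS, from_allows(OPTS["from"], "10.0.1.5") is True, "10.0.13.7" is denied by the negated block even though 10.0.0.0/8 matched it, and forward_permitted(OPTS, "localhost", 81) is False because only port 80 was permitted on that host.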
* reset options if no option is given; from han.holl@prismant.nl (markus, 2001-02-09, 1 file, -3/+4)
* make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@ (markus, 2001-02-03, 1 file, -57/+65)
* split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. (markus, 2001-01-21, 1 file, -2/+4)
  rename util.[ch] -> misc.[ch]
* pass the filename to auth_parse_options() (markus, 2001-01-20, 1 file, -12/+14)
* move ssh1 definitions to ssh1.h, pathnames to pathnames.h (markus, 2001-01-19, 1 file, -9/+10)
* fix comment (markus, 2001-01-13, 1 file, -5/+1)
* replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned' (markus, 2000-12-19, 1 file, -2/+2)
  with u_char.
* case insensitive key options; from stevesk@sweden.hp.com (markus, 2000-11-15, 1 file, -8/+8)
* clear options on every call. (markus, 2000-10-09, 1 file, -20/+28)
* some more Copyright fixes (markus, 2000-09-07, 1 file, -24/+1)
* cleanup copyright notices on all files. I have attempted to be accurate with (deraadt, 2000-09-07, 1 file, -1/+39)
  the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
* OpenBSD tag (markus, 2000-06-20, 1 file, -1/+1)
* split auth-rsa option parsing into auth-options (markus, 2000-06-18, 1 file, -0/+208)
  add options support to authorized_keys2