path: root/usr.bin/ssh/auth-options.c
Commit log. Each entry gives the commit message followed by [author, date, files changed, lines removed/added].

* highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
  [djm, 2021-04-03, 1 file, -2/+2]

* use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
  [djm, 2020-10-18, 1 file, -8/+7]

* support for requiring user verified FIDO keys in sshd
  This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it. feedback and ok markus@
  [djm, 2020-08-27, 1 file, -5/+15]

* fix null-deref on calloc failure; ok djm
  [markus, 2020-03-06, 1 file, -4/+6]

* change explicit_bzero();free() to freezero()
  While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary. ok deraadt@ djm@
  [jsg, 2020-02-26, 1 file, -3/+2]

* add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them. feedback deraadt, ok markus
  [djm, 2019-11-25, 1 file, -12/+26]

* Plug mem leaks on error paths, based in part on github pr#120 from David Carlier. ok djm@.
  [dtucker, 2019-09-13, 1 file, -1/+2]

* lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
  [djm, 2019-09-06, 1 file, -1/+2]

* move authorized_keys option parsing helpers to misc.c and make them public; ok markus@
  [djm, 2019-09-03, 1 file, -70/+1]

* cap the number of permitopen/permitlisten directives we're willing to parse on a single authorized_keys line; ok deraadt@
  [djm, 2019-07-09, 1 file, -2/+2]

* Some asprintf() calls were checked < 0, rather than the precise == -1. ok millert nicm tb, etc
  [deraadt, 2019-06-27, 1 file, -2/+2]

* Allow ssh_config IdentityAgent directive to accept environment variable names as well as explicit paths. ok dtucker@
  [djm, 2018-10-03, 1 file, -7/+10]

* allow bare port numbers to appear in PermitListen directives, e.g.
      PermitListen 2222 8080
  is equivalent to:
      PermitListen *:2222 *:8080
  Some bonus manpage improvements, mostly from markus@
  "looks fine" markus@
  [djm, 2018-06-19, 1 file, -5/+17]

* some permitlisten fixes from markus@ that I missed in my insomnia-fueled commits last night
  [djm, 2018-06-07, 1 file, -4/+4]

* fix regression caused by recent permitlisten option commit: authorized_keys lines that contained permitopen/permitlisten were being treated as invalid.
  [djm, 2018-06-07, 1 file, -5/+5]

* permitlisten option for authorized_keys; ok markus@
  [djm, 2018-06-06, 1 file, -46/+94]

* relax checking of authorized_keys environment="..." options to allow underscores in variable names (regression introduced in 7.7). bz2851, ok deraadt@
  [djm, 2018-04-06, 1 file, -2/+2]

* rename recently-added "valid-before" key restriction to "expiry-time" as the former is confusing wrt similar terminology in X.509; pointed out by jsing@
  [djm, 2018-03-14, 1 file, -2/+2]

* add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
  [djm, 2018-03-12, 1 file, -3/+29]

* switch over to the new authorized_keys options API and remove the legacy one. Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines. feedback and ok markus@
  [djm, 2018-03-03, 1 file, -647/+3]

* Introduce a new API for handling authorized_keys options. This API parses options to a dedicated structure rather than the old API's approach of setting global state. It also includes support for merging options, e.g. from authorized_keys, authorized_principals and/or certificates. feedback and ok markus@
  [djm, 2018-03-03, 1 file, -1/+828]

* refactor channels.c
  Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh. Explicitly pass "struct ssh" to all channels functions. Replace use of the legacy packet APIs in channels.c.
  Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later. ok markus@
  [djm, 2017-09-12, 1 file, -3/+8]

* make sure we don't pass a NULL string to vfprintf (triggered by the principals-command regress test); ok bluhm
  [markus, 2017-05-31, 1 file, -2/+3]

* When a forced-command appears in both a certificate and an authorized keys/principals command= restriction, refuse to accept the certificate unless they are identical. The previous (documented) behaviour of having the certificate forced-command override the other could be a bit confused and more error-prone. Pointed out by Jann Horn of Project Zero; ok dtucker@
  [djm, 2016-11-30, 1 file, -6/+21]

* refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c. feedback and ok markus@
  [djm, 2016-03-07, 1 file, -5/+8]

* Remove NULL-checks before free(). ok dtucker@
  [mmcc, 2015-12-10, 1 file, -17/+9]

* Add a new authorized_keys option "restrict" that includes all current and future key restrictions (no-*-forwarding, etc). Also add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty". This simplifies the task of setting up restricted keys and ensures they are maximally-restricted, regardless of any permissions we might implement in the future.
  Example:
      restrict,pty,command="nethack" ssh-ed25519 AAAAC3NzaC1lZDI1...
  Idea from Jann Horn; ok markus@
  [djm, 2015-11-16, 1 file, -30/+57]

* delete support for legacy v00 certificates; "sure" markus@ dtucker@
  [djm, 2015-07-03, 1 file, -30/+16]

* Don't make parsing of authorized_keys' environment= option conditional on PermitUserEnv - always parse it, but only use the result if the option is enabled. This prevents the syntax of authorized_keys changing depending on which sshd_config options were enabled. bz#2329; based on patch from coladict AT gmail.com, ok dtucker@
  [djm, 2015-05-01, 1 file, -9/+14]

* unknown certificate extensions are non-fatal, so don't fatal when they are encountered; bz#2387 reported by Bob Van Zant; ok dtucker@
  [djm, 2015-04-22, 1 file, -2/+2]

* switch auth-options to new sshbuf/sshkey; ok djm@
  [markus, 2015-01-14, 1 file, -44/+38]

* Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
  [millert, 2014-07-15, 1 file, -2/+3]

* New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers. with and ok markus@ Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
  [djm, 2014-06-24, 1 file, -7/+7]

* simplify freeing of source-address certificate restriction
  [djm, 2013-12-19, 1 file, -7/+7]

* use calloc for all structure allocations; from markus@
  [djm, 2013-11-08, 1 file, -2/+2]

* no need to include monitor_wrap.h and ssh-gss.h
  [markus, 2013-11-02, 1 file, -5/+1]

* fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
  [djm, 2013-07-12, 1 file, -3/+5]

* bye, bye xfree(); ok markus@
  [djm, 2013-05-17, 1 file, -30/+30]

* make AllowTcpForwarding accept "local" and "remote" in addition to its current "yes"/"no" to allow the server to specify whether just local or remote TCP forwarding is enabled. ok markus@
  [djm, 2012-12-02, 1 file, -2/+2]

* remove explicit search for \0 in packet strings, this job is now done implicitly by buffer_get_cstring; ok markus
  [djm, 2011-10-18, 1 file, -15/+1]

* Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857, ok djm markus.
  [dtucker, 2011-09-23, 1 file, -2/+2]

* don't send the actual forced command in a debug message; ok markus deraadt
  [djm, 2010-12-24, 1 file, -2/+2]

* Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters*. This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function. Use the new API in a few sensitive places.
  * actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
  [djm, 2010-08-31, 1 file, -4/+4]

* Move the permit-* options to the non-critical "extensions" field for v01 certificates. The logic is that if another implementation fails to implement them then the connection just loses features rather than fails outright. ok markus@
  [djm, 2010-05-20, 1 file, -102/+180]

* add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
  When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option. For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names.
  If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply. These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates. feedback and ok markus@
  [djm, 2010-05-07, 1 file, -1/+42]

* revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the following changes:
  - move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash
  - Rename "constraints" field to "critical options"
  - Add a new non-critical "extensions" field
  - Add a serial number
  The older format is still supported for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate). ok markus@
  [djm, 2010-04-16, 1 file, -10/+11]

* spelling in error message. ok djm kettenis
  [stevesk, 2010-03-16, 1 file, -3/+3]

* Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
  [dtucker, 2010-03-07, 1 file, -8/+1]

* "force-command" is not spelled "forced-command"; spotted by imorgan AT nas.nasa.gov
  [djm, 2010-03-04, 1 file, -2/+2]

* reject strings with embedded ASCII nul chars in certificate key IDs, principal names and constraints
  [djm, 2010-03-03, 1 file, -8/+20]