path: root/usr.bin/ssh/auth.c

Commit log. Each entry gives the commit message, followed by the author, the commit date, the number of files changed and the lines removed/added.

* Add a sshd_config "Include" directive to allow inclusion of files.
  djm, 2020-01-31 (1 file, -2/+3)
  This has sensible semantics wrt Match blocks and accepts glob(3) patterns to specify the included files. Based on patch by Jakub Jelen in bz2468; feedback and ok markus@

* Replace all calls to signal(2) with a wrapper around sigaction(2).
  dtucker, 2020-01-23 (1 file, -2/+2)
  This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.

* strdup may return NULL if memory allocation fails. Use the safer xstrdup
  tobhe, 2019-12-16 (1 file, -7/+7)
  which fatals on allocation failures. ok markus@

* add a "no-touch-required" option for authorized_keys and a similar
  djm, 2019-11-25 (1 file, -3/+4)
  extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them. feedback deraadt, ok markus

* potential NULL dereference for revoked hostkeys; reported by
  djm, 2019-10-16 (1 file, -2/+2)
  krishnaiah bommu

* remove some duplicate #includes
  djm, 2019-10-02 (1 file, -2/+1)

* lots of things were relying on libcrypto headers to transitively
  djm, 2019-09-06 (1 file, -1/+2)
  include various system headers (mostly stdlib.h); include them explicitly

* When system calls indicate an error they return -1, not some arbitrary
  deraadt, 2019-06-28 (1 file, -8/+8)
  value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.

* convert auth.c to new packet API
  djm, 2019-01-19 (1 file, -16/+10)
  with & ok markus@

* convert servconf.c to new packet API
  djm, 2019-01-19 (1 file, -2/+3)
  with & ok markus@

* begin landing remaining refactoring of packet parsing API, started
  djm, 2019-01-19 (1 file, -1/+4)
  almost exactly six years ago. This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps. with & ok markus@

* include time.h for time(3)/nanosleep(2); from Ian McKellar
  djm, 2019-01-17 (1 file, -1/+2)

* use path_absolute() for pathname checks; from Manoj Ampalam
  djm, 2018-11-16 (1 file, -3/+3)

* log certificate fingerprint in authentication success/failure message
  djm, 2018-09-12 (1 file, -9/+13)
  (previously we logged only key ID and CA key fingerprint). ok markus@

* s/wuth/with/ in comment
  martijn, 2018-07-11 (1 file, -2/+2)

* sshd: switch authentication to sshbuf API; ok djm@
  markus, 2018-07-09 (1 file, -18/+21)

* permitlisten option for authorized_keys; ok markus@
  djm, 2018-06-06 (1 file, -3/+12)

* make UID available as a %-expansion everywhere that the username is
  djm, 2018-06-01 (1 file, -3/+5)
  available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@

* Do not ban PTY allocation when a sshd session is restricted because
  djm, 2018-05-25 (1 file, -1/+2)
  the user password is expired as it breaks password change dialog. regression in openssh-7.7 reported by Daniel Wagner

* add valid-before="[time]" authorized_keys option. A simple way of
  djm, 2018-03-12 (1 file, -5/+23)
  giving a key an expiry date. ok markus@

* switch over to the new authorized_keys options API and remove the
  djm, 2018-03-03 (1 file, -5/+175)
  legacy one. Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines. feedback and ok markus@

* move subprocess() so scp/sftp do not need uidswap.o; ok djm@
  markus, 2018-01-08 (1 file, -1/+154)

* refactor channels.c
  djm, 2017-09-12 (1 file, -1/+2)
  Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh. Explicitly pass "struct ssh" to all channels functions. Replace use of the legacy packet APIs in channels.c. Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later. ok markus@

* Move several subprocess-related functions from various locations to
  djm, 2017-08-18 (1 file, -95/+2)
  misc.c. Extend subprocess() to offer a little more control over stdio disposition. feedback & ok dtucker@

* refactor authentication logging
  djm, 2017-06-24 (1 file, -18/+44)
  optionally record successful auth methods and public credentials used in a file accessible to user sessions feedback and ok markus@

* switch from Key typedef with struct sshkey; ok djm@
  markus, 2017-05-30 (1 file, -3/+3)

* allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
  djm, 2017-05-17 (1 file, -1/+2)

* Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
  dtucker, 2016-12-15 (1 file, -2/+3)
  ok deraadt@

* unbreak DenyUsers; reported by henning@
  djm, 2016-11-08 (1 file, -2/+2)

* Validate address ranges for AllowUser/DenyUsers at configuration load
  djm, 2016-11-06 (1 file, -6/+16)
  time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match. Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)

* remove ssh1 server code; ok djm@
  markus, 2016-08-13 (1 file, -6/+4)

* Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
  dtucker, 2016-06-15 (1 file, -4/+3)
  reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@

* refactor canohost.c: move functions that cache results closer to the
  djm, 2016-03-07 (1 file, -10/+131)
  places that use them (authn and session code). After this, no state is cached in canohost.c feedback and ok markus@

* fix inverted logic that broke PermitRootLogin;
  djm, 2015-08-21 (1 file, -2/+2)
  reported by Mantas Mikulenas; ok markus@

* add prohibit-password as a synonym for without-password, since the
  deraadt, 2015-08-06 (1 file, -2/+4)
  without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus

* make handling of AuthorizedPrincipalsFile=none more consistent
  djm, 2015-05-01 (1 file, -3/+2)
  with other =none options; bz#2288 from Jakub Jelen; ok dtucker@

* don't leak validity of user in "too many authentication failures"
  djm, 2015-02-25 (1 file, -2/+3)
  disconnect message; reported by Sebastian Reitenbach

* Reduce use of <sys/param.h> and transition to <limits.h> throughout.
  deraadt, 2015-01-20 (1 file, -4/+4)
  ok djm markus

* Add FingerprintHash option to control algorithm used for key
  djm, 2014-12-21 (1 file, -2/+3)
  fingerprints. Default changes from MD5 to SHA256 and format from hex to base64. Feedback and ok naddy@ markus@

* add RevokedHostKeys option for the client
  djm, 2014-12-04 (1 file, -33/+29)
  Allow textfile or KRL-based revocation of hostkeys.

* Add support for Unix domain socket forwarding. A remote TCP port
  millert, 2014-07-15 (1 file, -2/+2)
  may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@

* make the "Too many authentication failures" message include the
  djm, 2014-07-03 (1 file, -1/+14)
  user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker

* make compiling against OpenSSL optional (make OPENSSL=no);
  markus, 2014-04-29 (1 file, -1/+5)
  reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm

* Standardise logging of supplemental information during userauth. Keys
  djm, 2013-05-19 (1 file, -4/+26)
  and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too. Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@

* bye, bye xfree(); ok markus@
  djm, 2013-05-17 (1 file, -8/+8)

* Fix comment, from jfree.e1 at gmail
  dtucker, 2013-02-06 (1 file, -2/+2)

* add support for Key Revocation Lists (KRLs). These are a compact way to
  djm, 2013-01-17 (1 file, -2/+13)
  represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option. feedback and ok markus@

* use correct string in error message; from rustybsd at gmx.fr
  dtucker, 2012-12-14 (1 file, -3/+2)

* Fixes logging of partial authentication when privsep is enabled
  djm, 2012-12-02 (1 file, -4/+8)
  Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state. Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive. Fix multiple authentication when one of the methods is keyboard-interactive. ok markus@

* new sshd_config option AuthorizedKeysCommand to support fetching
  djm, 2012-10-30 (1 file, -15/+38)
  authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another specified via a new AuthorizedKeysCommandUser option. patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@