summaryrefslogtreecommitdiffstats
path: root/usr.bin/ssh/auth.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* bye, bye xfree(); ok markus@djm2013-05-171-8/+8
|
* Fix comment, from jfree.e1 at gmaildtucker2013-02-061-2/+2
|
* add support for Key Revocation Lists (KRLs). These are a compact way todjm2013-01-171-2/+13
| | | | | | | | represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option. feedback and ok markus@
* use correct string in error message; from rustybsd at gmx.frdtucker2012-12-141-3/+2
|
* Fixes logging of partial authentication when privsep is enableddjm2012-12-021-4/+8
| | | | | | | | | | | | | Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explcit "Partial" state. Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive. Fix multiple authentication when one of the methods is keyboard-interactive. ok markus@
* new sshd_config option AuthorizedKeysCommand to support fetchingdjm2012-10-301-15/+38
| | | | | | | | | authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another specified via a new AuthorizedKeysCommandUser option. patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
* Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust testsdtucker2012-05-131-3/+4
| | | | to match. Feedback and ok djm@ markus@.
* Support "none" as an argument for AuthorizedPrincipalsFile to indicatedjm2012-04-111-2/+3
| | | | no file should be read.
* make secure_filename() spam debug logs lessdjm2011-05-231-6/+3
|
* allow AuthorizedKeysFile to specify multiple files, separated by spaces.djm2011-05-231-8/+2
| | | | | | | | | Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entierly :) feedback and ok markus@ dtucker@
* remove support for authorized_keys2; it is a relic from the early daysdjm2011-05-111-7/+1
| | | | | of protocol v.2 support and has been undocumented for many years; ok markus@
* automatically order the hostkeys requested by the client based ondjm2010-11-291-12/+18
| | | | | | which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
* use strict_modes already passed as function argument over referencingdjm2010-11-231-2/+2
| | | | global options.strict_modes
* enable certificates for hostbased authentication, from Iain Morgan;djm2010-08-041-2/+2
| | | | "looks ok" markus@
* queue auth debug messages for bad ownership or permissions on the user'sdjm2010-06-221-1/+4
| | | | | | keyfiles. These messages will be sent after the user has successfully authenticated (where our client will display them with LogLevel=debug). bz#1554; ok dtucker@
* add some optional indirection to matching of principal names listeddjm2010-05-071-11/+30
| | | | | | | | | | | | | | | | | | | | | in certificates. Currently, a certificate must include the a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable. When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option. For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names. If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply. These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates. feedback and ok markus@
* make the warning for a revoked key louder and more noticabledjm2010-03-051-2/+3
|
* Add a TrustedUserCAKeys option to sshd_config to specify CA keys thatdjm2010-03-041-1/+30
| | | | | | | | | | | are trusted to authenticate users (in addition than doing it per-user in authorized_keys). Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to me revoked and banned for user or host authentication. feedback and ok markus@
* unbreak ChrootDirectory+internal-sftp by skipping check for executable shelldjm2010-02-091-36/+21
| | | | when chrooting; reported by danh AT wzrd.com; ok dtucker@
* when using ChrootDirectory, make sure we test for the existence of thedjm2010-01-131-3/+23
| | | | | user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; ok dtucker
* Fix a couple of typos/mispellings in commentsdtucker2010-01-131-2/+2
|
* Output a debug if we can't open an existing keyfile. bz#1694, ok djm@dtucker2010-01-101-2/+6
|
* need unistd.h for close() prototypedjm2008-11-041-1/+2
|
* Merge duplicate host key file checks, based in part on a patch from Robdtucker2008-07-021-2/+43
| | | | | Holland via bz #1348 . Also checks for non-regular files during protocol 1 RSA auth. ok djm@
* unifdef -DBSD_AUTHdjm2007-09-211-5/+1
| | | | | | | unifdef -USKEY These options have been in use for some years; ok markus@ "no objection" millert@
* missed include bits from last commitdjm2007-08-231-1/+2
|
* unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@djm2007-08-231-5/+1
|
* almost entirely get rid of the culture of ".h files that include .h files"deraadt2006-08-031-6/+7
| | | | | ok djm, sort of ok stevesk makes the pain stop in one easy step
* move #include <stdio.h> out of includes.hstevesk2006-08-011-1/+2
|
* move #include <sys/param.h> out of includes.hstevesk2006-07-261-1/+2
|
* move #include <string.h> out of includes.hstevesk2006-07-221-1/+2
|
* Add support for conditional directives to sshd_config via a "Match" keyword,dtucker2006-07-121-1/+4
| | | | | | | | | | | | | | | | | which works similarly to the "Host" directive in ssh_config. Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg AllowTcpForwarding yes Match User anoncvs AllowTcpForwarding no will allow port forwarding by all users except "anoncvs". Currently only a very small subset of directives are supported. ok djm@
* move #include <errno.h> out of includes.h; ok markus@stevesk2006-07-111-1/+2
|
* move #include <stdarg.h> out of includes.h; ok markus@stevesk2006-07-101-1/+2
|
* move #include <pwd.h> out of includes.h; ok markus@stevesk2006-07-061-1/+2
|
* Prevent duplicate log messages when privsep=yes; ok djm@dtucker2006-03-301-1/+6
|
* Put $OpenBSD$ tags back (as comments) to replace the RCSID()s thatdjm2006-03-251-0/+1
| | | | Theo nuked - our scripts to sync -portable need them in the files
* introduce xcalloc() and xasprintf() failure-checked allocations functionsdjm2006-03-251-7/+5
| | | | | | | | | | and use them throughout openssh xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die feedback and ok deraadt@
* in a switch (), break after return or goto is stupidderaadt2006-03-201-1/+0
|
* RCSID() can diederaadt2006-03-191-1/+0
|
* move #include <sys/stat.h> out of includes.h; ok markus@stevesk2006-02-201-1/+4
|
* move #include <paths.h> out of includes.h; ok markus@stevesk2006-02-081-1/+2
|
* make this -Wsign-compare clean; ok avsm@ markus@djm2005-06-171-2/+2
|
* introduce a generic %foo expansion function. replace existing % expansion anddjm2005-06-061-41/+18
| | | | add expansion to ControlPath; ok markus@
* Populate host for log message for logins denied by AllowUsers and DenyUsers.dtucker2005-03-141-2/+3
| | | | (bz #999); ok markus@
* Log source of connections denied by AllowUsers, DenyUsers, AllowGroups anddtucker2005-01-221-11/+14
| | | | DenyGroups. bz #909, ok djm@
* more s/illegal/invalid/markus2004-07-281-2/+2
|
* s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...markus2004-07-211-2/+2
|
* Add MaxAuthTries sshd config option; ok markus@dtucker2004-05-231-2/+2
|
* improve some code lint did not like; djm millert okderaadt2004-05-111-3/+3
|
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.