path: root/usr.bin/ssh/auth.c

Commit log. Each entry: commit message, followed by (Author, Age, Files, Lines).
* highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
  (Author: djm, Age: 2021-04-03, Files: 1, Lines: -2/+2)
* move subprocess() from auth.c to misc.c
  make privilege dropping optional but allow it via callbacks (to avoid need to link uidswap.c everywhere) add some other flags (keep environment, disable strict path safety check) that make this more useful for client-side use. feedback & ok markus@
  (Author: djm, Age: 2020-12-22, Files: 1, Lines: -153/+1)
* load_hostkeys()/hostkeys_foreach() variants for FILE*
  Add load_hostkeys_file() and hostkeys_foreach_file() that accept a FILE* argument instead of opening the file directly. Original load_hostkeys() and hostkeys_foreach() are implemented using these new interfaces. Add a u_int note field to the hostkey_entry and hostkey_foreach_line structs that is passed directly from the load_hostkeys() and hostkeys_foreach() call. This is a lightweight way to annotate results between different invocations of load_hostkeys(). ok markus@
  (Author: djm, Age: 2020-12-20, Files: 1, Lines: -3/+3)
* use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
  (Author: djm, Age: 2020-10-18, Files: 1, Lines: -20/+18)
* LogVerbose keyword for ssh and sshd
  Allows forcing maximum debug logging by file/function/line pattern-lists. ok markus@
  (Author: djm, Age: 2020-10-16, Files: 1, Lines: -1/+5)
* support for requiring user verified FIDO keys in sshd
  This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it. feedback and ok markus@
  (Author: djm, Age: 2020-08-27, Files: 1, Lines: -4/+5)
* Add a sshd_config "Include" directive to allow inclusion of files.
  This has sensible semantics wrt Match blocks and accepts glob(3) patterns to specify the included files. Based on patch by Jakub Jelen in bz2468; feedback and ok markus@
  (Author: djm, Age: 2020-01-31, Files: 1, Lines: -2/+3)
* Replace all calls to signal(2) with a wrapper around sigaction(2).
  This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
  (Author: dtucker, Age: 2020-01-23, Files: 1, Lines: -2/+2)
* strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures. ok markus@
  (Author: tobhe, Age: 2019-12-16, Files: 1, Lines: -7/+7)
* add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them. feedback deraadt, ok markus
  (Author: djm, Age: 2019-11-25, Files: 1, Lines: -3/+4)
* potential NULL dereference for revoked hostkeys; reported by krishnaiah bommu
  (Author: djm, Age: 2019-10-16, Files: 1, Lines: -2/+2)
* remove some duplicate #includes
  (Author: djm, Age: 2019-10-02, Files: 1, Lines: -2/+1)
* lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
  (Author: djm, Age: 2019-09-06, Files: 1, Lines: -1/+2)
* When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
  (Author: deraadt, Age: 2019-06-28, Files: 1, Lines: -8/+8)
* convert auth.c to new packet API
  with & ok markus@
  (Author: djm, Age: 2019-01-19, Files: 1, Lines: -16/+10)
* convert servconf.c to new packet API
  with & ok markus@
  (Author: djm, Age: 2019-01-19, Files: 1, Lines: -2/+3)
* begin landing remaining refactoring of packet parsing API, started almost exactly six years ago. This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps. with & ok markus@
  (Author: djm, Age: 2019-01-19, Files: 1, Lines: -1/+4)
* include time.h for time(3)/nanosleep(2); from Ian McKellar
  (Author: djm, Age: 2019-01-17, Files: 1, Lines: -1/+2)
* use path_absolute() for pathname checks; from Manoj Ampalam
  (Author: djm, Age: 2018-11-16, Files: 1, Lines: -3/+3)
* log certificate fingerprint in authentication success/failure message (previously we logged only key ID and CA key fingerprint). ok markus@
  (Author: djm, Age: 2018-09-12, Files: 1, Lines: -9/+13)
* s/wuth/with/ in comment
  (Author: martijn, Age: 2018-07-11, Files: 1, Lines: -2/+2)
* sshd: switch authentication to sshbuf API; ok djm@
  (Author: markus, Age: 2018-07-09, Files: 1, Lines: -18/+21)
* permitlisten option for authorized_keys; ok markus@
  (Author: djm, Age: 2018-06-06, Files: 1, Lines: -3/+12)
* make UID available as a %-expansion everywhere that the username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
  (Author: djm, Age: 2018-06-01, Files: 1, Lines: -3/+5)
* Do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog. regression in openssh-7.7 reported by Daniel Wagner
  (Author: djm, Age: 2018-05-25, Files: 1, Lines: -1/+2)
* add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
  (Author: djm, Age: 2018-03-12, Files: 1, Lines: -5/+23)
* switch over to the new authorized_keys options API and remove the legacy one. Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines. feedback and ok markus@
  (Author: djm, Age: 2018-03-03, Files: 1, Lines: -5/+175)
* move subprocess() so scp/sftp do not need uidswap.o; ok djm@
  (Author: markus, Age: 2018-01-08, Files: 1, Lines: -1/+154)
* refactor channels.c
  Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh. Explicitly pass "struct ssh" to all channels functions. Replace use of the legacy packet APIs in channels.c. Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later. ok markus@
  (Author: djm, Age: 2017-09-12, Files: 1, Lines: -1/+2)
* Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition. feedback & ok dtucker@
  (Author: djm, Age: 2017-08-18, Files: 1, Lines: -95/+2)
* refactor authentication logging
  optionally record successful auth methods and public credentials used in a file accessible to user sessions feedback and ok markus@
  (Author: djm, Age: 2017-06-24, Files: 1, Lines: -18/+44)
* switch from Key typedef with struct sshkey; ok djm@
  (Author: markus, Age: 2017-05-30, Files: 1, Lines: -3/+3)
* allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717
  (Author: djm, Age: 2017-05-17, Files: 1, Lines: -1/+2)
* Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@
  (Author: dtucker, Age: 2016-12-15, Files: 1, Lines: -2/+3)
* unbreak DenyUsers; reported by henning@
  (Author: djm, Age: 2016-11-08, Files: 1, Lines: -2/+2)
* Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match. Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
  (Author: djm, Age: 2016-11-06, Files: 1, Lines: -6/+16)
* remove ssh1 server code; ok djm@
  (Author: markus, Age: 2016-08-13, Files: 1, Lines: -6/+4)
* Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching. We haven't supported IP-based auth methods for a very long time so it's now misleading. part of bz#2585, ok markus@
  (Author: dtucker, Age: 2016-06-15, Files: 1, Lines: -4/+3)
* refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c feedback and ok markus@
  (Author: djm, Age: 2016-03-07, Files: 1, Lines: -10/+131)
* fix inverted logic that broke PermitRootLogin; reported by Mantas Mikulenas; ok markus@
  (Author: djm, Age: 2015-08-21, Files: 1, Lines: -2/+2)
* add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
  (Author: deraadt, Age: 2015-08-06, Files: 1, Lines: -2/+4)
* make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
  (Author: djm, Age: 2015-05-01, Files: 1, Lines: -3/+2)
* don't leak validity of user in "too many authentication failures" disconnect message; reported by Sebastian Reitenbach
  (Author: djm, Age: 2015-02-25, Files: 1, Lines: -2/+3)
* Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
  (Author: deraadt, Age: 2015-01-20, Files: 1, Lines: -4/+4)
* Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64. Feedback and ok naddy@ markus@
  (Author: djm, Age: 2014-12-21, Files: 1, Lines: -2/+3)
* add RevokedHostKeys option for the client
  Allow textfile or KRL-based revocation of hostkeys.
  (Author: djm, Age: 2014-12-04, Files: 1, Lines: -33/+29)
* Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
  (Author: millert, Age: 2014-07-15, Files: 1, Lines: -2/+2)
* make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199, ok dtucker
  (Author: djm, Age: 2014-07-03, Files: 1, Lines: -1/+14)
* make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
  (Author: markus, Age: 2014-04-29, Files: 1, Lines: -1/+5)
* Standardise logging of supplemental information during userauth. Keys and ruser are now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificate contents and CA are logged too. Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
  (Author: djm, Age: 2013-05-19, Files: 1, Lines: -4/+26)