summaryrefslogtreecommitdiffstats
path: root/usr.bin/ssh/authfd.h (follow)
Commit message (Collapse)AuthorAgeFilesLines
* constify a few things; ok dtucker (as part of another diff)djm2020-06-261-3/+3
|
* Allow forwarding a different agent socket to the path specified bydjm2019-12-211-1/+2
| | | | | | | | $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to accepting an explicit path or the name of an environment variable in addition to yes/no. Patch by Eric Chiang, manpage by me; ok markus@
* add new agent key constraint for U2F/FIDO providerdjm2019-10-311-2/+4
| | | | feedback & ok markus@
* authfd: add function to check if key is in agentdjm2019-09-031-1/+2
| | | | | | | This commit adds a helper function which allows the caller to check if a given public key is present in ssh-agent. work by Sebastian Kinne; ok markus@
* Add protection for private keys at rest in RAM against speculationdjm2019-06-211-2/+2
| | | | | | | | | | | | | | | | | | | | | | | and memory sidechannel attacks like Spectre, Meltdown, Rowhammer and Rambleed. This change encrypts private keys when they are not in use with a symmetic key that is derived from a relatively large "prekey" consisting of random data (currently 16KB). Attackers must recover the entire prekey with high accuracy before they can attempt to decrypt the shielded private key, but the current generation of attacks have bit error rates that, when applied cumulatively to the entire prekey, make this unlikely. Implementation-wise, keys are encrypted "shielded" when loaded and then automatically and transparently unshielded when used for signatures or when being saved/serialised. Hopefully we can remove this in a few years time when computer architecture has become less unsafe. been in snaps for a bit already; thanks deraadt@ ok dtucker@ deraadt@
* remove prototype to long-gone functiondjm2018-07-121-3/+1
|
* Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)markus2018-02-231-2/+3
| | | | | | | The code is not compiled in by default (see WITH_XMSS in Makefile.inc) Joint work with stefan-lukas_gazdag at genua.eu See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 ok djm@
* constify some private key-related functions; based ondjm2018-02-101-2/+2
| | | | https://github.com/openssh/openssh-portable/pull/56 by Vincent Brillault
* Allow ssh-keygen to use a key held in ssh-agent as a CA when signingdjm2017-06-281-2/+2
| | | | certificates. bz#2377 ok markus
* more simplification and removal of SSHv1-related code; ok djm@naddy2017-05-051-3/+2
|
* implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)markus2015-12-041-2/+4
| | | | | based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
* move authfd.c and its tentacles to the new buffer/key API;djm2015-01-141-32/+28
| | | | ok markus@
* Do not fall back to adding keys without contraints (ssh-add -c / -t ...)djm2009-08-271-2/+1
| | | | | | | | when the agent refuses the constrained add request. This was a useful migration measure back in 2002 when constraints were new, but just adds risk now. bz #1612, report and patch from dkg AT fifthhorseman.net; ok markus@
* almost entirely get rid of the culture of ".h files that include .h files"deraadt2006-08-031-3/+1
| | | | | ok djm, sort of ok stevesk makes the pain stop in one easy step
* standardise spacing in $OpenBSD$ tags; requested by deraadt@djm2006-03-251-1/+1
|
* unexpand and delete whitespace at EOL; ok markus@djm2003-11-211-2/+2
|
* make agent constraints (lifetime, confirm) work with smartcard keys; ok markus@djm2003-06-111-2/+4
|
* ssh-add -c, prompt user for confirmation (using ssh-askpass) whenmarkus2003-01-231-2/+4
| | | | private agent key is used; with djm@; test by dugsong@, djm@; ok deraadt@
* don't connect to agent to test for presence if we've previouslystevesk2002-09-111-1/+2
| | | | connected; ok markus@
* KNF done automatically while reading....deraadt2002-06-191-11/+11
|
* remove the CONSTRAIN_IDENTITY messages and introduce a newmarkus2002-06-151-5/+5
| | | | | ADD_ID message with contraints instead. contraints can be only added together with the private key.
* fix stupid typomarkus2002-06-151-5/+5
|
* break agent key lifetime protocol and allow other contraints for key usage.markus2002-06-151-5/+7
|
* ssh-add -t life, Set lifetime (in seconds) when adding identities; ok provos@markus2002-06-051-1/+6
|
* ssh-add -x for lock and -X for unlocking the agent.markus2002-06-051-1/+6
| | | | todo: encrypt private keys with locked...
* Add PIN-protection for secret key.rees2002-03-211-2/+2
|
* $OpenBSD$ and RCSID() cleanup: don't use RCSID() in .h files; addstevesk2002-03-041-2/+2
| | | | | missing RCSID() to .c files and remove dup /*$OpenBSD$*/ from .c files. ok markus@
* signed vs. unsigned: make size arguments u_int, ok stevesk@markus2002-02-241-3/+3
|
* extended failure messages from galb@vandyke.commarkus2001-08-071-1/+4
|
* use strings instead of ints for smartcard reader idsmarkus2001-08-011-3/+3
|
* remove comments from .h, since they are cut&paste from the .c filesmarkus2001-06-261-73/+12
| | | | and out of sync
* prototype pedant. not very creative...itojun2001-06-261-20/+14
| | | | | - () -> (void) - no variable names
* initial support for smartcards in the agentmarkus2001-06-261-2/+8
|
* fix prototypes; from stevesk@pobox.commarkus2000-12-201-3/+3
|
* replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'markus2000-12-191-6/+6
| | | | with u_char.
* add support for RSA to SSH2. please test.markus2000-11-121-1/+6
| | | | | | | | | | | | | | | there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2. you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys. SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before. IdentityFile2, HostDsaKey and DSAAuthentication are obsolete. you can use multiple IdentityFile and HostKey for all types of keys. the option DSAAuthentication is replaced by PubkeyAuthetication.
* interop with ssh-agent2, from <res@shore.net>markus2000-10-091-1/+5
|
* bug compat for old ssh.com softwaremarkus2000-09-211-1/+4
|
* cleanup copyright notices on all files. I have attempted to be accurate withderaadt2000-09-071-8/+6
| | | | | | | the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
* add SSH2/DSA support to the agent and some other DSA related cleanups.markus2000-08-191-27/+26
| | | | (note that we cannot talk to ssh.com's ssh2 agents)
* make ssh-add accept dsa keys (the agent does not)markus2000-07-161-2/+12
|
* OpenBSD tagmarkus2000-06-201-1/+1
|
* whitespace cleanupmarkus2000-04-141-11/+11
|
* KNF, final part 3markus1999-11-241-33/+49
|
* much more KNFderaadt1999-11-241-44/+45
|
* the keysize of rsa-parameter 'n' is passed implizit,markus1999-11-151-4/+4
| | | | a few more checks and warnings about 'pretended' keysizes.
* fix old connect() race security-bug for ssh-agent and agent-forwardingmarkus1999-10-141-10/+3
| | | | | | | | | | by removing the connect() junk, with the following restrictions: 1) change the version to "OpenSSH-1.1": agent-forwarding will work only between OpenSSH-1.1 client and OpenSSH-1.1 server 2) renamed the environment variable of OpenSSH-1.1 to "SSH_AUTH_SOCKET", since useing OpenSSH-1.0 ssh-add against the new ssh-agent does not work
* convert all uses of gmp to SSL bignumprovos1999-09-281-6/+6
| | | | | | convert all used of rsa to SSL rsa functions remove all use of randomstate to OpenBSD arc4random() and arc4_stir() all this done at a long long night in Canada.
* i bet a lot of people didn't know what ssh 1.2.16 had a nice license.deraadt1999-09-261-0/+109
well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.