path: root/usr.bin/ssh/readconf.c
Commit log (each entry: commit message, followed by author, date, files changed, lines removed/added)
* allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput. bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@  (djm, 2010-11-13, 1 file, -2/+28)
* add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference. ok markus@  (djm, 2010-09-22, 1 file, -1/+17)
* Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented. Certificate host and user keys using the new ECDSA key types are supported. Note that this code has not been tested for interoperability and may be subject to change. feedback and ok markus@  (djm, 2010-08-31, 1 file, -1/+7)
* add a "ControlPersist" option that automatically starts a background ssh(1) multiplex master when connecting. This connection can stay alive indefinitely, or can be set to automatically close after a user-specified duration of inactivity. bz#1330 - patch by dwmw2 AT infradead.org, but further hacked on by wmertens AT cisco.com, apb AT cequrux.com, martin-mindrot-bugzilla AT earth.li and myself; "looks ok" markus@  (djm, 2010-07-19, 1 file, -2/+34)
* Add X11ForwardTimeout option to specify timeout for untrusted X11 authentication cookies to avoid fallback in X11 code to fully-trusted implicit authentication using SO_PEERCRED described at: http://lists.x.org/archives/xorg-devel/2010-May/008636.html After the X11ForwardTimeout has expired the client will now refuse incoming X11 channel opens. based on patch from Tavis Ormandy; "nice" markus@  (djm, 2010-06-25, 1 file, -3/+11)
* bz#1327: remove hardcoded limit of 100 permitopen clauses and port forwards per direction; ok markus@ stevesk@  (djm, 2010-06-25, 1 file, -6/+19)
* mux support for remote forwarding with dynamic port allocation, use with LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost` feedback and ok djm@  (markus, 2010-05-16, 1 file, -1/+2)
* replace our obsolete smartcard code with PKCS#11. ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11 provider (shared library) while ssh-agent(1) delegates PKCS#11 to a forked ssh-pkcs11-helper process. PKCS#11 is currently a compile time option. feedback and ok djm@; inspired by patches from Alon Bar-Lev  (markus, 2010-02-08, 1 file, -7/+9)
* Remove RoutingDomain from ssh since it's now not needed. It can be replaced with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures that traffic such as DNS lookups stays within the specified routing domain. For example (from reyk):
      # route -T 2 exec /usr/sbin/sshd
  or inherited from the parent process
      $ route -T 2 exec sh
      $ ssh 10.1.2.3
  ok deraadt@ markus@ stevesk@ reyk@  (dtucker, 2010-01-09, 1 file, -19/+3)
* Rename RDomain config option to RoutingDomain to be more clear and consistent with other options. NOTE: if you currently use RDomain in the ssh client or server config, or ssh/sshd -o, you must update to use RoutingDomain. ok markus@ djm@  (stevesk, 2009-12-29, 1 file, -2/+2)
* validate routing domain is in range 0-RT_TABLEID_MAX. 'Looks right' deraadt@  (stevesk, 2009-12-25, 1 file, -2/+2)
* Allow setting the rdomain in ssh/sftp/scp/sshd and ssh-keyscan. ok markus@  (reyk, 2009-10-28, 1 file, -3/+19)
* disable protocol 1 by default (after a transition period of about 10 years) ok deraadt  (markus, 2009-10-08, 1 file, -2/+2)
* Add client option UseRoaming. It doesn't do anything yet but will control whether the client tries to use roaming if enabled on the server. From Martin Forssen. ok markus@  (andreas, 2009-06-27, 1 file, -2/+10)
* support remote port forwarding with a zero listen port (-R0:...) to dynamically allocate a listen port at runtime (this is actually specified in rfc4254); bz#1003 ok markus@  (djm, 2009-02-12, 1 file, -4/+9)
* make a2port() return -1 when it encounters an invalid port number rather than 0, which it will now treat as valid (needed for future work). adjust current consumers of a2port() to check its return value is <= 0, which in turn required some things to be converted from u_short => int. make use of int vs. u_short consistent in some other places too. feedback & ok markus@  (djm, 2009-01-22, 1 file, -3/+3)
* 1) use obsolete instead of alias for consistency
  2) oUserKnownHostsFile not obsolete but oGlobalKnownHostsFile2 is so move the comment.
  3) reorder so like options are together
  ok djm@  (stevesk, 2009-01-15, 1 file, -4/+4)
* don't leave junk (free'd) pointers around in Forward *fwd argument on failure; avoids double-free in ~C -L handler when given an invalid forwarding specification; bz#1539 report from adejong AT debian.org via Colin Watson; ok markus@ dtucker@  (djm, 2008-12-09, 1 file, -3/+7)
* because parse_forward() is now used to parse all forward types (DLR), and it malloc's space for host variables, we don't need to malloc here. fixes small memory leaks. previously dynamic forwards were not parsed in parse_forward() and space was not malloc'd in that case. ok djm@  (stevesk, 2008-11-04, 1 file, -7/+5)
* Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008. This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate knowledge of the password while revealing nothing useful to an attacker or compromised endpoint. This is experimental, work-in-progress code and is presently compile-time disabled (turn on -DJPAKE in Makefile.inc). "just commit it. It isn't too intrusive." deraadt@  (djm, 2008-11-04, 1 file, -2/+16)
* fix comment  (stevesk, 2008-11-03, 1 file, -2/+2)
* remove valueless comment  (stevesk, 2008-11-03, 1 file, -2/+1)
* merge dynamic forward parsing into parse_forward(); 'i think this is OK' djm@  (stevesk, 2008-11-01, 1 file, -37/+45)
* Move SSH Fingerprint Visualization away from sharing the config option CheckHostIP to its own config option named VisualHostKey. While there, fix the behaviour that ssh would draw a random art picture on every newly seen host even when the option was not enabled. prodded by deraadt@, discussions, help and ok markus@ djm@ dtucker@  (grunk, 2008-06-26, 1 file, -18/+11)
* Introduce SSH Fingerprint ASCII Visualization, a technique inspired by the graphical hash visualization schemes known as "random art", and by Dan Kaminsky's musings on the subject during a BlackOp talk at the 23C3 in Berlin. Scientific publication (original paper): "Hash Visualization: a New Technique to improve Real-World Security", Perrig A. and Song D., 1999, International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99) http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf The algorithm used here is a worm crawling over a discrete plane, leaving a trace (augmenting the field) everywhere it goes. Movement is taken from dgst_raw 2bit-wise. Bumping into walls makes the respective movement vector be ignored for this turn, thus switching to the other color of the chessboard. Graphs are not unambiguous for now, because circles in graphs can be walked in either direction. discussions with several people, help, corrections and ok markus@ djm@  (grunk, 2008-06-11, 1 file, -2/+18)
* promote rekeylimit to an int64 so it can hold the maximum useful limit of 2^32; report and patch from Jan.Pechanec AT Sun.COM, ok dtucker@  (djm, 2008-01-19, 1 file, -5/+4)
* Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch from Dmitry V. Levin, ok djm@  (dtucker, 2007-12-31, 1 file, -4/+5)
* make sure that both the local and remote port are correct when parsing -L; Jan Pechanec (bz #1378)  (markus, 2007-10-22, 1 file, -2/+2)
* remove some bogus *p tests from charles longeau ok deraadt millert  (tedu, 2007-03-20, 1 file, -2/+2)
* spaces  (stevesk, 2007-01-21, 1 file, -2/+2)
* Honour activep for times (eg ServerAliveInterval) while parsing ssh_config and ~/.ssh/config so they work properly with Host directives. From mario.lorenz@wincor-nixdorf.com via bz #1275. ok markus@  (dtucker, 2007-01-17, 1 file, -2/+2)
* almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step  (deraadt, 2006-08-03, 1 file, -4/+5)
* move #include <stdio.h> out of includes.h  (stevesk, 2006-08-01, 1 file, -1/+2)
* move #include <string.h> out of includes.h  (stevesk, 2006-07-22, 1 file, -1/+2)
* move #include <unistd.h> out of includes.h  (stevesk, 2006-07-17, 1 file, -1/+2)
* move #include <netdb.h> out of includes.h; ok djm@  (stevesk, 2006-07-12, 1 file, -1/+2)
* move #include <errno.h> out of includes.h; ok markus@  (stevesk, 2006-07-11, 1 file, -1/+2)
* add ExitOnForwardFailure: terminate the connection if ssh(1) cannot set up all requested dynamic, local, and remote port forwardings. ok djm, dtucker, stevesk, jmc  (markus, 2006-07-11, 1 file, -1/+10)
* move #include <netinet/in.h> out of includes.h; ok deraadt@  (stevesk, 2006-07-05, 1 file, -1/+4)
* Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that Theo nuked - our scripts to sync -portable need them in the files  (djm, 2006-03-25, 1 file, -0/+1)
* RCSID() can die  (deraadt, 2006-03-19, 1 file, -1/+0)
* potential NULL pointer dereferences detected by Coverity via elad AT netbsd.org; ok deraadt@  (djm, 2006-03-19, 1 file, -2/+3)
* move #include <ctype.h> out of includes.h; ok djm@  (stevesk, 2006-02-22, 1 file, -1/+3)
* move #include <sys/stat.h> out of includes.h; ok markus@  (stevesk, 2006-02-20, 1 file, -1/+4)
* raise error when the user specifies a RekeyLimit that is smaller than 16 (the smallest of our cipher's blocksize) or big enough to cause integer wraparound; ok & feedback dtucker@  (djm, 2006-02-12, 1 file, -7/+22)
* two changes to the new ssh tunnel support. this breaks compatibility with the initial commit but is required for a portable approach.
  - make the tunnel id u_int and platform friendly, use predefined types.
  - support configuration of layer 2 (ethernet) or layer 3 (point-to-point, default) modes. configuration is done using the Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option in sshd_config(5).
  ok djm@, man page bits by jmc@  (reyk, 2005-12-08, 1 file, -5/+27)
* Add support for tun(4) forwarding over OpenSSH, based on an idea and initial channel code bits by markus@. This is a simple and easy way to use OpenSSH for ad hoc virtual private network connections, e.g. administrative tunnels or secure wireless access. It's based on a new ssh channel and works similar to the existing TCP forwarding support, except that it depends on the tun(4) network interface on both ends of the connection for layer 2 or layer 3 tunneling. This diff also adds support for LocalCommand in the ssh(1) client. ok djm@, markus@, jmc@ (manpages), tested and discussed with others  (reyk, 2005-12-06, 1 file, -3/+49)
* listen_hosts initialisation here too; spotted greg AT y2005.nest.cx  (djm, 2005-07-30, 1 file, -2/+2)
* knf says that a 2nd level indent is four (not three or five) spaces  (djm, 2005-07-17, 1 file, -2/+2)
* add ControlMaster=auto/autoask options to support opportunistic multiplexing; tested avsm@ and jakob@, ok markus@  (djm, 2005-06-08, 1 file, -2/+22)