summaryrefslogtreecommitdiffstats
path: root/usr.bin/ssh/ssh-keyscan.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Replace calls to ssh_malloc_init() by a static init of malloc_options.otto2019-06-061-2/+1
| | | | Prepares for changes in the way malloc is initialized. ok guenther@ dtucker@
* make ssh-keyscan return a non-zero exit status if it finds no keys.djm2019-01-261-2/+6
| | | | bz#2903
* merge kexkem[cs] into kexgendjm2019-01-211-9/+9
| | | | from markus@ ok djm@
* use KEM API for vanilla ECDHdjm2019-01-211-2/+2
| | | | from markus@ ok djm@
* use KEM API for vanilla DH KEXdjm2019-01-211-6/+6
| | | | from markus@ ok djm@
* use KEM API for vanilla c25519 KEXdjm2019-01-211-2/+2
|
* Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.orgdjm2019-01-211-1/+2
| | | | | | | | | using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default. introduce KEM API; a simplified framework for DH-ish KEX methods. from markus@ feedback & ok djm@
* switch config file parsing to getline(3) as this avoids static limitsmarkus2018-06-061-7/+5
| | | | noted by gerhard@; ok dtucker@, djm@
* apply a lick of paint; tweaks/ok dtuckerjmc2018-03-021-2/+2
|
* Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)markus2018-02-231-2/+10
| | | | | | | The code is not compiled in by default (see WITH_XMSS in Makefile.inc) Joint work with stefan-lukas_gazdag at genua.eu See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 ok djm@
* Add ssh-keyscan -D option to make it print its results in SSHFP formatdjm2018-02-231-4/+16
| | | | bz#2821, ok dtucker@
* Add monotime_ts and monotime_tv that return monotonic timespec anddtucker2017-11-251-4/+4
| | | | | | | timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@
* Only call close once in confree(). ssh_packet_close will close the FDdtucker2017-06-301-3/+3
| | | | | so only explicitly close non-SSH channels. bz#2734, from bagajjal at microsoft.com, ok djm@
* remove now obsolete ctx from ssh_dispatch_run; ok djm@markus2017-05-311-2/+2
|
* obliterate ssh1.h and some dead code that used itdjm2017-04-301-2/+1
| | | | ok markus@
* remove KEY_RSA1djm2017-04-301-36/+28
| | | | ok markus@
* remove compat20/compat13/compat15 variablesdjm2017-04-301-2/+1
| | | | ok markus@
* unifdef WITH_SSH1djm2017-04-301-58/+1
| | | | ok markus@
* ensure hostname is lower-case before hashing it; bz#2591 reported bydjm2017-03-101-1/+2
| | | | Griff Miller II; ok dtucker@
* correctly hash hosts with a port number. Reported by Josh Powers indjm2017-03-101-6/+7
| | | | bz#2692; ok dtucker@
* Avoid confusing error message when attempting to use ssh-keyscan builtdjm2017-01-061-2/+6
| | | | without SSH protocol v.1 to scan for v.1 keys; bz#2583
* add support for additional fixed DH groups fromdjm2016-05-021-1/+4
| | | | | | | | | | | draft-ietf-curdle-ssh-kex-sha2-03 diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group) based on patch from Mark D. Baushke and Darren Tucker ok markus@
* Add a function to enable security-related malloc_options. With and okdtucker2016-02-151-1/+2
| | | | deraadt@, something similar has been in the snaps for a while.
* -c before -H, in SYNOPSIS and usage();jmc2015-11-081-2/+2
|
* Add "ssh-keyscan -c ..." flag to allow fetching certificates insteaddjm2015-11-081-10/+37
| | | | of plain keys; ok markus@
* fix keyscan output for multiple hosts/addrs on one line whendjm2015-10-241-6/+21
| | | | host hashing or a non standard port is in use; bz#2479 ok dtucker@
* include port number if a non-default one has been specified;djm2015-04-101-3/+6
| | | | based on patch from Michael Handler
* Do not use int for sig_atomic_t; spotted by christos@netbsd; ok markus@miod2015-04-051-2/+2
|
* set a timeout to prevent hangs when talking to busted servers;djm2015-01-301-1/+2
| | | | ok markus@
* avoid more fatal/exit in the packet.c paths that ssh-keyscandjm2015-01-301-2/+3
| | | | uses; feedback and "looks good" markus@
* avoid fatal() calls in packet codedjm2015-01-281-3/+5
| | | | | makes ssh-keyscan more reliable against server failures ok dtucker@ markus@
* Reduce use of <sys/param.h> and transition to <limits.h> throughout.deraadt2015-01-201-2/+1
| | | | ok djm markus
* switch ssh-keyscan from setjmp to multiple ssh transport layer instancesmarkus2015-01-191-68/+81
| | | | ok djm@
* adapt kex to sshbuf and struct ssh; ok djm@markus2015-01-191-6/+8
|
* explicitly include sys/param.h in files that use the howmany() macro;djm2014-12-111-1/+2
| | | | from portable
* make compiling against OpenSSL optional (make OPENSSL=no);markus2014-04-291-1/+7
| | | | | reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
* disable weak proposals in sshd, but keep them in ssh; ok djm@markus2014-03-271-1/+2
|
* scan for Ed25519 keys by default toodjm2014-03-121-2/+2
|
* support ed25519 keys (hostkeys and user identities) using the public domainmarkus2013-12-061-5/+11
| | | | | ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html feedback, help & ok djm@
* use curve25519 for default key exchange (curve25519-sha256@libssh.org);markus2013-11-021-1/+2
| | | | initial patch from Aris Adamantiadis; ok djm@
* bye, bye xfree(); ok markus@djm2013-05-171-8/+8
|
* now that sshd defaults to offering ECDSA keys, ssh-keyscan should alsodjm2012-04-111-2/+2
| | | | look for them by default; bz#1971
* use timerclear macrookan2011-03-151-2/+2
| | | | ok djm@
* handle ecdsa-sha2 with various key lengths; hint and ok djm@otto2011-01-041-3/+4
|
* Implement Elliptic Curve Cryptography modes for key exchange (ECDH) anddjm2010-08-311-4/+9
| | | | | | | | | | | | | | | | | host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented). Certificate host and user keys using the new ECDSA key types are supported. Note that this code has not been tested for interoperability and may be subject to change. feedback and ok markus@
* replace verbose and overflow-prone Linebuf code with read_keyfile_line()djm2010-06-221-129/+36
| | | | based on patch from joachim AT joachimschipper.nl; bz#1565; ok dtucker@
* Remove RoutingDomain from ssh since it's now not needed. It can be replaceddtucker2010-01-091-15/+4
| | | | | | | | | | | | | with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures that trafic such as DNS lookups stays withing the specified routingdomain. For example (from reyk): # route -T 2 exec /usr/sbin/sshd or inherited from the parent process $ route -T 2 exec sh $ ssh 10.1.2.3 ok deraadt@ markus@ stevesk@ reyk@
* validate routing domain is in range 0-RT_TABLEID_MAX.stevesk2009-12-251-4/+6
| | | | 'Looks right' deraadt@
* Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.reyk2009-10-281-4/+13
| | | | ok markus@
* make a2port() return -1 when it encounters an invalid port numberdjm2009-01-221-2/+2
| | | | | | | | | | | rather than 0, which it will now treat as valid (needed for future work) adjust current consumers of a2port() to check its return value is <= 0, which in turn required some things to be converted from u_short => int make use of int vs. u_short consistent in some other places too feedback & ok markus@
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.