| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
authentication cookies to avoid fallback in X11 code to fully-trusted
implicit authentication using SO_PEERCRED described at:
http://lists.x.org/archives/xorg-devel/2010-May/008636.html
After the X11ForwardTimeout has expired the client will now refuse
incoming X11 channel opens.
based on patch from Tavis Ormandy; "nice" markus@
|
| | |
|
| |
|
|
| |
ok deraadt markus
|
| | |
|
| |
|
|
| |
implies ", " is acceptable as a separator, which it's not. ok djm@
|
| |
|
|
| |
they are present; feedback and ok jmc@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf
ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11
provider (shared library) while ssh-agent(1) delegates PKCS#11 to
a forked a ssh-pkcs11-helper process.
PKCS#11 is currently a compile time option.
feedback and ok djm@; inspired by patches from Alon Bar-Lev
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that trafic such as DNS lookups stays withing the specified routingdomain.
For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3
ok deraadt@ markus@ stevesk@ reyk@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
consistent with other options.
NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.
ok markus@ djm@
|
| |
|
|
| |
try to abuse it.
|
| |
|
|
| |
ok markus@
|
| | |
|
| |
|
|
| |
ok deraadt
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate of knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
| | |
|
| |
|
|
|
|
| |
the remote machine.' for RemoteForward just like ssh.1 -R.
ok djm@ jmc@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
CheckHostIP to an own config option named VisualHostKey.
While there, fix the behaviour that ssh would draw a random art picture
on every newly seen host even when the option was not enabled.
prodded by deraadt@, discussions,
help and ok markus@ djm@ dtucker@
|
| | |
|
| | |
|
| |
|
|
| |
spotted by naddy@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
graphical hash visualization schemes known as "random art", and by
Dan Kaminsky's musings on the subject during a BlackOp talk at the
23C3 in Berlin.
Scientific publication (original paper):
"Hash Visualization: a New Technique to improve Real-World Security",
Perrig A. and Song D., 1999, International Workshop on Cryptographic
Techniques and E-Commerce (CrypTEC '99)
http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
The algorithm used here is a worm crawling over a discrete plane,
leaving a trace (augmenting the field) everywhere it goes.
Movement is taken from dgst_raw 2bit-wise. Bumping into walls
makes the respective movement vector be ignored for this turn,
thus switching to the other color of the chessboard.
Graphs are not unambiguous for now, because circles in graphs can be
walked in either direction.
discussions with several people,
help, corrections and ok markus@ djm@
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
patch from dkg AT fifthhorseman.net
|
| | |
|
| |
|
|
| |
since groff has trouble handling wide lines;
|
| |
|
|
|
|
|
|
|
|
| |
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
| | |
|
| |
|
|
|
| |
this is actually part of a larger report sent by eric s. raymond
and forwarded by brad, but i only read half of it. spotted by brad.
|
| |
|
|
|
| |
originally spotted by alan amesbury;
ok deraadt
|
| |
|
|
|
| |
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc
|
| |
|
|
| |
jmc@
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
on a patch by imaging AT math.ualberta.ca; feedback and ok dtucker@
|
| | |
|
| |
|
|
| |
quotes. mindrot #482, man page help from jmc@, ok djm@
|
| | |
|
| | |
|
jmc
djm
dtucker
markus
stevesk
reyk
naddy
krw
grunk
pvalchev