summaryrefslogtreecommitdiffstats
path: root/usr.bin/ssh/sshconnect2.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* wrap long linedjm2020-06-051-2/+3
|
* when ordering the hostkey algorithms to request from a server,djm2020-05-131-4/+16
| | | | | prefer certificate types if the known_hosts files contain a key marked as a @cert-authority; bz#3157 ok markus@
* fix reversed test that caused IdentitiesOnly=yes to not apply to keysdjm2020-04-171-2/+2
| | | | loaded from a PKCS11Provider; bz3141, ok dtucker@
* When using HostkeyAlgorithms to merely append or remove algorithmsdjm2020-02-061-15/+26
| | | | | | from the default set (i.e. HostkeyAlgorithms=+/-...), retain the default behaviour of preferring those algorithms that have existing keys in known_hosts; ok markus
* Replace "security key" with "authenticator" in program messages.naddy2020-02-061-6/+7
| | | | | | | This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key". ok djm@
* Make zlib optional. This adds a "ZLIB" build time option that allowsdtucker2020-01-231-3/+3
| | | | | building without zlib compression and associated options. With feedback from markus@, ok djm@
* Replace all calls to signal(2) with a wrapper around sigaction(2).dtucker2020-01-231-4/+4
| | | | | | This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
* Remove unsupported algorithms from list of defaults at run time anddtucker2020-01-231-4/+4
| | | | | | | | remove ifdef and distinct settings for OPENSSL=no case. This will make things much simpler for -portable where the exact set of algos depends on the configuration of both OpenSSH and the libcrypto it's linked against (if any). ok djm@
* a little more verbosity in sign_and_send_pubkey() debug messagesdjm2020-01-211-3/+5
|
* close the "touch your security key" notifier on the error path toodjm2019-11-151-2/+2
|
* stdarg.h required more broadly; ok djmderaadt2019-11-131-1/+2
|
* security keys typically need to be tapped/touched in order to performdjm2019-11-121-1/+16
| | | | | | | a signature operation. Notify the user when this is expected via the TTY (if available) or $SSH_ASKPASS if we can. ok markus@
* enable ed25519 support; ok djmmarkus2019-11-121-8/+5
|
* Refactor signing - use sshkey_sign for everything, including the newdjm2019-10-311-14/+3
| | | | | | | | | | | U2F signatures. Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that. Suggested by / ok markus@
* ssh client support for U2F/FIDO keysdjm2019-10-311-25/+86
|
* Remove now-redundant perm_ok arg since sshkey_load_private_type willdtucker2019-08-051-3/+3
| | | | | now return SSH_ERR_KEY_BAD_PERMISSIONS in that case. Patch from jitendra.sharma at intel.com, ok djm@
* Remove some set but never used variables. ok daraadt@dtucker2019-07-071-5/+4
|
* When system calls indicate an error they return -1, not some arbitraryderaadt2019-06-281-10/+10
| | | | | | value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
* fix ssh-keysign fd handling problem introduced in r1.304 caused by a typodjm2019-05-311-2/+2
| | | | (STDIN_FILENO vs STDERR_FILENO)
* When doing the fork+exec'ing for ssh-keysign, rearrange the socketderaadt2019-05-151-7/+9
| | | | | into fd3, so as to not mistakenly leak other fd forward accidentally. ok djm
* fix regression in r1.302 reported by naddy@ - only the first publicdjm2019-02-121-5/+5
| | | | key from the agent was being attempted for use.
* cleanup GSSAPI authentication context after completion of thedjm2019-02-111-67/+88
| | | | | | | | authmethod. Move function-static GSSAPI state to the client Authctxt structure. Make static a bunch of functions that aren't used outside this file. Based on patch from Markus Schmidt <markus@blueflash.cc>; ok markus@
* merge kexkem[cs] into kexgendjm2019-01-211-9/+9
| | | | from markus@ ok djm@
* use KEM API for vanilla ECDHdjm2019-01-211-2/+2
| | | | from markus@ ok djm@
* use KEM API for vanilla DH KEXdjm2019-01-211-6/+6
| | | | from markus@ ok djm@
* use KEM API for vanilla c25519 KEXdjm2019-01-211-2/+2
|
* Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.orgdjm2019-01-211-1/+2
| | | | | | | | | using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default. introduce KEM API; a simplified framework for DH-ish KEX methods. from markus@ feedback & ok djm@
* GSSAPI code got missed when converting to new packet APIdjm2019-01-211-4/+4
|
* convert the remainder of sshconnect2.c to new packet APIdjm2019-01-191-49/+46
| | | | with & ok markus@
* convert sshconnect2.c to new packet APIdjm2019-01-191-13/+16
| | | | with & ok markus@
* begin landing remaining refactoring of packet parsing API, starteddjm2019-01-191-1/+4
| | | | | | | | | | | almost exactly six years ago. This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps. with & ok markus@
* eliminate function-static attempt counters for passwd/kbdintdjm2019-01-041-8/+10
| | | | | authmethods by moving them to the client authctxt; Patch from Markus Schmidt, ok markus@
* move client/server SSH-* banners to buffers under ssh->kex and factordjm2018-12-271-26/+23
| | | | | | | | | | | out the banner exchange. This eliminates some common code from the client and server. Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn). Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@
* don't truncate user or host name in "user@host's password: " prompts.djm2018-11-281-6/+5
| | | | requested by Marcel Logen; ok dtucker@
* fix bug in client that was keeping a redundant ssh-agent socket arounddjm2018-11-161-3/+5
| | | | | for the life of the connection; bz#2912; reported by Simon Tatham; ok dtucker@
* don't send new-style rsa-sha2-*-cert-v01@openssh.com names to olderdjm2018-10-111-2/+3
| | | | OpenSSH that can't handle them. spotted by Adam Eijdenberg; ok dtucker
* second try, deals properly with missing and private-only keys:djm2018-09-141-26/+53
| | | | | | | | | Use consistent format in debug log for keys readied, offered and received during public key authentication. This makes it a little easier to see what is going on, as each message now contains (where available) the key filename, its type and fingerprint, and whether the key is hosted in an agent or a token.
* revert following; deals badly with agent keysdjm2018-09-141-47/+26
| | | | | | | | | | | revision 1.285 date: 2018/09/14 04:17:12; author: djm; state: Exp; lines: +47 -26; commitid: lflGFcNb2X2HebaK; Use consistent format in debug log for keys readied, offered and received during public key authentication. This makes it a little easier to see what is going on, as each message now contains the key filename, its type and fingerprint, and whether the key is hosted in an agent or a token.
* Use consistent format in debug log for keys readied, offered anddjm2018-09-141-26/+47
| | | | | | | | received during public key authentication. This makes it a little easier to see what is going on, as each message now contains the key filename, its type and fingerprint, and whether the key is hosted in an agent or a token.
* revert compat.[ch] section of the following change. It causesdjm2018-08-131-8/+7
| | | | | | | | | | double-free under some circumstances. -- date: 2018/07/31 03:07:24; author: djm; state: Exp; lines: +33 -18; commitid: f7g4UI8eeOXReTPh; fix some memory leaks spotted by Coverity via Jakub Jelen in bz#2366 feedback and ok dtucker@
* fix some memory leaks spotted by Coverity via Jakub Jelen in bz#2366djm2018-07-311-7/+8
| | | | feedback and ok dtucker@
* Remove support for running ssh(1) setuid and fatal if attempted.dtucker2018-07-181-2/+1
| | | | | Do not link uidwap.c into ssh any more. Neuters UsePrivilegedPort, which will be marked as deprecated shortly. ok markus@ djm@
* Remove support for loading HostBasedAuthentication keys directly indtucker2018-07-161-7/+3
| | | | | ssh(1) and always use ssh-keysign. This removes one of the few remaining reasons why ssh(1) might be setuid. ok markus@
* treat ssh_packet_write_wait() errors as fatal; ok djm@markus2018-07-111-3/+3
|
* remove legacy key emulation layer; ok djm@markus2018-07-111-6/+6
|
* client: switch to sshbuf API; ok djm@markus2018-07-091-212/+277
|
* Revert previous two commitssf2018-07-091-2/+2
| | | | | | | | | | | | | | | | | | | | It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits: date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB Only delayed compression is supported nowadays. ok markus@ date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit. ok markus@
* Remove leftovers from pre-authentication compressionsf2018-07-061-2/+2
| | | | | | | Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit. ok markus@
* repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -djm2018-07-041-4/+6
| | | | | | | | | | | | | returns ability to add/remove/specify algorithms by wildcard. Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected. Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation. (lots of) feedback, ok markus@
* some finesse to fix RSA-SHA2 certificate authentication for certsdjm2018-07-031-3/+6
| | | | hosted in ssh-agent
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.