History log of /openssh-portable/ (Results 126 - 150 of 10777)
Revision Date Author Comments
39e88aef 30-Aug-2020 djm@openbsd.org

upstream: Add RCS IDs to the few files that are missing them; from

Pedro Martelletto

OpenBSD-Commit-ID: 39aa37a43d0c75ec87f1659f573d3b5867e4a3b3

72730249 27-Aug-2020 dtucker@openbsd.org

upstream: Check that the addresses supplied to Match Address and

Match LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime. Found by
Daniel Stocker, ok djm@

OpenBSD-Commit-ID: 2d0b10c69fad5d8fda4c703e7c6804935289378b

2a3a9822 27-Aug-2020 jmc@openbsd.org

upstream: sentence fix; from pedro martelletto

OpenBSD-Commit-ID: f95b84a1e94e9913173229f3787448eea2f8a575

ce178be0 27-Aug-2020 Damien Miller

tweak back-compat for older libfido2

d6f45cdd 27-Aug-2020 djm@openbsd.org

upstream: debug()-print a little info about FIDO-specific key

fields via "ssh-keygen -vyf /path/key"

OpenBSD-Commit-ID: cf315c4fe77db43947d111b00155165cb6b577cf

b969072c 27-Aug-2020 djm@openbsd.org

upstream: skip a bit more FIDO token selection logic when only a

single token is attached.

with Pedro Martelletto

OpenBSD-Commit-ID: e4a324bd9814227ec1faa8cb619580e661cca9ac

744df42a 27-Aug-2020 jmc@openbsd.org

upstream: tweak previous;

OpenBSD-Commit-ID: 92714b6531e244e4da401b2defaa376374e24be7

e3247964 26-Aug-2020 djm@openbsd.org

upstream: adapt to API changes

OpenBSD-Regress-ID: 5f147990cb67094fe554333782ab268a572bb2dd

bbcc858d 26-Aug-2020 Damien Miller

degrade semi-gracefully when libfido2 is too old

9cbbdc12 26-Aug-2020 djm@openbsd.org

upstream: dummy firmware needs to match API version number crank (for

verify-required resident keys) even though it doesn't implement this feature

OpenBSD-Regress-ID: 86579ea2891e18e822e204413d011b2ae0e59657

c1e76c64 26-Aug-2020 djm@openbsd.org

upstream: remove unreachable code I forgot to delete in r1.334

OpenBSD-Commit-ID: 9ed6078251a0959ee8deda443b9ae42484fd8b18

0caff053 26-Aug-2020 djm@openbsd.org

upstream: Request PIN ahead of time for certain FIDO actions

When we know that a particular action will require a PIN, such as
downloading resident keys or generating a verify-required key, request
the PIN before attempting it.

joint work with Pedro Martelletto; ok markus@

OpenBSD-Commit-ID: 863182d38ef075bad1f7d20ca485752a05edb727

b649b3da 26-Aug-2020 djm@openbsd.org

upstream: preserve verify-required for resident FIDO keys

When downloading a resident, verify-required key from a FIDO token,
preserve the verify-required in the private key that is written to
disk. Previously we weren't doing that because of lack of support
in the middleware API.

from Pedro Martelletto; ok markus@ and myself

OpenBSD-Commit-ID: 201c46ccdd227cddba3d64e1bdbd082afa956517

642e06d0 26-Aug-2020 djm@openbsd.org

upstream: major rework of FIDO token selection logic

When PINs are in use and multiple FIDO tokens are attached to a host, we
cannot just blast requests at all attached tokens with the PIN specified
as this will cause the per-token PIN failure counter to increment. If
this retry counter hits the token's limit (usually 3 attempts), then the
token will lock itself and render all (web and SSH) of its keys invalid.
We don't want this.

So this reworks the key selection logic for the specific case of
multiple keys being attached. When multiple keys are attached and the
operation requires a PIN, then the user must touch the key that they
wish to use first in order to identify it.

This may require multiple touches, but only if there are multiple keys
attached AND (usually) the operation requires a PIN. The usual case of a
single key attached should be unaffected.

Work by Pedro Martelletto; ok myself and markus@

OpenBSD-Commit-ID: 637d3049ced61b7a9ee796914bbc4843d999a864

801c9f09 26-Aug-2020 djm@openbsd.org

upstream: support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@

OpenBSD-Commit-ID: 3a2313aae153e043d57763d766bb6d55c4e276e6

9b8ad938 26-Aug-2020 djm@openbsd.org

upstream: support for user-verified FIDO keys

FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.

This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.

feedback markus@ and Pedro Martelletto; ok markus@

OpenBSD-Commit-ID: 57fd461e4366f87c47502c5614ec08573e6d6a15

1196d7f4 11-Aug-2020 cheloha@openbsd.org

upstream: ssh-keyscan(1): simplify conloop() with timercmp(3),

timersub(3); ok djm@

OpenBSD-Commit-ID: a102acb544f840d33ad73d40088adab4a687fa27

d0a195c8 11-Aug-2020 djm@openbsd.org

upstream: let ssh_config(5)'s AddKeysToAgent keyword accept a time

limit for keys in addition to its current flag options. Time-limited keys
will automatically be removed from ssh-agent after their expiry time has
passed; ok markus@

OpenBSD-Commit-ID: 792e71cacbbc25faab5424cf80bee4a006119f94

e9c20028 11-Aug-2020 djm@openbsd.org

upstream: let the "Confirm user presence for key ..." ssh-askpass

notification respect $SSH_ASKPASS_REQUIRE; ok markus@

OpenBSD-Commit-ID: 7c1a616b348779bda3b9ad46bf592741f8e206c1

eaf8672b 20-Aug-2020 Darren Tucker

Remove check for 'ent' command.

It was added in 8d1fd57a9 for measuring entropy of ssh_prng_cmds which
has long since been removed and there are no other references to it.

05c215de 17-Aug-2020 Darren Tucker

Wrap stdint.h include in ifdef HAVE_STDINT_H.

eaf2765e 09-Aug-2020 Damien Miller

sync memmem.c with OpenBSD

ed6bef77 07-Aug-2020 Darren Tucker

Always send any PAM account messages.

If the PAM account stack returns any messages, send them to the user
not just if the check succeeds. bz#2049, ok djm@

a09e98dc 07-Aug-2020 Darren Tucker

Output test debug logs on failure.

eb122b1e 07-Aug-2020 Darren Tucker

Add ability to specify exact test target.
