History log of /openssh-portable/auth2-pubkey.c (Results 1 - 25 of 181)
Revision (<<< Hide revision tags) (Show revision tags >>>) Date Author Comments
# a47f6a6c 06-Feb-2020 naddy@openbsd.org

upstream: Replace "security key" with "authenticator" in program

messages.

This replaces "security key" in error/usage/verbose messages and
distinguishes between "authenticator"

upstream: Replace "security key" with "authenticator" in program

messages.

This replaces "security key" in error/usage/verbose messages and
distinguishes between "authenticator" and "authenticator-hosted key".

ok djm@

OpenBSD-Commit-ID: 7c63800e9c340c59440a054cde9790a78f18592e

show more ...


# 3bf2a6ac 23-Jan-2020 dtucker@openbsd.org

upstream: Replace all calls to signal(2) with a wrapper around

sigaction(2). This wrapper blocks all other signals during the handler
preventing races between handlers, and sets SA_RESTA

upstream: Replace all calls to signal(2) with a wrapper around

sigaction(2). This wrapper blocks all other signals during the handler
preventing races between handlers, and sets SA_RESTART which should reduce
the potential for short read/write operations.

OpenBSD-Commit-ID: 5e047663fd77a40d7b07bdabe68529df51fd2519

show more ...


# 2e71263b 24-Nov-2019 djm@openbsd.org

upstream: add a "no-touch-required" option for authorized_keys and

a similar extension for certificates. This option disables the default
requirement that security key signatures attest

upstream: add a "no-touch-required" option for authorized_keys and

a similar extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched their
key to authorize them.

feedback deraadt, ok markus

OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e

show more ...


# 0fddf296 24-Nov-2019 djm@openbsd.org

upstream: Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested be

upstream: Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@

OpenBSD-Commit-ID: 46e434a49802d4ed82bc0aa38cb985c198c407de

show more ...


# b7e74ea0 24-Nov-2019 djm@openbsd.org

upstream: Add new structure for signature options

This is populated during signature verification with additional fields
that are present in and covered by the signature. At the moment,

upstream: Add new structure for signature options

This is populated during signature verification with additional fields
that are present in and covered by the signature. At the moment, it is
only used to record security key-specific options, especially the flags
field.

with and ok markus@

OpenBSD-Commit-ID: 338a1f0e04904008836130bedb9ece4faafd4e49

show more ...


Revision tags: V_8_1_P1
# be02d7cb 06-Sep-2019 djm@openbsd.org

upstream: lots of things were relying on libcrypto headers to

transitively include various system headers (mostly stdlib.h); include them
explicitly

OpenBSD-Commit-ID: 5b522f4f2

upstream: lots of things were relying on libcrypto headers to

transitively include various system headers (mostly stdlib.h); include them
explicitly

OpenBSD-Commit-ID: 5b522f4f2d844f78bf1cc4f3f4cc392e177b2080

show more ...


# dd8002fb 03-Sep-2019 djm@openbsd.org

upstream: move advance_past_options to authfile.c and make it

public; ok markus@

OpenBSD-Commit-ID: edda2fbba2c5b1f48e60f857a2010479e80c5f3c


# c72d78cc 03-Sep-2019 djm@openbsd.org

upstream: move skip_space() to misc.c and make it public; ok

markus@

OpenBSD-Commit-ID: caa77e8a3b210948e29ad3e28c5db00852961eae


# 16dd8b2c 16-Jul-2019 djm@openbsd.org

upstream: remove mostly vestigal uuencode.[ch]; moving the only unique

functionality there (wrapping of base64-encoded data) to sshbuf functions;
feedback and ok markus@

OpenBSD

upstream: remove mostly vestigal uuencode.[ch]; moving the only unique

functionality there (wrapping of base64-encoded data) to sshbuf functions;
feedback and ok markus@

OpenBSD-Commit-ID: 4dba6735d88c57232f6fccec8a08bdcfea44ac4c

show more ...


# 4cd6b12c 20-Jun-2019 djm@openbsd.org

upstream: print the correct AuthorizedPrincipalsCommand rather than

an uninitialised variable; spotted by dtucker@

OpenBSD-Commit-ID: 02802018784250f68202f01c8561de82e17b0638


# c95b90d4 13-Jun-2019 djm@openbsd.org

upstream: for public key authentication, check AuthorizedKeysFiles

files before consulting AuthorizedKeysCommand; ok dtucker markus

OpenBSD-Commit-ID: 13652998bea5cb93668999c39c3c48

upstream: for public key authentication, check AuthorizedKeysFiles

files before consulting AuthorizedKeysCommand; ok dtucker markus

OpenBSD-Commit-ID: 13652998bea5cb93668999c39c3c48e8429db8b3

show more ...


# 30615295 19-May-2019 djm@openbsd.org

upstream: embiggen format buffer size for certificate serial number so

that it will fit a full 64 bit integer. bz#3012 from Manoel Domingues Junior

OpenBSD-Commit-ID: a51f3013056d05

upstream: embiggen format buffer size for certificate serial number so

that it will fit a full 64 bit integer. bz#3012 from Manoel Domingues Junior

OpenBSD-Commit-ID: a51f3013056d05b976e5af6b978dcb9e27bbc12b

show more ...


Revision tags: V_8_0_P1
# ff5d2cf4 22-Jan-2019 djm@openbsd.org

upstream: print the full pubkey being attempted at loglevel >=

debug2; bz2939

OpenBSD-Commit-ID: ac0fe5ca1429ebf4d460bad602adc96de0d7e290


Revision tags: V_7_9_P1
# 86e5737c 19-Sep-2018 djm@openbsd.org

upstream: Add sshd_config CASignatureAlgorithms option to allow

control over which signature algorithms a CA may use when signing
certificates. In particular, this allows a sshd to ban c

upstream: Add sshd_config CASignatureAlgorithms option to allow

control over which signature algorithms a CA may use when signing
certificates. In particular, this allows a sshd to ban certificates signed
with RSA/SHA1.

ok markus@

OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac

show more ...


# db8bb80e 28-Aug-2018 mestre@openbsd.org

upstream: fix misplaced parenthesis inside if-clause. it's harmless

and the only issue is showing an unknown error (since it's not defined)
during fatal(), if it ever an error occurs ins

upstream: fix misplaced parenthesis inside if-clause. it's harmless

and the only issue is showing an unknown error (since it's not defined)
during fatal(), if it ever an error occurs inside that condition.

OK deraadt@ markus@ djm@

OpenBSD-Commit-ID: acb0a8e6936bfbe590504752d01d1d251a7101d8

show more ...


Revision tags: V_7_8_P1
# 7fef173c 22-Aug-2018 djm@openbsd.org

upstream: memleak introduced in r1.83; from Colin Watson

OpenBSD-Commit-ID: 5c019104c280cbd549a264a7217b67665e5732dc


# 74287f5d 30-Jul-2018 djm@openbsd.org

upstream: delay bailout for invalid authentic

=?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?=
=?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20

upstream: delay bailout for invalid authentic

=?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?=
=?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?=
=?UTF-8?q?iusz=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d

show more ...


# 394a842e 11-Jul-2018 markus@openbsd.org

upstream: treat ssh_packet_write_wait() errors as fatal; ok djm@

OpenBSD-Commit-ID: f88ba43c9d54ed2d911218aa8d3f6285430629c3


# c7d39ac8 09-Jul-2018 markus@openbsd.org

upstream: sshd: switch authentication to sshbuf API; ok djm@

OpenBSD-Commit-ID: 880aa06bce4b140781e836bb56bec34873290641


# 4ba0d547 03-Jul-2018 djm@openbsd.org

upstream: Improve strictness and control over RSA-SHA2 signature

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the s

upstream: Improve strictness and control over RSA-SHA2 signature

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@

OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde

show more ...


# 7f906352 06-Jun-2018 markus@openbsd.org

upstream: switch config file parsing to getline(3) as this avoids

static limits noted by gerhard@; ok dtucker@, djm@

OpenBSD-Commit-ID: 6d702eabef0fa12e5a1d75c334a8c8b325298b5c


# 9c935dd9 31-May-2018 djm@openbsd.org

upstream: make UID available as a %-expansion everywhere that the

username is available currently. In the client this is via %i, in the server
%U (since %i was already used in the client

upstream: make UID available as a %-expansion everywhere that the

username is available currently. In the client this is via %i, in the server
%U (since %i was already used in the client in some places for this, but used
for something different in the server); bz#2870, ok dtucker@

OpenBSD-Commit-ID: c7e912b0213713316cb55db194b3a6415b3d4b95

show more ...


Revision tags: V_7_7_P1
# 7c856857 02-Mar-2018 djm@openbsd.org

upstream: switch over to the new authorized_keys options API and

remove the legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file li

upstream: switch over to the new authorized_keys options API and

remove the legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@

OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df

show more ...


# f1f047fb 07-Feb-2018 dtucker@openbsd.org

upstream commit

ssh_free checks for and handles NULL args, remove NULL
checks from remaining callers. ok djm@

OpenBSD-Commit-ID: bb926825c53724c069df68a93a2597f9192f7e7b


# 14b5c635 23-Jan-2018 djm@openbsd.org

upstream commit

Drop compatibility hacks for some ancient SSH
implementations, including ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and

upstream commit

Drop compatibility hacks for some ancient SSH
implementations, including ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@

OpenBSD-Commit-ID: 4be81c67db57647f907f4e881fb9341448606138

show more ...


12345678