History log of /openssh-portable/auth2-pubkey.c (Results 1 – 25 of 110)
Revision (<<< Hide revision tags) (Show revision tags >>>) Date Author Comments
Revision tags: V_8_6_P1
# 31d8d231 03-Apr-2021 djm@openbsd.org

upstream: highly polished whitespace, mostly fixing spaces-for-tab

and bad indentation on continuation lines. Prompted by GHPR#185

OpenBSD-Commit-ID: e5c81f0cbdcc6144df1ce468ec1bac366d8ad6e9


Revision tags: V_8_5_P1
# 39be3dc2 27-Jan-2021 djm@openbsd.org

upstream: make ssh->kex->session_id a sshbuf instead of u_char*/size_t

and use that instead of global variables containing copies of it. feedback/ok
markus@

OpenBSD-Commit-ID: a4b1b1ca4afd2e37cb9f6

upstream: make ssh->kex->session_id a sshbuf instead of u_char*/size_t

and use that instead of global variables containing copies of it. feedback/ok
markus@

OpenBSD-Commit-ID: a4b1b1ca4afd2e37cb9f64f737b30a6a7f96af68

show more ...


# 3b44f251 25-Jan-2021 djm@openbsd.org

upstream: move check_host_cert() from sshconnect,c to sshkey.c and

refactor it to make it more generally usable and testable.

ok markus@

OpenBSD-Commit-ID: 536f489f5ff38808c1fa711ba58d4579b636f9e4


# ee9c0da8 21-Jan-2021 dtucker@openbsd.org

upstream: Rename PubkeyAcceptedKeyTypes keyword to

PubkeyAcceptedAlgorithms. While the two were originally equivalent, this
actually specifies the signature algorithms that are accepted. Some key
t

upstream: Rename PubkeyAcceptedKeyTypes keyword to

PubkeyAcceptedAlgorithms. While the two were originally equivalent, this
actually specifies the signature algorithms that are accepted. Some key
types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512)
so the old name is becoming increasingly misleading. The old name is
retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@

OpenBSD-Commit-ID: 0346b2f73f54c43d4e001089759d149bfe402ca5

show more ...


# a34e14a5 21-Dec-2020 djm@openbsd.org

upstream: move subprocess() from auth.c to misc.c

make privilege dropping optional but allow it via callbacks (to avoid
need to link uidswap.c everywhere)

add some other flags (keep environment, di

upstream: move subprocess() from auth.c to misc.c

make privilege dropping optional but allow it via callbacks (to avoid
need to link uidswap.c everywhere)

add some other flags (keep environment, disable strict path safety check)
that make this more useful for client-side use.

feedback & ok markus@

OpenBSD-Commit-ID: a80ea9fdcc156f1a18e9c166122c759fae1637bf

show more ...


# 0ebead65 17-Dec-2020 djm@openbsd.org

upstream: fix possible error("%s", NULL) on error paths

OpenBSD-Commit-ID: 0b3833c2cb985453ecca1d76803ebb8f3b736a11


# 816036f1 18-Oct-2020 djm@openbsd.org

upstream: use the new variant log macros instead of prepending

__func__ and appending ssh_err(r) manually; ok markus@

OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8


Revision tags: V_8_4_P1
# 801c9f09 26-Aug-2020 djm@openbsd.org

upstream: support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys ve

upstream: support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@

OpenBSD-Commit-ID: 3a2313aae153e043d57763d766bb6d55c4e276e6

show more ...


Revision tags: V_8_3_P1, V_8_2_P1
# a47f6a6c 06-Feb-2020 naddy@openbsd.org

upstream: Replace "security key" with "authenticator" in program

messages.

This replaces "security key" in error/usage/verbose messages and
distinguishes between "authenticator" and "authenticator-

upstream: Replace "security key" with "authenticator" in program

messages.

This replaces "security key" in error/usage/verbose messages and
distinguishes between "authenticator" and "authenticator-hosted key".

ok djm@

OpenBSD-Commit-ID: 7c63800e9c340c59440a054cde9790a78f18592e

show more ...


# 3bf2a6ac 23-Jan-2020 dtucker@openbsd.org

upstream: Replace all calls to signal(2) with a wrapper around

sigaction(2). This wrapper blocks all other signals during the handler
preventing races between handlers, and sets SA_RESTART which sho

upstream: Replace all calls to signal(2) with a wrapper around

sigaction(2). This wrapper blocks all other signals during the handler
preventing races between handlers, and sets SA_RESTART which should reduce
the potential for short read/write operations.

OpenBSD-Commit-ID: 5e047663fd77a40d7b07bdabe68529df51fd2519

show more ...


# 2e71263b 24-Nov-2019 djm@openbsd.org

upstream: add a "no-touch-required" option for authorized_keys and

a similar extension for certificates. This option disables the default
requirement that security key signatures attest that the use

upstream: add a "no-touch-required" option for authorized_keys and

a similar extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched their
key to authorize them.

feedback deraadt, ok markus

OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e

show more ...


# 0fddf296 24-Nov-2019 djm@openbsd.org

upstream: Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a secur

upstream: Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@

OpenBSD-Commit-ID: 46e434a49802d4ed82bc0aa38cb985c198c407de

show more ...


# b7e74ea0 24-Nov-2019 djm@openbsd.org

upstream: Add new structure for signature options

This is populated during signature verification with additional fields
that are present in and covered by the signature. At the moment, it is
only u

upstream: Add new structure for signature options

This is populated during signature verification with additional fields
that are present in and covered by the signature. At the moment, it is
only used to record security key-specific options, especially the flags
field.

with and ok markus@

OpenBSD-Commit-ID: 338a1f0e04904008836130bedb9ece4faafd4e49

show more ...


Revision tags: V_8_1_P1
# be02d7cb 06-Sep-2019 djm@openbsd.org

upstream: lots of things were relying on libcrypto headers to

transitively include various system headers (mostly stdlib.h); include them
explicitly

OpenBSD-Commit-ID: 5b522f4f2d844f78bf1cc4f3f4cc3

upstream: lots of things were relying on libcrypto headers to

transitively include various system headers (mostly stdlib.h); include them
explicitly

OpenBSD-Commit-ID: 5b522f4f2d844f78bf1cc4f3f4cc392e177b2080

show more ...


# dd8002fb 03-Sep-2019 djm@openbsd.org

upstream: move advance_past_options to authfile.c and make it

public; ok markus@

OpenBSD-Commit-ID: edda2fbba2c5b1f48e60f857a2010479e80c5f3c


# c72d78cc 03-Sep-2019 djm@openbsd.org

upstream: move skip_space() to misc.c and make it public; ok

markus@

OpenBSD-Commit-ID: caa77e8a3b210948e29ad3e28c5db00852961eae


# 16dd8b2c 16-Jul-2019 djm@openbsd.org

upstream: remove mostly vestigal uuencode.[ch]; moving the only unique

functionality there (wrapping of base64-encoded data) to sshbuf functions;
feedback and ok markus@

OpenBSD-Commit-ID: 4dba6735

upstream: remove mostly vestigal uuencode.[ch]; moving the only unique

functionality there (wrapping of base64-encoded data) to sshbuf functions;
feedback and ok markus@

OpenBSD-Commit-ID: 4dba6735d88c57232f6fccec8a08bdcfea44ac4c

show more ...


# 4cd6b12c 20-Jun-2019 djm@openbsd.org

upstream: print the correct AuthorizedPrincipalsCommand rather than

an uninitialised variable; spotted by dtucker@

OpenBSD-Commit-ID: 02802018784250f68202f01c8561de82e17b0638


# c95b90d4 13-Jun-2019 djm@openbsd.org

upstream: for public key authentication, check AuthorizedKeysFiles

files before consulting AuthorizedKeysCommand; ok dtucker markus

OpenBSD-Commit-ID: 13652998bea5cb93668999c39c3c48e8429db8b3


# 30615295 19-May-2019 djm@openbsd.org

upstream: embiggen format buffer size for certificate serial number so

that it will fit a full 64 bit integer. bz#3012 from Manoel Domingues Junior

OpenBSD-Commit-ID: a51f3013056d05b976e5af6b978dcb

upstream: embiggen format buffer size for certificate serial number so

that it will fit a full 64 bit integer. bz#3012 from Manoel Domingues Junior

OpenBSD-Commit-ID: a51f3013056d05b976e5af6b978dcb9e27bbc12b

show more ...


Revision tags: V_8_0_P1
# ff5d2cf4 22-Jan-2019 djm@openbsd.org

upstream: print the full pubkey being attempted at loglevel >=

debug2; bz2939

OpenBSD-Commit-ID: ac0fe5ca1429ebf4d460bad602adc96de0d7e290


Revision tags: V_7_9_P1
# 86e5737c 19-Sep-2018 djm@openbsd.org

upstream: Add sshd_config CASignatureAlgorithms option to allow

control over which signature algorithms a CA may use when signing
certificates. In particular, this allows a sshd to ban certificates

upstream: Add sshd_config CASignatureAlgorithms option to allow

control over which signature algorithms a CA may use when signing
certificates. In particular, this allows a sshd to ban certificates signed
with RSA/SHA1.

ok markus@

OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac

show more ...


# db8bb80e 28-Aug-2018 mestre@openbsd.org

upstream: fix misplaced parenthesis inside if-clause. it's harmless

and the only issue is showing an unknown error (since it's not defined)
during fatal(), if it ever an error occurs inside that con

upstream: fix misplaced parenthesis inside if-clause. it's harmless

and the only issue is showing an unknown error (since it's not defined)
during fatal(), if it ever an error occurs inside that condition.

OK deraadt@ markus@ djm@

OpenBSD-Commit-ID: acb0a8e6936bfbe590504752d01d1d251a7101d8

show more ...


Revision tags: V_7_8_P1
# 7fef173c 22-Aug-2018 djm@openbsd.org

upstream: memleak introduced in r1.83; from Colin Watson

OpenBSD-Commit-ID: 5c019104c280cbd549a264a7217b67665e5732dc


# 74287f5d 30-Jul-2018 djm@openbsd.org

upstream: delay bailout for invalid authentic

=?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?=
=?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?=
=

upstream: delay bailout for invalid authentic

=?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?=
=?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?=
=?UTF-8?q?iusz=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d

show more ...


12345