ee9c0da8 | 21-Jan-2021 | dtucker@openbsd.org
upstream: Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@ OpenBSD-Commit-ID: 0346b2f73f54c43d4e001089759d149bfe402ca5

4c7af01f | 07-Jan-2021 | djm@openbsd.org
upstream: If a signature operation on a FIDO key fails with an "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This smooths over a few corner cases including FIDO devices that require PINs for all hosted credentials, biometric FIDO devices that fall back to requiring PIN when reading the biometric failed, devices that don't implement reading credProtect status for downloaded keys and probably a few more cases that I haven't thought of yet. ok dtucker@ OpenBSD-Commit-ID: 176db8518933d6a5bbf81a2e3cf62447158dc878

2c71cec0 | 28-Dec-2020 | djm@openbsd.org
upstream: Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519). The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761. The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html). Thanks to Daniel J. Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself (note that both the updated method and the one that it replaced are disabled by default) OpenBSD-Commit-ID: 2bf582b772d81ee24e911bb6f4b2aecfd39338ae

da4bf0db | 21-Dec-2020 | djm@openbsd.org
upstream: add an ssh_config KnownHostsCommand that allows the client to obtain known_hosts data from a command in addition to the usual files. The command accepts a bunch of %-expansions, including details of the connection and the offered server host key. Note that the command may be invoked up to three times per connection (see the manpage for details). ok markus@ OpenBSD-Commit-ID: 2433cff4fb323918ae968da6ff38feb99b4d33d0

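What a KnownHostsCommand helper has to honour is easiest to see in a small script. The block below is an added example, not OpenSSH code and not from this log's authors. It assumes an ssh_config line of the form `KnownHostsCommand /usr/local/bin/kh-lookup %H %t %K` (the path is hypothetical; %H, %t and %K are the known_hosts hostname, offered key type and base64 key) and that on the first of the up to three invocations, before the server's key is known, the key tokens carry a placeholder rather than a key. The sample known_hosts text is constructed with placeholder key blobs; a real helper would query an inventory or CA service in its place.

```python
#!/usr/bin/env python3
"""Minimal KnownHostsCommand helper (added illustration, not OpenSSH code).

Assumed ssh_config wiring (path and token choice are this example's):
    KnownHostsCommand /usr/local/bin/kh-lookup %H %t %K
ssh reads known_hosts-format lines from stdout; a non-zero exit status
terminates the connection, so "no match" must exit 0 with no output.
"""
import base64
import hashlib
import hmac
import sys
from fnmatch import fnmatchcase

HASH_MAGIC = "|1|"


def hash_hostname(host, salt):
    """Hashed known_hosts name field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(name_field, host):
    """Match one known_hosts name field against a host name.

    Hashed fields are recomputed with their salt; plain fields are
    comma-separated patterns where '*' and '?' are wildcards and a leading
    '!' negates (a negated match excludes the line even if another pattern
    matches). [host]:port forms are not handled in this example.
    """
    if name_field.startswith(HASH_MAGIC):
        try:
            _, _, salt_b64, _ = name_field.split("|")
            salt = base64.b64decode(salt_b64, validate=True)
        except ValueError:
            return False                     # malformed hash: treat as no match
        return hmac.compare_digest(hash_hostname(host, salt), name_field)
    matched = False
    for pat in name_field.split(","):
        if pat.startswith("!"):
            if fnmatchcase(host, pat[1:]):
                return False
        elif fnmatchcase(host, pat):
            matched = True
    return matched


def lookup(host, text):
    """Return every known_hosts line in text that applies to host.

    Plain keys, @cert-authority and @revoked lines are all returned, whatever
    key type the server offered: ssh needs the plain keys to fall back from a
    certificate host key whose CA is unknown, and it must see revocations.
    The key comparison itself stays inside ssh.
    """
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = 1 if fields[0].startswith("@") else 0      # skip a marker field
        if len(fields) < idx + 3:
            continue                                     # malformed line: ignore
        if host_matches(fields[idx], host):
            out.append(line)
    return out


# Constructed sample source (placeholder key blobs, not real key material).
SAMPLE_KNOWN_HOSTS = (
    "# CA for the corporate domain, one pinned RSA host, a pattern with a negation\n"
    "@cert-authority *.corp.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERCA\n"
    "build.example,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERRSA\n"
    "!old-build.example,*.example ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYPLACEHOLDER\n"
    + hash_hostname("git.internal", b"\x01" * 20)
    + " ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQPLACEHOLDER\n"
)


def main(argv):
    # argv[2] (%t) and argv[3] (%K) are accepted but unused: on the first of the
    # up to three invocations per connection the server key is not yet known,
    # and the assumption here is that those tokens then carry a placeholder.
    if len(argv) < 2:
        sys.stderr.write("usage: kh-lookup HOST [KEYTYPE [KEY]]\n")
        return 2                                         # ssh aborts the connection
    for line in lookup(argv[1], SAMPLE_KNOWN_HOSTS):
        print(line)
    return 0                                             # empty output is not an error


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two design points matter in practice: the helper never filters on the offered key type, because the 13cee44e entry further down this log shows ssh itself deciding to downgrade a certificate host key to a plain one when no CA is configured, and a helper that withheld plain keys or @revoked lines would silently defeat that; and it exits 0 with no output when it knows nothing, since a non-zero exit status is how the command signals a failure that should abort the connection.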
0f504f59 | 20-Dec-2020 | djm@openbsd.org
upstream: plumb ssh_conn_info through to sshconnect.c; feedback/ok markus@ OpenBSD-Commit-ID: e8d14a09cda3f1dc55df08f8a4889beff74e68b0

b4c7cd11 | 20-Dec-2020 | djm@openbsd.org
upstream: load_hostkeys()/hostkeys_foreach() variants for FILE* Add load_hostkeys_file() and hostkeys_foreach_file() that accept a FILE* argument instead of opening the file directly. Original load_hostkeys() and hostkeys_foreach() are implemented using these new interfaces. Add a u_int note field to the hostkey_entry and hostkey_foreach_line structs that is passed directly from the load_hostkeys() and hostkeys_foreach() call. This is a lightweight way to annotate results between different invocations of load_hostkeys(). ok markus@ OpenBSD-Commit-ID: 6ff6db13ec9ee4edfa658b2c38baad0f505d8c20

04088725 | 13-Nov-2020 | djm@openbsd.org
upstream: scrub keyboard-interactive authentication prompts coming from the server through asmprintf() prior to display; suggested by and ok dtucker@ OpenBSD-Commit-ID: 31fe93367645c37fbfe4691596bf6cf1e3972a58

5442b491 | 12-Nov-2020 | djm@openbsd.org
upstream: prefix keyboard interactive prompts with (user@host) to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 ok dtucker OpenBSD-Commit-ID: 67e6189b04b46c867662f8a6759cf3ecb5f59170

d5a0cd4f | 08-Nov-2020 | djm@openbsd.org
upstream: when requesting a security key touch on stderr, inform the user once the touch has been recorded; requested by claudio@ ok markus@ OpenBSD-Commit-ID: 3b76ee444490e546b9ea7f879e4092ee0d256233

7d680448 | 29-Oct-2020 | djm@openbsd.org
upstream: print reason in fatal error message when kex_assemble_namelist() fails OpenBSD-Commit-ID: a9975ee8db6c98d6f32233d88051b2077ca63dab

1a14c131 | 28-Oct-2020 | djm@openbsd.org
upstream: whitespace; no code change OpenBSD-Commit-ID: efefc1c47e880887bdee8cd2127ca93177eaad79

816036f1 | 18-Oct-2020 | djm@openbsd.org
upstream: use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@ OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8

acadbb34 | 15-Oct-2020 | djm@openbsd.org
upstream: use do_log2 instead of function pointers to different log functions OpenBSD-Commit-ID: 88077b826d348c58352a6b394755520f4e484480

aa623142 | 06-Oct-2020 | djm@openbsd.org
upstream: revert kex->flags cert hostkey downgrade back to a plain key (commitid VtF8vozGOF8DMKVg). We now do this a simpler way that needs less plumbing. ok markus@ OpenBSD-Commit-ID: fb92d25b216bff8c136da818ac2221efaadf18ed

af889a40 | 04-Oct-2020 | djm@openbsd.org
upstream: when ordering host key algorithms in the client, consider the ECDSA key subtype; ok markus@ OpenBSD-Commit-ID: 3097686f853c61ff61772ea35f8b699931392ece

13cee44e | 03-Oct-2020 | djm@openbsd.org
upstream: record when the host key checking code downgrades a certificate host key to a plain key. This occurs when the user connects to a host with a certificate host key but no corresponding CA key configured in known_hosts; feedback and ok markus@ OpenBSD-Commit-ID: 2ada81853ff9ee7824c62f440bcf4ad62030c901

Revision tags: V_8_4_P1

b3855ff0 | 18-Sep-2020 | djm@openbsd.org
upstream: tweak the client hostkey preference ordering algorithm to prefer the default ordering if the user has a key that matches the best-preference default algorithm. feedback and ok markus@ OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f

9b8ad938 | 26-Aug-2020 | djm@openbsd.org
upstream: support for user-verified FIDO keys FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token. This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication. feedback markus@ and Pedro Martelletto; ok markus@ OpenBSD-Commit-ID: 57fd461e4366f87c47502c5614ec08573e6d6a15

e1c40110 | 27-Jun-2020 | bket@openbsd.org
upstream: Replace TAILQ concatenation loops with TAILQ_CONCAT OK djm@ OpenBSD-Commit-ID: 454b40e09a117ddb833794358970a65b14c431ef

67042889 | 04-Jun-2020 | djm@openbsd.org
upstream: wrap long line OpenBSD-Commit-ID: ed405a12bd27bdc9c52e169bc5ff3529b4ebbbb2

Revision tags: V_8_3_P1

05a65140 | 13-May-2020 | djm@openbsd.org
upstream: when ordering the hostkey algorithms to request from a server, prefer certificate types if the known_hosts files contain a key marked as a @cert-authority; bz#3157 ok markus@ OpenBSD-Commit-ID: 8f194573e5bb7c01b69bbfaabc68f27c9fa5e0db

54688e93 | 16-Apr-2020 | djm@openbsd.org
upstream: fix reversed test that caused IdentitiesOnly=yes to not apply to keys loaded from a PKCS11Provider; bz3141, ok dtucker@ OpenBSD-Commit-ID: e3dd6424b94685671fe84c9b9dbe352fb659f677

Revision tags: V_8_2_P1

96bd895a | 06-Feb-2020 | djm@openbsd.org
upstream: When using HostkeyAlgorithms to merely append or remove algorithms from the default set (i.e. HostkeyAlgorithms=+/-...), retain the default behaviour of preferring those algorithms that have existing keys in known_hosts; ok markus OpenBSD-Commit-ID: 040e7fcc38ea00146b5d224ce31ce7a1795ee6ed

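The client-side preference ordering that the 96bd895a, 05a65140, b3855ff0, af889a40 and aa623142 entries refine, together with the +/-/^ list handling that 7d680448 reports failures from, reads more clearly as code than as a sequence of commit messages. The block below is an added Python model written for this page; it is not OpenSSH's implementation (that is kex_assemble_namelist() and the ordering code in the C sources, which differ in detail), and it goes beyond the individual commits by implementing the general +, - and ^ semantics in one place. DEFAULT_HOSTKEY_ALGS is a constructed subset of real algorithm names in an illustrative order, the function names are this example's own, and the known_hosts lookup result is taken as an input set rather than parsed from files. Matching a certificate algorithm only against a @cert-authority of the same key type is a choice made here, not something the commit messages state.

```python
"""Model of how the ssh client orders HostKeyAlgorithms (added example, not OpenSSH code).

Behaviour mirrored from the commit log above:
  * a spec starting with '+', '-' or '^' modifies the default list; anything
    else replaces it, and unknown names are a fatal error with a reason;
  * only a modified-default list is reordered by what known_hosts holds;
  * certificate algorithms count as "known" when a @cert-authority of the
    matching key type exists (this example's refinement), ECDSA is matched
    including its curve, and if the top default algorithm already has a
    plain key the default ordering is kept as is.
"""
from fnmatch import fnmatchcase

CERT_SUFFIX = "-cert-v01@openssh.com"

# Constructed default preference list: a subset of real names, illustrative order.
DEFAULT_HOSTKEY_ALGS = [
    "ssh-ed25519-cert-v01@openssh.com",
    "ecdsa-sha2-nistp256-cert-v01@openssh.com",
    "rsa-sha2-512-cert-v01@openssh.com",
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "rsa-sha2-512",
    "rsa-sha2-256",
]


def assemble_namelist(spec, default=DEFAULT_HOSTKEY_ALGS, supported=None):
    """Apply an ssh_config-style algorithm spec to the default list.

    Returns (algorithms, is_modified_default). '+list' appends names not yet
    present, '-list' removes matches (wildcards allowed), '^list' moves matches
    to the front; a bare list replaces the default and must name only
    supported algorithms, otherwise ValueError carries the offending names.
    """
    supported = default if supported is None else supported
    if not spec:
        return list(default), True
    op, rest = spec[0], spec[1:]
    if op not in "+-^":
        explicit = [a for a in spec.split(",") if a]
        bad = [a for a in explicit if a not in supported]
        if bad:
            raise ValueError("unsupported algorithm(s): " + ",".join(bad))
        return explicit, False
    patterns = [p for p in rest.split(",") if p]
    if op == "-":
        return [a for a in default if not any(fnmatchcase(a, p) for p in patterns)], True
    matching = []                       # expand patterns against supported names, in pattern order
    for p in patterns:
        matching += [a for a in supported if fnmatchcase(a, p) and a not in matching]
    if op == "+":
        return list(default) + [a for a in matching if a not in default], True
    return matching + [a for a in default if a not in matching], True


def key_type(alg):
    """Plain key type an algorithm needs: strip the certificate suffix; every
    rsa-sha2-* signature algorithm uses an 'ssh-rsa' key; ECDSA keeps its curve."""
    base = alg[:-len(CERT_SUFFIX)] if alg.endswith(CERT_SUFFIX) else alg
    return "ssh-rsa" if base.startswith("rsa-sha2-") else base


def order_hostkeyalgs(algs, known, is_modified_default=True):
    """Move algorithms usable with keys already in known_hosts to the front.

    known: set of (key_type, is_cert_authority) pairs found for the target host
    (from the known_hosts files or a KnownHostsCommand; the lookup is not shown).
    An explicitly specified list is returned unchanged.
    """
    if not is_modified_default or not algs:
        return list(algs)
    plain = {t for t, ca in known if not ca}
    cas = {t for t, ca in known if ca}
    if key_type(algs[0]) in plain:      # best default algorithm already has a key
        return list(algs)

    def have_key(alg):
        return key_type(alg) in (cas if alg.endswith(CERT_SUFFIX) else plain)

    return [a for a in algs if have_key(a)] + [a for a in algs if not have_key(a)]


if __name__ == "__main__":
    algs, modified = assemble_namelist("-*cert*")
    print(order_hostkeyalgs(algs, {("ssh-rsa", False)}, modified))
```

The two inputs that change the outcome are the spec prefix and the known_hosts contents: with `-*cert*` and only an ssh-rsa key on file, the RSA signature algorithms are requested first; with `ssh-ed25519,rsa-sha2-512` given verbatim, nothing is reordered at all, which is the behaviour 96bd895a preserves for the +/- case only.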
a47f6a6c | 06-Feb-2020 | naddy@openbsd.org
upstream: Replace "security key" with "authenticator" in program messages. This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key". ok djm@ OpenBSD-Commit-ID: 7c63800e9c340c59440a054cde9790a78f18592e

7f8e66fe | 23-Jan-2020 | dtucker@openbsd.org
upstream: Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@ OpenBSD-Commit-ID: 44c6e1133a90fd15a3aa865bdedc53bab28b7910