#
ee9c0da8 |
| 21-Jan-2021 |
dtucker@openbsd.org |
upstream: Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted.
upstream: Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@ OpenBSD-Commit-ID: 0346b2f73f54c43d4e001089759d149bfe402ca5
show more ...
|
#
4c7af01f |
| 07-Jan-2021 |
djm@openbsd.org |
upstream: If a signature operation on a FIDO key fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation.
upstream: If a signature operation on a FIDO key fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This smoothes over a few corner cases including FIDO devices that require PINs for all hosted credentials, biometric FIDO devices that fall back to requiring PIN when reading the biometric failed, devices that don't implement reading credProtect status for downloaded keys and probably a few more cases that I haven't though of yet. ok dtucker@ OpenBSD-Commit-ID: 176db8518933d6a5bbf81a2e3cf62447158dc878
show more ...
|
#
2c71cec0 |
| 28-Dec-2020 |
djm@openbsd.org |
upstream: Update/replace the experimental post-quantim hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519). The previous sntrup4591761x25519-sha512@tiny
upstream: Update/replace the experimental post-quantim hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519). The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761. The sntrup761 implementaion, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html). Thanks for Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself (note this both the updated method and the one that it replaced are disabled by default) OpenBSD-Commit-ID: 2bf582b772d81ee24e911bb6f4b2aecfd39338ae
show more ...
|
#
da4bf0db |
| 21-Dec-2020 |
djm@openbsd.org |
upstream: add a ssh_config KnownHostsCommand that allows the client to obtain known_hosts data from a command in addition to the usual files. The command accepts bunch of %-expansio
upstream: add a ssh_config KnownHostsCommand that allows the client to obtain known_hosts data from a command in addition to the usual files. The command accepts bunch of %-expansions, including details of the connection and the offered server host key. Note that the command may be invoked up to three times per connection (see the manpage for details). ok markus@ OpenBSD-Commit-ID: 2433cff4fb323918ae968da6ff38feb99b4d33d0
show more ...
|
#
0f504f59 |
| 20-Dec-2020 |
djm@openbsd.org |
upstream: plumb ssh_conn_info through to sshconnect.c; feedback/ok markus@ OpenBSD-Commit-ID: e8d14a09cda3f1dc55df08f8a4889beff74e68b0
|
#
b4c7cd11 |
| 20-Dec-2020 |
djm@openbsd.org |
upstream: load_hostkeys()/hostkeys_foreach() variants for FILE* Add load_hostkeys_file() and hostkeys_foreach_file() that accept a FILE* argument instead of opening the file directly.
upstream: load_hostkeys()/hostkeys_foreach() variants for FILE* Add load_hostkeys_file() and hostkeys_foreach_file() that accept a FILE* argument instead of opening the file directly. Original load_hostkeys() and hostkeys_foreach() are implemented using these new interfaces. Add a u_int note field to the hostkey_entry and hostkey_foreach_line structs that is passed directly from the load_hostkeys() and hostkeys_foreach() call. This is a lightweight way to annotate results between different invocations of load_hostkeys(). ok markus@ OpenBSD-Commit-ID: 6ff6db13ec9ee4edfa658b2c38baad0f505d8c20
show more ...
|
#
04088725 |
| 13-Nov-2020 |
djm@openbsd.org |
upstream: scrub keyboard-interactive authentication prompts coming from the server through asmprintf() prior to display; suggested by and ok dtucker@ OpenBSD-Commit-ID: 31fe9336
upstream: scrub keyboard-interactive authentication prompts coming from the server through asmprintf() prior to display; suggested by and ok dtucker@ OpenBSD-Commit-ID: 31fe93367645c37fbfe4691596bf6cf1e3972a58
show more ...
|
#
5442b491 |
| 12-Nov-2020 |
djm@openbsd.org |
upstream: prefix keyboard interactive prompts with (user@host) to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 ok d
upstream: prefix keyboard interactive prompts with (user@host) to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 ok dtucker OpenBSD-Commit-ID: 67e6189b04b46c867662f8a6759cf3ecb5f59170
show more ...
|
#
d5a0cd4f |
| 08-Nov-2020 |
djm@openbsd.org |
upstream: when requesting a security key touch on stderr, inform the user once the touch has been recorded; requested by claudio@ ok markus@ OpenBSD-Commit-ID: 3b76ee444490e546b9ea7
upstream: when requesting a security key touch on stderr, inform the user once the touch has been recorded; requested by claudio@ ok markus@ OpenBSD-Commit-ID: 3b76ee444490e546b9ea7f879e4092ee0d256233
show more ...
|
#
7d680448 |
| 29-Oct-2020 |
djm@openbsd.org |
upstream: print reason in fatal error message when kex_assemble_namelist() fails OpenBSD-Commit-ID: a9975ee8db6c98d6f32233d88051b2077ca63dab
|
#
1a14c131 |
| 28-Oct-2020 |
djm@openbsd.org |
upstream: whitespace; no code change OpenBSD-Commit-ID: efefc1c47e880887bdee8cd2127ca93177eaad79
|
#
816036f1 |
| 18-Oct-2020 |
djm@openbsd.org |
upstream: use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@ OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8
|
#
acadbb34 |
| 15-Oct-2020 |
djm@openbsd.org |
upstream: use do_log2 instead of function pointers to different log functions OpenBSD-Commit-ID: 88077b826d348c58352a6b394755520f4e484480
|
#
aa623142 |
| 06-Oct-2020 |
djm@openbsd.org |
upstream: revert kex->flags cert hostkey downgrade back to a plain key (commitid VtF8vozGOF8DMKVg). We now do this a simpler way that needs less plumbing. ok markus@ Op
upstream: revert kex->flags cert hostkey downgrade back to a plain key (commitid VtF8vozGOF8DMKVg). We now do this a simpler way that needs less plumbing. ok markus@ OpenBSD-Commit-ID: fb92d25b216bff8c136da818ac2221efaadf18ed
show more ...
|
#
af889a40 |
| 04-Oct-2020 |
djm@openbsd.org |
upstream: when ordering host key algorithms in the client, consider the ECDSA key subtype; ok markus@ OpenBSD-Commit-ID: 3097686f853c61ff61772ea35f8b699931392ece
|
#
13cee44e |
| 03-Oct-2020 |
djm@openbsd.org |
upstream: record when the host key checking code downgrades a certificate host key to a plain key. This occurs when the user connects to a host with a certificate host key but no corresp
upstream: record when the host key checking code downgrades a certificate host key to a plain key. This occurs when the user connects to a host with a certificate host key but no corresponding CA key configured in known_hosts; feedback and ok markus@ OpenBSD-Commit-ID: 2ada81853ff9ee7824c62f440bcf4ad62030c901
show more ...
|
Revision tags: V_8_4_P1 |
|
#
b3855ff0 |
| 18-Sep-2020 |
djm@openbsd.org |
upstream: tweak the client hostkey preference ordering algorithm to prefer the default ordering if the user has a key that matches the best-preference default algorithm. feedbac
upstream: tweak the client hostkey preference ordering algorithm to prefer the default ordering if the user has a key that matches the best-preference default algorithm. feedback and ok markus@ OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
show more ...
|
#
9b8ad938 |
| 26-Aug-2020 |
djm@openbsd.org |
upstream: support for user-verified FIDO keys FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular o
upstream: support for user-verified FIDO keys FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token. This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication. feedback markus@ and Pedro Martelletto; ok markus@ OpenBSD-Commit-ID: 57fd461e4366f87c47502c5614ec08573e6d6a15
show more ...
|
#
e1c40110 |
| 27-Jun-2020 |
bket@openbsd.org |
upstream: Replace TAILQ concatenation loops with TAILQ_CONCAT OK djm@ OpenBSD-Commit-ID: 454b40e09a117ddb833794358970a65b14c431ef
|
#
67042889 |
| 04-Jun-2020 |
djm@openbsd.org |
upstream: wrap long line OpenBSD-Commit-ID: ed405a12bd27bdc9c52e169bc5ff3529b4ebbbb2
|
Revision tags: V_8_3_P1 |
|
#
05a65140 |
| 13-May-2020 |
djm@openbsd.org |
upstream: when ordering the hostkey algorithms to request from a server, prefer certificate types if the known_hosts files contain a key marked as a @cert-authority; bz#3157 ok markus@
upstream: when ordering the hostkey algorithms to request from a server, prefer certificate types if the known_hosts files contain a key marked as a @cert-authority; bz#3157 ok markus@ OpenBSD-Commit-ID: 8f194573e5bb7c01b69bbfaabc68f27c9fa5e0db
show more ...
|
#
54688e93 |
| 16-Apr-2020 |
djm@openbsd.org |
upstream: fix reversed test that caused IdentitiesOnly=yes to not apply to keys loaded from a PKCS11Provider; bz3141, ok dtucker@ OpenBSD-Commit-ID: e3dd6424b94685671fe84c9b9dbe352f
upstream: fix reversed test that caused IdentitiesOnly=yes to not apply to keys loaded from a PKCS11Provider; bz3141, ok dtucker@ OpenBSD-Commit-ID: e3dd6424b94685671fe84c9b9dbe352fb659f677
show more ...
|
Revision tags: V_8_2_P1 |
|
#
96bd895a |
| 06-Feb-2020 |
djm@openbsd.org |
upstream: When using HostkeyAlgorithms to merely append or remove algorithms from the default set (i.e. HostkeyAlgorithms=+/-...), retain the default behaviour of preferring those algori
upstream: When using HostkeyAlgorithms to merely append or remove algorithms from the default set (i.e. HostkeyAlgorithms=+/-...), retain the default behaviour of preferring those algorithms that have existing keys in known_hosts; ok markus OpenBSD-Commit-ID: 040e7fcc38ea00146b5d224ce31ce7a1795ee6ed
show more ...
|
#
a47f6a6c |
| 06-Feb-2020 |
naddy@openbsd.org |
upstream: Replace "security key" with "authenticator" in program messages. This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator"
upstream: Replace "security key" with "authenticator" in program messages. This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key". ok djm@ OpenBSD-Commit-ID: 7c63800e9c340c59440a054cde9790a78f18592e
show more ...
|
#
7f8e66fe |
| 23-Jan-2020 |
dtucker@openbsd.org |
upstream: Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@ Ope
upstream: Make zlib optional. This adds a "ZLIB" build time option that allows building without zlib compression and associated options. With feedback from markus@, ok djm@ OpenBSD-Commit-ID: 44c6e1133a90fd15a3aa865bdedc53bab28b7910
show more ...
|