History log of /openssh-portable/sshconnect2.c (Results 1 - 25 of 598)
Revision (<<< Hide revision tags) (Show revision tags >>>) Date Author Comments
# ee9c0da8 21-Jan-2021 dtucker@openbsd.org

upstream: Rename PubkeyAcceptedKeyTypes keyword to

PubkeyAcceptedAlgorithms. While the two were originally equivalent, this
actually specifies the signature algorithms that are accepted.

upstream: Rename PubkeyAcceptedKeyTypes keyword to

PubkeyAcceptedAlgorithms. While the two were originally equivalent, this
actually specifies the signature algorithms that are accepted. Some key
types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512)
so the old name is becoming increasingly misleading. The old name is
retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@

OpenBSD-Commit-ID: 0346b2f73f54c43d4e001089759d149bfe402ca5

show more ...


# 4c7af01f 07-Jan-2021 djm@openbsd.org

upstream: If a signature operation on a FIDO key fails with a

"incorrect PIN" reason and no PIN was initially requested from the user, then
request a PIN and retry the operation.

upstream: If a signature operation on a FIDO key fails with a

"incorrect PIN" reason and no PIN was initially requested from the user, then
request a PIN and retry the operation.

This smoothes over a few corner cases including FIDO devices that
require PINs for all hosted credentials, biometric FIDO devices that
fall back to requiring PIN when reading the biometric failed, devices
that don't implement reading credProtect status for downloaded keys
and probably a few more cases that I haven't though of yet.

ok dtucker@

OpenBSD-Commit-ID: 176db8518933d6a5bbf81a2e3cf62447158dc878

show more ...


# 2c71cec0 28-Dec-2020 djm@openbsd.org

upstream: Update/replace the experimental post-quantim hybrid key

exchange method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tiny

upstream: Update/replace the experimental post-quantim hybrid key

exchange method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementaion, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks for Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note this both the updated method and the one that it replaced are
disabled by default)

OpenBSD-Commit-ID: 2bf582b772d81ee24e911bb6f4b2aecfd39338ae

show more ...


# da4bf0db 21-Dec-2020 djm@openbsd.org

upstream: add a ssh_config KnownHostsCommand that allows the client

to obtain known_hosts data from a command in addition to the usual files.

The command accepts bunch of %-expansio

upstream: add a ssh_config KnownHostsCommand that allows the client

to obtain known_hosts data from a command in addition to the usual files.

The command accepts bunch of %-expansions, including details of the
connection and the offered server host key. Note that the command may
be invoked up to three times per connection (see the manpage for
details).

ok markus@

OpenBSD-Commit-ID: 2433cff4fb323918ae968da6ff38feb99b4d33d0

show more ...


# 0f504f59 20-Dec-2020 djm@openbsd.org

upstream: plumb ssh_conn_info through to sshconnect.c; feedback/ok

markus@

OpenBSD-Commit-ID: e8d14a09cda3f1dc55df08f8a4889beff74e68b0


# b4c7cd11 20-Dec-2020 djm@openbsd.org

upstream: load_hostkeys()/hostkeys_foreach() variants for FILE*

Add load_hostkeys_file() and hostkeys_foreach_file() that accept a
FILE* argument instead of opening the file directly.

upstream: load_hostkeys()/hostkeys_foreach() variants for FILE*

Add load_hostkeys_file() and hostkeys_foreach_file() that accept a
FILE* argument instead of opening the file directly.

Original load_hostkeys() and hostkeys_foreach() are implemented using
these new interfaces.

Add a u_int note field to the hostkey_entry and hostkey_foreach_line
structs that is passed directly from the load_hostkeys() and
hostkeys_foreach() call. This is a lightweight way to annotate results
between different invocations of load_hostkeys().

ok markus@

OpenBSD-Commit-ID: 6ff6db13ec9ee4edfa658b2c38baad0f505d8c20

show more ...


# 04088725 13-Nov-2020 djm@openbsd.org

upstream: scrub keyboard-interactive authentication prompts coming

from the server through asmprintf() prior to display; suggested by and ok
dtucker@

OpenBSD-Commit-ID: 31fe9336

upstream: scrub keyboard-interactive authentication prompts coming

from the server through asmprintf() prior to display; suggested by and ok
dtucker@

OpenBSD-Commit-ID: 31fe93367645c37fbfe4691596bf6cf1e3972a58

show more ...


# 5442b491 12-Nov-2020 djm@openbsd.org

upstream: prefix keyboard interactive prompts with (user@host) to

make it easier to determine which connection they are associated with in
cases like scp -3, ProxyJump, etc. bz#3224 ok d

upstream: prefix keyboard interactive prompts with (user@host) to

make it easier to determine which connection they are associated with in
cases like scp -3, ProxyJump, etc. bz#3224 ok dtucker

OpenBSD-Commit-ID: 67e6189b04b46c867662f8a6759cf3ecb5f59170

show more ...


# d5a0cd4f 08-Nov-2020 djm@openbsd.org

upstream: when requesting a security key touch on stderr, inform the

user once the touch has been recorded; requested by claudio@ ok markus@

OpenBSD-Commit-ID: 3b76ee444490e546b9ea7

upstream: when requesting a security key touch on stderr, inform the

user once the touch has been recorded; requested by claudio@ ok markus@

OpenBSD-Commit-ID: 3b76ee444490e546b9ea7f879e4092ee0d256233

show more ...


# 7d680448 29-Oct-2020 djm@openbsd.org

upstream: print reason in fatal error message when

kex_assemble_namelist() fails

OpenBSD-Commit-ID: a9975ee8db6c98d6f32233d88051b2077ca63dab


# 1a14c131 28-Oct-2020 djm@openbsd.org

upstream: whitespace; no code change

OpenBSD-Commit-ID: efefc1c47e880887bdee8cd2127ca93177eaad79


# 816036f1 18-Oct-2020 djm@openbsd.org

upstream: use the new variant log macros instead of prepending

__func__ and appending ssh_err(r) manually; ok markus@

OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8


# acadbb34 15-Oct-2020 djm@openbsd.org

upstream: use do_log2 instead of function pointers to different log

functions

OpenBSD-Commit-ID: 88077b826d348c58352a6b394755520f4e484480


# aa623142 06-Oct-2020 djm@openbsd.org

upstream: revert kex->flags cert hostkey downgrade back to a plain

key (commitid VtF8vozGOF8DMKVg). We now do this a simpler way that needs less
plumbing.

ok markus@

Op

upstream: revert kex->flags cert hostkey downgrade back to a plain

key (commitid VtF8vozGOF8DMKVg). We now do this a simpler way that needs less
plumbing.

ok markus@

OpenBSD-Commit-ID: fb92d25b216bff8c136da818ac2221efaadf18ed

show more ...


# af889a40 04-Oct-2020 djm@openbsd.org

upstream: when ordering host key algorithms in the client, consider

the ECDSA key subtype; ok markus@

OpenBSD-Commit-ID: 3097686f853c61ff61772ea35f8b699931392ece


# 13cee44e 03-Oct-2020 djm@openbsd.org

upstream: record when the host key checking code downgrades a

certificate host key to a plain key. This occurs when the user connects to a
host with a certificate host key but no corresp

upstream: record when the host key checking code downgrades a

certificate host key to a plain key. This occurs when the user connects to a
host with a certificate host key but no corresponding CA key configured in
known_hosts; feedback and ok markus@

OpenBSD-Commit-ID: 2ada81853ff9ee7824c62f440bcf4ad62030c901

show more ...


Revision tags: V_8_4_P1
# b3855ff0 18-Sep-2020 djm@openbsd.org

upstream: tweak the client hostkey preference ordering algorithm to

prefer the default ordering if the user has a key that matches the
best-preference default algorithm.

feedbac

upstream: tweak the client hostkey preference ordering algorithm to

prefer the default ordering if the user has a key that matches the
best-preference default algorithm.

feedback and ok markus@

OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f

show more ...


# 9b8ad938 26-Aug-2020 djm@openbsd.org

upstream: support for user-verified FIDO keys

FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
o

upstream: support for user-verified FIDO keys

FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.

This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.

feedback markus@ and Pedro Martelletto; ok markus@

OpenBSD-Commit-ID: 57fd461e4366f87c47502c5614ec08573e6d6a15

show more ...


# e1c40110 27-Jun-2020 bket@openbsd.org

upstream: Replace TAILQ concatenation loops with TAILQ_CONCAT

OK djm@

OpenBSD-Commit-ID: 454b40e09a117ddb833794358970a65b14c431ef


# 67042889 04-Jun-2020 djm@openbsd.org

upstream: wrap long line

OpenBSD-Commit-ID: ed405a12bd27bdc9c52e169bc5ff3529b4ebbbb2


Revision tags: V_8_3_P1
# 05a65140 13-May-2020 djm@openbsd.org

upstream: when ordering the hostkey algorithms to request from a

server, prefer certificate types if the known_hosts files contain a key
marked as a @cert-authority; bz#3157 ok markus@

upstream: when ordering the hostkey algorithms to request from a

server, prefer certificate types if the known_hosts files contain a key
marked as a @cert-authority; bz#3157 ok markus@

OpenBSD-Commit-ID: 8f194573e5bb7c01b69bbfaabc68f27c9fa5e0db

show more ...


# 54688e93 16-Apr-2020 djm@openbsd.org

upstream: fix reversed test that caused IdentitiesOnly=yes to not

apply to keys loaded from a PKCS11Provider; bz3141, ok dtucker@

OpenBSD-Commit-ID: e3dd6424b94685671fe84c9b9dbe352f

upstream: fix reversed test that caused IdentitiesOnly=yes to not

apply to keys loaded from a PKCS11Provider; bz3141, ok dtucker@

OpenBSD-Commit-ID: e3dd6424b94685671fe84c9b9dbe352fb659f677

show more ...


Revision tags: V_8_2_P1
# 96bd895a 06-Feb-2020 djm@openbsd.org

upstream: When using HostkeyAlgorithms to merely append or remove

algorithms from the default set (i.e. HostkeyAlgorithms=+/-...), retain the
default behaviour of preferring those algori

upstream: When using HostkeyAlgorithms to merely append or remove

algorithms from the default set (i.e. HostkeyAlgorithms=+/-...), retain the
default behaviour of preferring those algorithms that have existing keys in
known_hosts; ok markus

OpenBSD-Commit-ID: 040e7fcc38ea00146b5d224ce31ce7a1795ee6ed

show more ...


# a47f6a6c 06-Feb-2020 naddy@openbsd.org

upstream: Replace "security key" with "authenticator" in program

messages.

This replaces "security key" in error/usage/verbose messages and
distinguishes between "authenticator"

upstream: Replace "security key" with "authenticator" in program

messages.

This replaces "security key" in error/usage/verbose messages and
distinguishes between "authenticator" and "authenticator-hosted key".

ok djm@

OpenBSD-Commit-ID: 7c63800e9c340c59440a054cde9790a78f18592e

show more ...


# 7f8e66fe 23-Jan-2020 dtucker@openbsd.org

upstream: Make zlib optional. This adds a "ZLIB" build time option

that allows building without zlib compression and associated options. With
feedback from markus@, ok djm@

Ope

upstream: Make zlib optional. This adds a "ZLIB" build time option

that allows building without zlib compression and associated options. With
feedback from markus@, ok djm@

OpenBSD-Commit-ID: 44c6e1133a90fd15a3aa865bdedc53bab28b7910

show more ...


12345678910>>...24