Commit message | Author | Age | Files | Lines
* Wrap stdint.h in ifdef HAVE_STDINT_H. | Darren Tucker | 2020-01-15 | 1 | -0/+2
* Wrap stdint.h inside HAVE_STDINT_H. | Darren Tucker | 2020-01-14 | 1 | -1/+3
* Include compat header for definitions. | Darren Tucker | 2020-01-14 | 1 | -0/+2
* Improve search for 'struct timespec'. | Darren Tucker | 2020-01-14 | 2 | -1/+26
  Make struct timespec test consistent with existing timeval test.
  Include time.h for timespec in compat header where required.
* Update depend to remove rmd160.h. | Darren Tucker | 2020-01-14 | 1 | -176/+173
* Remove configure test & compat code for ripemd160. | Darren Tucker | 2020-01-14 | 7 | -459/+0
  RIPEMD160 support was removed upstream in 2017, however we still had a configure test and compat code for it, so clean those up now.
* upstream: fix reversed arguments on expand_proxy_command(); spotted | djm@openbsd.org | 2020-01-09 | 1 | -2/+2
  by anton@
  OpenBSD-Commit-ID: db1c32478a01dfbc9c4db171de0f25907bea5775
* upstream: put the fido options in a list, and tidy up the text a | jmc@openbsd.org | 2020-01-09 | 1 | -19/+17
  little; ok djm
  OpenBSD-Commit-ID: 491ce15ae52a88b7a6a2b3b6708a14b4aacdeebb
* Deny (non-fatal) ipc in preauth privsep child. | Jeremy Drake | 2020-01-08 | 1 | -0/+3
  As noted in openssh/openssh-portable#149, i386 does not have _NR_shmget etc. Instead, it has a single ipc syscall (see man 2 ipc, https://linux.die.net/man/2/ipc). Add this syscall, if present, to the list of syscalls that seccomp will deny non-fatally.
* seccomp: Allow clock_gettime64() in sandbox. | Khem Raj | 2020-01-08 | 1 | -0/+3
  This helps sshd accept connections on mips platforms with upcoming glibc ( 2.31 )
* upstream: missing else in check_enroll_options() | djm@openbsd.org | 2020-01-06 | 1 | -1/+1
  OpenBSD-Commit-ID: e058fb918fda56ddbbf0bee910101004cec421d4
* upstream: fix error message | djm@openbsd.org | 2020-01-06 | 1 | -2/+1
  OpenBSD-Commit-ID: 1eb52025658eb78ea6223181e552862198d3d505
* upstream: adapt sk-dummy to SK API changes | djm@openbsd.org | 2020-01-06 | 1 | -71/+40
  also, make it pull prototypes directly from sk-api.c and #error if the expected version changes. This will make any future regress test breakage because of SK API changes much more apparent
  OpenBSD-Regress-ID: 79b07055de4feb988e31da71a89051ad5969829d
* upstream: Extends the SK API to accept a set of key/value options | djm@openbsd.org | 2020-01-06 | 10 | -121/+404
  for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each.
  At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O
  This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier.
  feedback, fixes and ok markus@
  OpenBSD-Commit-ID: 973ce11704609022ab36abbdeb6bc23c8001eabc
* upstream: fix CanonicalizeHostname, broken by rev 1.507 | beck@openbsd.org | 2020-01-06 | 1 | -2/+2
  Issue noticed and reported by Pierre-Olivier Martel <pom@apple.com>
  ok dtucker@ markus@ djm@
  OpenBSD-Commit-ID: 749f3168ec520609c35b0c4e1984e5fa47f16094
* Fix typo: 'you' -> 'your'. | Darren Tucker | 2020-01-05 | 1 | -1/+1
  bz#3108 from jmckitrick@gmail.com.
* Remove auth-skey.c. | Darren Tucker | 2020-01-05 | 2 | -108/+0
  S/Key support was removed in OpenSSH 7.8 but this file was missed.
* upstream: the download resident keys option is -K (upper) not -k | jmc@openbsd.org | 2020-01-04 | 1 | -3/+3
  (lower); ok djm
  OpenBSD-Commit-ID: 71dc28a3e1fa7c553844abc508845bcf5766e091
* upstream: what bozo decided to use 2020 as a future date in a regress | djm@openbsd.org | 2020-01-04 | 2 | -4/+4
  test?
  OpenBSD-Regress-ID: 3b953df5a7e14081ff6cf495d4e8d40e153cbc3a
* upstream: implement recent SK API change to support resident keys | djm@openbsd.org | 2020-01-03 | 1 | -5/+28
  and PIN prompting in the dummy middleware that we use for the tests. Should fix breakage spotted by dtucker@
  OpenBSD-Regress-ID: 379cf9eabfea57aaf7f3f59dafde59889566c484
* upstream: Update keygen moduli screen test to match recent command | dtucker@openbsd.org | 2020-01-03 | 1 | -3/+3
  line option change to ssh-keygen(1).
  OpenBSD-Regress-ID: 744a72755004377e9669b662c13c6aa9ead8a0c3
* upstream: ability to download FIDO2 resident keys from a token via | djm@openbsd.org | 2020-01-02 | 2 | -63/+172
  "ssh-keygen -K". This will save public/private keys into the current directory.
  This is handy if you move a token between hosts.
  feedback & ok markus@
  OpenBSD-Commit-ID: d57c1f9802f7850f00a117a1d36682a6c6d10da6
* upstream: add sshkey_save_public(), to save a public key; ok | djm@openbsd.org | 2020-01-02 | 2 | -2/+35
  markus@
  OpenBSD-Commit-ID: 5d6f96a966d10d7fa689ff9aa9e1d6767ad5a076
* upstream: simplify the list for moduli options - no need for | jmc@openbsd.org | 2020-01-02 | 1 | -8/+2
  -compact;
  OpenBSD-Commit-ID: 6492c72280482c6d072be46236b365cb359fc280
* ssh-sk-null.cc needs extern "C" {} | Damien Miller | 2020-01-02 | 1 | -0/+4
* add dummy ssh-sk API for linking with fuzzers | Damien Miller | 2020-01-02 | 1 | -0/+46
* refresh depend | Damien Miller | 2019-12-30 | 1 | -4/+4
* upstream: Remove the -x option currently used for | djm@openbsd.org | 2019-12-30 | 2 | -38/+46
  FIDO/U2F-specific key flags. Instead these flags may be specified via -O.
  ok markus@
  OpenBSD-Commit-ID: f23ebde2a8a7e1bf860a51055a711cffb8c328c1
* upstream: document SK API changes in PROTOCOL.u2f | djm@openbsd.org | 2019-12-30 | 1 | -2/+20
  ok markus@
  OpenBSD-Commit-ID: 52622363c103a3c4d3d546050480ffe978a32186
* upstream: translate and return error codes; retry on bad PIN | djm@openbsd.org | 2019-12-30 | 6 | -34/+82
  Define some well-known error codes in the SK API and pass them back via ssh-sk-helper.
  Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys.
  feedback and ok markus@
  OpenBSD-Commit-ID: 9663c6a2bb7a0bc8deaccc6c30d9a2983b481620
* upstream: improve some error messages; ok markus@ | djm@openbsd.org | 2019-12-30 | 1 | -11/+11
  OpenBSD-Commit-ID: 4ccd8ddabb8df4f995107dd3b7ea58220e93cb81
* upstream: SK API and sk-helper error/PIN passing | djm@openbsd.org | 2019-12-30 | 9 | -72/+165
  Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow.
  Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc.
  feedback and ok markus@
  OpenBSD-Commit-ID: a1bd6b0a2421646919a0c139b8183ad76d28fb71
* upstream: implement loading resident keys in ssh-add | djm@openbsd.org | 2019-12-30 | 1 | -5/+63
  "ssh-add -O" will load resident keys from a FIDO2 token and add them to a ssh-agent.
  feedback and ok markus@
  OpenBSD-Commit-ID: 608104ae957a7d65cb84e0a3a26c8f60e0df3290
* upstream: implement loading of resident keys in ssh-sk-helper | djm@openbsd.org | 2019-12-30 | 3 | -3/+121
  feedback and ok markus@
  OpenBSD-Commit-ID: b273c23769ea182c55c4a7b8f9cbd9181722011a
* upstream: resident keys support in SK API | djm@openbsd.org | 2019-12-30 | 4 | -12/+366
  Adds a sk_load_resident_keys() function to the security key API that accepts a security key provider and a PIN and returns a list of keys.
  Implement support for this in the usbhid middleware.
  feedback and ok markus@
  OpenBSD-Commit-ID: 67e984e4e87f4999ce447a6178c4249a9174eff0
* upstream: Factor out parsing of struct sk_enroll_response | djm@openbsd.org | 2019-12-30 | 1 | -37/+64
  We'll reuse this for extracting resident keys from a device.
  feedback and ok markus@
  OpenBSD-Commit-ID: 9bc1efd9c6897eac4df0983746cf6578c1542273
* upstream: basic support for generating FIDO2 resident keys | djm@openbsd.org | 2019-12-30 | 4 | -4/+16
  "ssh-keygen -t ecdsa-sk|ed25519-sk -x resident" will generate a device-resident key.
  feedback and ok markus@
  OpenBSD-Commit-ID: 8e1b3c56a4b11d85047bd6c6c705b7eef4d58431
* upstream: remove single-letter flags for moduli options | djm@openbsd.org | 2019-12-30 | 2 | -163/+228
  Move all moduli generation options to live under the -O flag.
  Frees up seven single-letter flags.
  NB. this change breaks existing ssh-keygen commandline syntax for moduli-related operations. Very few people use these fortunately.
  feedback and ok markus@
  OpenBSD-Commit-ID: d498f3eaf28128484826a4fcb343612764927935
* upstream: prepare for use of ssh-keygen -O flag beyond certs | djm@openbsd.org | 2019-12-30 | 2 | -98/+101
  Move list of available certificate options in ssh-keygen.1 to the CERTIFICATES section.
  Collect options specified by -O but delay parsing/validation of certificate options until we're sure that we're acting as a CA.
  ok markus@
  OpenBSD-Commit-ID: 33e6bcc29cfca43606f6fa09bd84b955ee3a4106
* upstream: sort -Y internally in the options list, as is already | jmc@openbsd.org | 2019-12-30 | 1 | -17/+17
  done in synopsis;
  OpenBSD-Commit-ID: 86d033c5764404057616690d7be992e445b42274
* upstream: in the options list, sort -Y and -y; | jmc@openbsd.org | 2019-12-30 | 1 | -5/+5
  OpenBSD-Commit-ID: 24c2e6a3aeab6e050a0271ffc73fdff91c10dcaa
* upstream: Replace the term "security key" with "(FIDO) | naddy@openbsd.org | 2019-12-30 | 8 | -58/+52
  authenticator".
  The polysemous use of "key" was too confusing. Input from markus@.
  ok jmc@
  OpenBSD-Commit-ID: 12eea973a44c8232af89f86e4269d71ae900ca8f
* upstream: unit tests for ForwardAgent=/path; from Eric Chiang | djm@openbsd.org | 2019-12-21 | 2 | -3/+54
  OpenBSD-Regress-ID: 24f693f78290b2c17725dab2c614dffe4a88c8da
* upstream: test security key host keys in addition to user keys | djm@openbsd.org | 2019-12-21 | 9 | -33/+24
  OpenBSD-Regress-ID: 9fb45326106669a27e4bf150575c321806e275b1
* upstream: Allow forwarding a different agent socket to the path | djm@openbsd.org | 2019-12-21 | 7 | -28/+121
  specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to accept an explicit path or the name of an environment variable in addition to yes/no.
  Patch by Eric Chiang, manpage by me; ok markus@
  OpenBSD-Commit-ID: 98f2ed80bf34ea54d8b2ddd19ac14ebbf40e9265
* upstream: SSH U2F keys can now be used as host keys. Fix a garden | naddy@openbsd.org | 2019-12-21 | 1 | -5/+1
  path sentence. ok markus@
  OpenBSD-Commit-ID: 67d7971ca1a020acd6c151426c54bd29d784bd6b
* upstream: Move always unsupported keywords to be grouped with the other | dtucker@openbsd.org | 2019-12-20 | 1 | -5/+5
  ones. Move oSecurityProvider to match the order in the OpCodes enum.
  Patch from openbsd@academicsolutions.ch, ok djm@
  OpenBSD-Commit-ID: 061e4505861ec1e02ba3a63e3d1b3be3cad458ec
* upstream: Remove obsolete opcodes from the configuration enum. | dtucker@openbsd.org | 2019-12-20 | 1 | -6/+6
  Patch from openbsd@academicsolutions.ch, ok djm@
  OpenBSD-Commit-ID: 395c202228872ce8d9044cc08552ac969f51e01b
* upstream: Remove now-obsolete config options from example in | dtucker@openbsd.org | 2019-12-20 | 1 | -3/+1
  comment. Patch from openbsd@academicsolutions.ch, ok djm@
  OpenBSD-Commit-ID: 35862beb0927b1cb0af476ec23cc07f6e3006101
* upstream: Document that security key-hosted keys can act as host | naddy@openbsd.org | 2019-12-20 | 2 | -18/+38
  keys.
  Update the list of default host key algorithms in ssh_config.5 and sshd_config.5. Copy the description of the SecurityKeyProvider option to sshd_config.5.
  ok jmc@
  OpenBSD-Commit-ID: edadf3566ab5e94582df4377fee3b8b702c7eca0