path: root/auth-options.c
Commit log. Each entry gives the commit message, followed by author, age, files changed and lines changed (-removed/+added).
* upstream: Switch hpdelim interface to accept only ":" as delimiter.
  Author: dtucker@openbsd.org   Age: 2022-02-10   Files: 1   Lines: -2/+2
  Historically, hpdelim accepted ":" or "/" as a port delimiter between hosts (or addresses) and ports. These days most of the uses for "/" are no longer accepted, so there are several places where it checks the delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2 in the other cases.
  ok djm@
  OpenBSD-Commit-ID: 7e6420bd1be87590b6840973f5ad5305804e3102

* upstream: don't leak environment= variable when it is not the first match
  Author: djm@openbsd.org   Age: 2021-07-24   Files: 1   Lines: -2/+6
  OpenBSD-Commit-ID: 7fbdc3dfe0032deaf003fd937eeb4d434ee4efe0

* upstream: make authorized_keys environment="..." directives first-match-wins and more strictly limit their maximum number; prompted by OOM reported by OSS-fuzz (35470).
  Author: djm@openbsd.org   Age: 2021-07-23   Files: 1   Lines: -11/+24
  feedback and ok dtucker@
  OpenBSD-Commit-ID: 01f63fc10dcd995e7aed9c378ad879161af83121

* upstream: highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
  Author: djm@openbsd.org   Age: 2021-04-03   Files: 1   Lines: -2/+2
  OpenBSD-Commit-ID: e5c81f0cbdcc6144df1ce468ec1bac366d8ad6e9

* upstream: use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
  Author: djm@openbsd.org   Age: 2020-10-18   Files: 1   Lines: -8/+7
  OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8
* upstream: support for requiring user verified FIDO keys in sshd
  Author: djm@openbsd.org   Age: 2020-08-27   Files: 1   Lines: -5/+15
  This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it.
  feedback and ok markus@
  OpenBSD-Commit-ID: 3a2313aae153e043d57763d766bb6d55c4e276e6

* upstream: fix null-deref on calloc failure; ok djm
  Author: markus@openbsd.org   Age: 2020-03-13   Files: 1   Lines: -4/+6
  OpenBSD-Commit-ID: a313519579b392076b7831ec022dfdefbec8724a

* upstream: change explicit_bzero();free() to freezero()
  Author: jsg@openbsd.org   Age: 2020-02-28   Files: 1   Lines: -3/+2
  While freezero() returns early if the pointer is NULL, the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundary.
  ok deraadt@ djm@
  OpenBSD-Commit-ID: 2660fa334fcc7cd05ec74dd99cb036f9ade6384a

* upstream: add a "no-touch-required" option for authorized_keys and a similar extension for certificates.
  Author: djm@openbsd.org   Age: 2019-11-25   Files: 1   Lines: -12/+26
  This option disables the default requirement that security key signatures attest that the user touched their key to authorize them.
  feedback deraadt, ok markus
  OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e
* remove duplicate #includes
  Author: Damien Miller   Age: 2019-10-02   Files: 1   Lines: -1/+0
  Prompted by Jakub Jelen

* upstream: Plug mem leaks on error paths, based in part on github pr#120 from David Carlier.
  Author: dtucker@openbsd.org   Age: 2019-09-13   Files: 1   Lines: -1/+2
  ok djm@.
  OpenBSD-Commit-ID: c57adeb1022a8148fc86e5a88837b3b156dbdb7e

* upstream: lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly
  Author: djm@openbsd.org   Age: 2019-09-06   Files: 1   Lines: -1/+2
  OpenBSD-Commit-ID: 5b522f4f2d844f78bf1cc4f3f4cc392e177b2080

* upstream: move authorized_keys option parsing helpers to misc.c and make them public; ok markus@
  Author: djm@openbsd.org   Age: 2019-09-03   Files: 1   Lines: -70/+1
  OpenBSD-Commit-ID: c18bcb2a687227b3478377c981c2d56af2638ea2

* Include stdlib.h for free() and calloc().
  Author: Darren Tucker   Age: 2019-07-23   Files: 1   Lines: -0/+1
* upstream: cap the number of permitopen/permitlisten directives we're willing to parse on a single authorized_keys line; ok deraadt@
  Author: djm@openbsd.org   Age: 2019-07-09   Files: 1   Lines: -2/+2
  OpenBSD-Commit-ID: a43a752c2555d26aa3fc754805a476f6e3e30f46

* upstream: Some asprintf() calls were checked < 0, rather than the precise == -1.
  Author: deraadt@openbsd.org   Age: 2019-06-28   Files: 1   Lines: -2/+2
  ok millert nicm tb, etc
  OpenBSD-Commit-ID: caecf8f57938685c04f125515b9f2806ad408d53

* upstream: Allow ssh_config IdentityAgent directive to accept environment variable names as well as explicit paths.
  Author: djm@openbsd.org   Age: 2018-10-03   Files: 1   Lines: -7/+10
  ok dtucker@
  OpenBSD-Commit-ID: 2f0996e103876c53d8c9dd51dcce9889d700767b

* upstream: allow bare port numbers to appear in PermitListen directives, e.g. PermitListen 2222 8080 is equivalent to: PermitListen *:2222 *:8080
  Author: djm@openbsd.org   Age: 2018-06-19   Files: 1   Lines: -5/+17
  Some bonus manpage improvements, mostly from markus@
  "looks fine" markus@
  OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24

* upstream: some permitlisten fixes from markus@ that I missed in my insomnia-fueled commits last night
  Author: djm@openbsd.org   Age: 2018-06-07   Files: 1   Lines: -4/+4
  OpenBSD-Commit-ID: 26f23622e928996086e85b1419cc1c0f136e359c

* upstream: fix regression caused by recent permitlisten option commit: authorized_keys lines that contained permitopen/permitlisten were being treated as invalid.
  Author: djm@openbsd.org   Age: 2018-06-07   Files: 1   Lines: -5/+5
  OpenBSD-Commit-ID: 7ef41d63a5a477b405d142dc925b67d9e7aaa31b
* upstream: permitlisten option for authorized_keys; ok markus@
  Author: djm@openbsd.org   Age: 2018-06-06   Files: 1   Lines: -46/+94
  OpenBSD-Commit-ID: 8650883018d7aa893173d703379e4456a222c672

* upstream: relax checking of authorized_keys environment="..." options to allow underscores in variable names (regression introduced in 7.7).
  Author: djm@openbsd.org   Age: 2018-04-06   Files: 1   Lines: -2/+2
  bz2851, ok deraadt@
  OpenBSD-Commit-ID: 69690ffe0c97ff393f2c76d25b4b3d2ed4e4ac9c

* upstream: rename recently-added "valid-before" key restriction to "expiry-time" as the former is confusing wrt similar terminology in X.509; pointed out by jsing@
  Author: djm@openbsd.org   Age: 2018-03-14   Files: 1   Lines: -2/+2
  OpenBSD-Commit-ID: 376939466a1f562f3950a22314bc6505733aaae6

* upstream: add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date.
  Author: djm@openbsd.org   Age: 2018-03-14   Files: 1   Lines: -3/+29
  ok markus@
  OpenBSD-Commit-ID: 1793b4dd5184fa87f42ed33c7b0f4f02bc877947

* upstream: switch over to the new authorized_keys options API and remove the legacy one.
  Author: djm@openbsd.org   Age: 2018-03-03   Files: 1   Lines: -647/+3
  Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines.
  feedback and ok markus@
  OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df

* upstream: Introduce a new API for handling authorized_keys options.
  Author: djm@openbsd.org   Age: 2018-03-03   Files: 1   Lines: -1/+828
  This API parses options to a dedicated structure rather than the old API's approach of setting global state. It also includes support for merging options, e.g. from authorized_keys, authorized_principals and/or certificates.
  feedback and ok markus@
  OpenBSD-Commit-ID: 98badda102cd575210d7802943e93a34232c80a2
* upstream commit
  Author: djm@openbsd.org   Age: 2017-09-12   Files: 1   Lines: -3/+8
  refactor channels.c
  Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh. Explicitly pass "struct ssh" to all channels functions. Replace use of the legacy packet APIs in channels.c.
  Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
  ok markus@
  Upstream-ID: 11828f161656b965cc306576422613614bea2d8f

* upstream commit
  Author: markus@openbsd.org   Age: 2017-06-01   Files: 1   Lines: -2/+3
  make sure we don't pass a NULL string to vfprintf (triggered by the principals-command regress test); ok bluhm
  Upstream-ID: eb49854f274ab37a0b57056a6af379a0b7111990

* upstream commit
  Author: djm@openbsd.org   Age: 2016-11-30   Files: 1   Lines: -6/+21
  When a forced-command appears in both a certificate and an authorized keys/principals command= restriction, refuse to accept the certificate unless they are identical.
  The previous (documented) behaviour of having the certificate forced-command override the other could be a bit confused and more error-prone.
  Pointed out by Jann Horn of Project Zero; ok dtucker@
  Upstream-ID: 79d811b6eb6bbe1221bf146dde6928f92d2cd05f

* upstream commit
  Author: djm@openbsd.org   Age: 2016-03-07   Files: 1   Lines: -5/+8
  refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c
  feedback and ok markus@
  Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e

* upstream commit
  Author: mmcc@openbsd.org   Age: 2015-12-11   Files: 1   Lines: -17/+9
  Remove NULL-checks before free().
  ok dtucker@
  Upstream-ID: e3d3cb1ce900179906af36517b5eea0fb15e6ef8
* upstream commit
  Author: djm@openbsd.org   Age: 2015-11-16   Files: 1   Lines: -30/+57
  Add a new authorized_keys option "restrict" that includes all current and future key restrictions (no-*-forwarding, etc). Also add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty". This simplifies the task of setting up restricted keys and ensures they are maximally-restricted, regardless of any permissions we might implement in the future.
  Example:
  restrict,pty,command="nethack" ssh-ed25519 AAAAC3NzaC1lZDI1...
  Idea from Jann Horn; ok markus@
  Upstream-ID: 04ceb9d448e46e67e13887a7ae5ea45b4f1719d0

* upstream commit
  Author: djm@openbsd.org   Age: 2015-07-15   Files: 1   Lines: -30/+16
  delete support for legacy v00 certificates; "sure" markus@ dtucker@
  Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f

* upstream commit
  Author: djm@openbsd.org   Age: 2015-05-10   Files: 1   Lines: -9/+14
  Don't make parsing of authorized_keys' environment= option conditional on PermitUserEnv - always parse it, but only use the result if the option is enabled. This prevents the syntax of authorized_keys changing depending on which sshd_config options were enabled.
  bz#2329; based on patch from coladict AT gmail.com, ok dtucker@

* upstream commit
  Author: djm@openbsd.org   Age: 2015-04-29   Files: 1   Lines: -2/+2
  unknown certificate extensions are non-fatal, so don't fatal when they are encountered; bz#2387 reported by Bob Van Zant; ok dtucker@

* upstream commit
  Author: markus@openbsd.org   Age: 2015-01-14   Files: 1   Lines: -44/+39
  switch auth-options to new sshbuf/sshkey; ok djm@
* - millert@cvs.openbsd.org 2014/07/15 15:54:14
  Author: Damien Miller   Age: 2014-07-18   Files: 1   Lines: -2/+3
  [PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
  [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
  [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
  [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
  [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
  [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
  [sshd_config.5 sshlogin.c]
  Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html
  OK djm@ markus@

* - djm@cvs.openbsd.org 2014/06/24 01:13:21
  Author: Damien Miller   Age: 2014-07-02   Files: 1   Lines: -7/+7
  [Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c sshconnect2.c sshd.c sshkey.c sshkey.h openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h]
  New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
  with and ok markus@
  Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
  NB. This commit also removes portable OpenSSH support for OpenSSL <0.9.8e.

* - djm@cvs.openbsd.org 2013/12/19 00:27:57
  Author: Damien Miller   Age: 2013-12-29   Files: 1   Lines: -7/+7
  [auth-options.c]
  simplify freeing of source-address certificate restriction

* - djm@cvs.openbsd.org 2013/11/08 00:39:15
  Author: Damien Miller   Age: 2013-11-08   Files: 1   Lines: -2/+2
  [auth-options.c auth2-chall.c authfd.c channels.c cipher-3des1.c]
  [clientloop.c gss-genr.c monitor_mm.c packet.c schnorr.c umac.c]
  [sftp-client.c sftp-glob.c]
  use calloc for all structure allocations; from markus@

* - markus@cvs.openbsd.org 2013/11/02 22:34:01
  Author: Damien Miller   Age: 2013-11-03   Files: 1   Lines: -5/+1
  [auth-options.c]
  no need to include monitor_wrap.h and ssh-gss.h
* - djm@cvs.openbsd.org 2013/07/12 00:19:59
  Author: Damien Miller   Age: 2013-07-18   Files: 1   Lines: -3/+5
  [auth-options.c auth-rsa.c bufaux.c buffer.h channels.c hostfile.c]
  [hostfile.h mux.c packet.c packet.h roaming_common.c serverloop.c]
  fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@

* - djm@cvs.openbsd.org 2013/05/17 00:13:13
  Author: Darren Tucker   Age: 2013-06-01   Files: 1   Lines: -30/+30
  [xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c dns.c packet.c readpass.c authfd.c moduli.c]
  bye, bye xfree(); ok markus@

* - djm@cvs.openbsd.org 2012/12/02 20:46:11
  Author: Damien Miller   Age: 2012-12-02   Files: 1   Lines: -2/+2
  [auth-options.c channels.c servconf.c servconf.h serverloop.c session.c]
  [sshd_config.5]
  make AllowTcpForwarding accept "local" and "remote" in addition to its current "yes"/"no" to allow the server to specify whether just local or remote TCP forwarding is enabled. ok markus@

* - djm@cvs.openbsd.org 2011/10/18 04:58:26
  Author: Damien Miller   Age: 2011-10-18   Files: 1   Lines: -15/+1
  [auth-options.c key.c]
  remove explicit search for \0 in packet strings, this job is now done implicitly by buffer_get_cstring; ok markus

* - dtucker@cvs.openbsd.org 2011/09/23 00:22:04
  Author: Darren Tucker   Age: 2011-10-02   Files: 1   Lines: -2/+2
  [channels.c auth-options.c servconf.c channels.h sshd.8]
  Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857, ok djm markus.
* - djm@cvs.openbsd.org 2010/12/24 21:41:48
  Author: Damien Miller   Age: 2011-01-06   Files: 1   Lines: -2/+2
  [auth-options.c]
  don't send the actual forced command in a debug message; ok markus deraadt

* - djm@cvs.openbsd.org 2010/08/31 09:58:37
  Author: Damien Miller   Age: 2010-08-31   Files: 1   Lines: -4/+4
  [auth-options.c auth1.c auth2.c bufaux.c buffer.h kex.c key.c packet.c]
  [packet.h ssh-dss.c ssh-rsa.c]
  Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters*
  This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function.
  Use the new API in a few sensitive places.
  * actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.

* - djm@cvs.openbsd.org 2010/05/20 23:46:02
  Author: Damien Miller   Age: 2010-05-21   Files: 1   Lines: -102/+180
  [PROTOCOL.certkeys auth-options.c ssh-keygen.c]
  Move the permit-* options to the non-critical "extensions" field for v01 certificates. The logic is that if another implementation fails to implement them then the connection just loses features rather than fails outright. ok markus@

* - djm@cvs.openbsd.org 2010/05/07 11:30:30
  Author: Damien Miller   Age: 2010-05-10   Files: 1   Lines: -1/+42
  [auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c]
  [key.c servconf.c servconf.h sshd.8 sshd_config.5]
  add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable.
  When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option. For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names. If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply.
  These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
  feedback and ok markus@