1. 17 Jan, 2014 1 commit
  2. 07 Dec, 2013 1 commit
      - markus@cvs.openbsd.org 2013/12/06 13:39:49 · 5be9d9e3
      Damien Miller authored
           [authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c]
           [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c]
           [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c]
           [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c]
           [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c]
           support ed25519 keys (hostkeys and user identities) using the public
           domain ed25519 reference code from SUPERCOP, see
           http://ed25519.cr.yp.to/software.html
           feedback, help & ok djm@
  3. 21 Nov, 2013 1 commit
  4. 24 Oct, 2013 1 commit
  5. 23 Oct, 2013 3 commits
  6. 17 Oct, 2013 2 commits
      - djm@cvs.openbsd.org 2013/10/16 22:49:39 · 3850559b
      Damien Miller authored
           [readconf.c readconf.h ssh.1 ssh.c ssh_config.5]
           s/canonicalise/canonicalize/ for consistency with existing spelling,
           e.g. authorized_keys; pointed out by naddy@
      - djm@cvs.openbsd.org 2013/10/16 02:31:47 · 0faf747e
      Damien Miller authored
           [readconf.c readconf.h roaming_client.c ssh.1 ssh.c ssh_config.5]
           [sshconnect.c sshconnect.h]
           Implement client-side hostname canonicalisation to allow an explicit
           search path of domain suffixes to use to convert unqualified host names
           to fully-qualified ones for host key matching.
           This is particularly useful for host certificates, which would otherwise
           need to list unqualified names alongside fully-qualified ones (and this
           causes a number of problems).
           "looks fine" markus@
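The commit above describes the canonicalization rule only in outline. The following simulation, an added example and not OpenSSH's code, walks an unqualified name through an explicit CanonicalDomains search path and shows why the fully-qualified result matters for host certificate principals. The option names are those of ssh_config(5) (CanonicalizeHostname, CanonicalDomains, CanonicalizeMaxDots, CanonicalizeFallbackLocal); the resolver table, hostnames and certificate principals are constructed for the demonstration.

```python
"""Client-side hostname canonicalization as ssh_config(5) describes it.

Added example, not OpenSSH's code. The knobs are named after the real options
(CanonicalizeHostname, CanonicalDomains, CanonicalizeMaxDots,
CanonicalizeFallbackLocal); the resolver table, hostnames and certificate
principals below are constructed for the demonstration.
"""

# Constructed stand-in for DNS: the names that would resolve.
RESOLVABLE = {
    "db1.corp.example.com",
    "web.example.com",
    "db1.example.org",      # exists, but example.org is not in our search path
}


def resolves(name: str) -> bool:
    return name.lower().rstrip(".") in RESOLVABLE


def canonicalize(host: str, canonical_domains, max_dots: int = 1,
                 fallback_local: bool = True) -> str:
    """Return the name ssh would use for host key (or certificate principal)
    matching. A name with more than max_dots dots is treated as already
    qualified and left alone; otherwise each suffix in canonical_domains is
    appended in order and the first candidate that resolves wins. When nothing
    resolves, fallback_local keeps the name as typed (local resolver rules
    apply); without it the connection is refused."""
    host = host.lower().rstrip(".")
    if host.count(".") > max_dots:
        return host
    for domain in canonical_domains:
        candidate = f"{host}.{domain}"
        if resolves(candidate):
            return candidate
    if fallback_local:
        return host
    raise LookupError(f"could not resolve {host!r} in any of CanonicalDomains")


# Constructed host certificate: valid only for the fully-qualified name.
HOST_CERT_PRINCIPALS = ("db1.corp.example.com",)


def host_cert_principal_ok(host: str, canonical_domains, **opts) -> bool:
    """Whether the host certificate's principal list covers the name ssh ends
    up matching against. With an empty search path an unqualified 'db1' never
    matches, which is exactly the name the certificate would otherwise have to
    list alongside the FQDN."""
    return canonicalize(host, canonical_domains, **opts) in HOST_CERT_PRINCIPALS


if __name__ == "__main__":
    search = ["corp.example.com", "example.com"]
    for h in ("db1", "web", "db1.corp.example.com", "nosuch"):
        print(h, "->", canonicalize(h, search))
```

Note that "db1.example.org" is resolvable in the constructed table but is never tried: only suffixes listed in CanonicalDomains are appended, which is what keeps a typo'd short name from silently landing on a look-alike host in another domain.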
  7. 15 Oct, 2013 2 commits
      - djm@cvs.openbsd.org 2013/10/14 23:28:23 · e9fc72ed
      Damien Miller authored
           [canohost.c misc.c misc.h readconf.c sftp-server.c ssh.c]
           refactor client config code a little:
           add multistate option parsing to readconf.c, similar to servconf.c's
           existing code.
           move checking of options that accept "none" as an argument to readconf.c
           add a lowercase() function and use it instead of explicit tolower() in
           loops
           part of a larger diff that was ok markus@
      - djm@cvs.openbsd.org 2013/10/14 22:22:05 · 194fd904
      Damien Miller authored
           [readconf.c readconf.h ssh-keysign.c ssh.c ssh_config.5]
           add a "Match" keyword to ssh_config that allows matching on hostname,
           user and result of arbitrary commands. "nice work" markus@
  8. 20 Aug, 2013 1 commit
      - djm@cvs.openbsd.org 2013/08/20 00:11:38 · 1262b663
      Damien Miller authored
           [readconf.c readconf.h ssh_config.5 sshconnect.c]
           Add a ssh_config ProxyUseFDPass option that supports the use of
           ProxyCommands that establish a connection and then pass a connected
           file descriptor back to ssh(1). This allows the ProxyCommand to exit
           rather than have to shuffle data back and forth and enables ssh to use
           getpeername, etc. to obtain address information just like it does with
           regular directly-connected sockets. ok markus@
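What a ProxyCommand has to do under ProxyUseFDPass is small but easy to get wrong, so here is a complete one as an added example (not OpenSSH's code). With ProxyUseFDPass, ssh(1) gives the ProxyCommand a Unix-domain socket (one end of a socketpair) as its stdout instead of a pipe and expects a single message carrying a single descriptor; the script connects, passes the connected socket over that channel, and exits. receive_fd() stands in for ssh(1)'s side so the exchange can be exercised offline against a local listener; the script path in the ssh_config comment is hypothetical.

```python
"""A ProxyCommand for 'ProxyUseFDPass yes': connect to the target, pass the
connected socket back to the parent over stdout with SCM_RIGHTS, and exit.

Added example, not OpenSSH's code. receive_fd() plays ssh(1)'s side so the
exchange can be tested offline. Hypothetical ssh_config stanza:

    Host target.example.com
        ProxyUseFDPass yes
        ProxyCommand /usr/local/libexec/fdpass-proxy.py %h %p
"""
import array
import socket
import sys


def send_fd(chan: socket.socket, fd: int) -> None:
    """Send one descriptor as ancillary data of a single 1-byte message."""
    rights = array.array("i", [fd])
    chan.sendmsg([b"\0"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, rights)])


def receive_fd(chan: socket.socket) -> int:
    """Receive exactly one descriptor; the kernel installs it in our table."""
    fds = array.array("i")
    _msg, ancdata, _flags, _addr = chan.recvmsg(1, socket.CMSG_SPACE(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[: len(data) - (len(data) % fds.itemsize)])
    if len(fds) != 1:
        raise RuntimeError("expected exactly one passed descriptor")
    return fds[0]


def proxy_connect_and_pass(host: str, port: int, chan: socket.socket) -> None:
    """The ProxyCommand's whole job: connect, hand the socket over, drop our
    copy. The parent now holds its own reference, so we are free to exit
    instead of shuffling bytes for the lifetime of the session."""
    conn = socket.create_connection((host, port))   # left blocking on purpose
    try:
        send_fd(chan, conn.fileno())
    finally:
        conn.close()


def demo() -> tuple:
    """Offline end-to-end run: a local listener plays the SSH server and a
    socketpair plays the stdout ssh(1) hands the ProxyCommand. Returns the
    banner the parent reads from the passed socket and the peer address it
    sees via getpeername(), which is the point of passing a real socket."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    parent_end, child_end = socket.socketpair()      # "stdout" of the proxy
    proxy_connect_and_pass("127.0.0.1", port, child_end)
    child_end.close()                                 # the proxy has exited

    conn = socket.socket(fileno=receive_fd(parent_end))   # parent owns a socket
    conn.settimeout(5)
    server_side, _ = listener.accept()
    server_side.sendall(b"SSH-2.0-OpenSSH_demo\r\n")      # constructed banner
    banner = conn.recv(64)
    peer = conn.getpeername()[0]       # works on a socket, never on a pipe
    for s in (conn, server_side, listener, parent_end):
        s.close()
    return banner, peer


if __name__ == "__main__":
    if len(sys.argv) == 3:   # invoked by ssh(1) as: ProxyCommand ... %h %p
        proxy_connect_and_pass(sys.argv[1], int(sys.argv[2]), socket.socket(fileno=1))
    else:
        print(demo())
```

Run without arguments it exercises the whole exchange locally; with "%h %p" it behaves as the ProxyCommand. The connection is deliberately created without a Python timeout, because a timeout would set O_NONBLOCK on the shared file description that ssh(1) inherits.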
  9. 18 Jul, 2013 1 commit
  10. 05 Jun, 2013 1 commit
  11. 01 Jun, 2013 1 commit
      - djm@cvs.openbsd.org 2013/05/17 00:13:13 · a627d42e
      Darren Tucker authored
           [xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
           ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c
           gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c
           auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c
           servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c
           auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c
           sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c
           kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c
           kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c
           monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c
           ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c
           sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c
           ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
           dns.c packet.c readpass.c authfd.c moduli.c]
           bye, bye xfree(); ok markus@
  12. 16 May, 2013 5 commits
  13. 23 Apr, 2013 1 commit
  14. 05 Apr, 2013 2 commits
  15. 02 Oct, 2011 1 commit
      - markus@cvs.openbsd.org 2011/09/23 07:45:05 · 68afb8c5
      Darren Tucker authored
           [mux.c readconf.h channels.h compat.h compat.c ssh.c readconf.c channels.c version.h]
           unbreak remote portforwarding with dynamic allocated listen ports:
           1) send the actual listen port in the open message (instead of 0).
              this allows multiple forwardings with a dynamic listen port
           2) update the matching permit-open entry, so we can identify where
              to connect to
           report: den at skbkontur.ru and P. Szczygielski
           feedback and ok djm@
  16. 29 May, 2011 1 commit
      - djm@cvs.openbsd.org 2011/05/24 07:15:47 · 295ee63a
      Damien Miller authored
           [readconf.c readconf.h ssh.c ssh_config.5 sshconnect.c sshconnect2.c]
           Remove undocumented legacy options UserKnownHostsFile2 and
           GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile
           accept multiple paths per line and making their defaults include
           known_hosts2; ok markus
  17. 14 May, 2011 2 commits
      - djm@cvs.openbsd.org 2011/05/06 21:34:32 · 21771e22
      Damien Miller authored
           [clientloop.c mux.c readconf.c readconf.h ssh.c ssh_config.5]
           Add a RequestTTY ssh_config option to allow configuration-based
           control over tty allocation (like -t/-T); ok markus@
      - djm@cvs.openbsd.org 2011/05/06 21:31:38 · fe924217
      Damien Miller authored
           [readconf.c ssh_config.5]
           support negated Host matching, e.g.
      
           Host *.example.org !c.example.org
              User mekmitasdigoat
      
           Will match "a.example.org", "b.example.org", but not "c.example.org"
           ok markus@
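The negation rule in the commit above, and the host pattern lists accepted by the "Match" keyword added in 194fd904 further up, share one matching rule that is worth seeing spelled out: a matching negated pattern vetoes the block wherever it sits on the line, otherwise at least one positive pattern must match. The following is an added example, not OpenSSH's own match.c or readconf.c; it implements ssh_config(5)'s pattern syntax ('*', '?' and a leading '!') and compares against the lowercased hostname, as ssh lowercases the destination before reading its configuration.

```python
"""Host-pattern matching as ssh_config(5) describes it, including negation.

Added example, not OpenSSH's own code. Pattern syntax: '*' matches any run of
characters, '?' one character, a leading '!' negates; matching is done on the
lowercased hostname, as ssh lowercases the destination before reading config.
"""


def match_pattern(pattern: str, target: str) -> bool:
    """Glob match supporting only '*' and '?' (no character classes),
    case-insensitive. Iterative, backtracking to the most recent '*'."""
    p, t = pattern.lower(), target.lower()
    pi = ti = 0
    star = -1          # index in p of the last '*' seen, or -1
    star_ti = 0        # position in t where that '*' currently starts matching
    while ti < len(t):
        if pi < len(p) and (p[pi] == "?" or p[pi] == t[ti]):
            pi += 1
            ti += 1
        elif pi < len(p) and p[pi] == "*":
            star, star_ti = pi, ti
            pi += 1
        elif star != -1:
            star_ti += 1
            pi, ti = star + 1, star_ti
        else:
            return False
    while pi < len(p) and p[pi] == "*":
        pi += 1
    return pi == len(p)


def block_applies(patterns, target: str) -> bool:
    """Shared rule for 'Host' and 'Match host': a matching negated pattern
    vetoes the block wherever it appears on the line; otherwise the block
    applies only if at least one positive pattern matched."""
    matched = False
    for pat in patterns:
        if not pat:
            continue
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if match_pattern(pat, target):
            if negated:
                return False
            matched = True
    return matched


def host_line_applies(host_line: str, target: str) -> bool:
    """'Host' keyword: patterns are separated by whitespace."""
    return block_applies(host_line.split(), target)


def match_host_applies(pattern_list: str, target: str) -> bool:
    """'Match host' keyword: patterns are separated by commas."""
    return block_applies(pattern_list.split(","), target)


if __name__ == "__main__":
    for h in ("a.example.org", "b.example.org", "c.example.org"):
        print(h, host_line_applies("*.example.org !c.example.org", h))
```

A practical consequence of the veto rule: "Host !c.example.org *.example.org" behaves the same as the order shown in the commit, and a bare "Host !*" block can never apply, so a negated pattern is only useful alongside a positive one.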
  18. 20 Nov, 2010 1 commit
      - djm@cvs.openbsd.org 2010/11/13 23:27:51 · 0dac6fb6
      Damien Miller authored
           [clientloop.c misc.c misc.h packet.c packet.h readconf.c readconf.h]
           [servconf.c servconf.h session.c ssh.c ssh_config.5 sshd_config.5]
           allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
           hardcoding lowdelay/throughput.
      
           bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
  19. 24 Sep, 2010 1 commit
      - djm@cvs.openbsd.org 2010/09/22 05:01:30 · d5f62bf2
      Damien Miller authored
           [kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c readconf.c readconf.h]
           [servconf.c servconf.h ssh_config.5 sshconnect2.c sshd.c sshd_config.5]
           add a KexAlgorithms knob to the client and server configuration to allow
           selection of which key exchange methods are used by ssh(1) and sshd(8)
           and their order of preference.
           ok markus@
  20. 10 Sep, 2010 1 commit
  21. 31 Aug, 2010 1 commit
      - djm@cvs.openbsd.org 2010/08/31 11:54:45 · eb8b60e3
      Damien Miller authored
           [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c]
           [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c]
           [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c]
           [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c]
           [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h]
           [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5]
           [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c]
           Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
           host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
           better performance than plain DH and DSA at the same equivalent symmetric
           key length, as well as much shorter keys.
      
           Only the mandatory sections of RFC5656 are implemented, specifically the
           three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
           ECDSA. Point compression (optional in RFC5656) is NOT implemented.
      
           Certificate host and user keys using the new ECDSA key types are supported.
      
           Note that this code has not been tested for interoperability and may be
           subject to change.
      
           feedback and ok markus@
  22. 03 Aug, 2010 1 commit
      - djm@cvs.openbsd.org 2010/07/19 09:15:12 · e11e1ea5
      Damien Miller authored
           [clientloop.c readconf.c readconf.h ssh.c ssh_config.5]
           add a "ControlPersist" option that automatically starts a background
           ssh(1) multiplex master when connecting. This connection can stay alive
           indefinitely, or can be set to automatically close after a user-specified
           duration of inactivity. bz#1330 - patch by dwmw2 AT infradead.org, but
           further hacked on by wmertens AT cisco.com, apb AT cequrux.com,
           martin-mindrot-bugzilla AT earth.li and myself; "looks ok" markus@
  23. 26 Jun, 2010 1 commit
      - djm@cvs.openbsd.org 2010/06/25 23:10:30 · 1ab6a51f
      Damien Miller authored
           [ssh.c]
           log the hostname and address that we connected to at LogLevel=verbose
           after authentication is successful to mitigate "phishing" attacks by
           servers with trusted keys that accept authentication silently and
           automatically before presenting fake password/passphrase prompts;
           "nice!" markus@
  24. 25 Jun, 2010 1 commit
  25. 21 May, 2010 1 commit
      - markus@cvs.openbsd.org 2010/05/16 12:55:51 · 388f6fc4
      Damien Miller authored
           [PROTOCOL.mux clientloop.h mux.c readconf.c readconf.h ssh.1 ssh.c]
           mux support for remote forwarding with dynamic port allocation,
           use with
              LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost`
           feedback and ok djm@
  26. 11 Feb, 2010 1 commit
      - markus@cvs.openbsd.org 2010/02/08 10:50:20 · 7ea845e4
      Damien Miller authored
           [pathnames.h readconf.c readconf.h scp.1 sftp.1 ssh-add.1 ssh-add.c]
           [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config.5]
           replace our obsolete smartcard code with PKCS#11.
              ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf
           ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11
           provider (shared library) while ssh-agent(1) delegates PKCS#11 to
           a forked ssh-pkcs11-helper process.
           PKCS#11 is currently a compile time option.
           feedback and ok djm@; inspired by patches from Alon Bar-Lev
  27. 09 Jan, 2010 2 commits
      - dtucker@cvs.openbsd.org 2010/01/09 23:04:13 · 7bd98e7f
      Darren Tucker authored
           [channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h
           ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c
           readconf.h scp.1 sftp.1 ssh_config.5 misc.h]
           Remove RoutingDomain from ssh since it's now not needed.  It can be
           replaced with "route exec" or "nc -V" as a proxycommand.  "route exec"
           also ensures that traffic such as DNS lookups stays within the specified
           routingdomain.  For example (from reyk):
           # route -T 2 exec /usr/sbin/sshd
           or inherited from the parent process
           $ route -T 2 exec sh
           $ ssh 10.1.2.3
           ok deraadt@ markus@ stevesk@ reyk@
      - (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c] · 8c65f646
      Darren Tucker authored
         Remove hacks added for RoutingDomain in preparation for its removal.
  28. 08 Jan, 2010 2 commits