1. 20 Oct, 2018 1 commit
    • GSSAPI key exchange support · 72b1d308
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2018-10-20
      
      Patch-Name: gssapi.patch
  2. 24 Aug, 2018 1 commit
    • GSSAPI key exchange support · e6c7c11a
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2018-08-24
      
      Patch-Name: gssapi.patch
  3. 03 Apr, 2018 1 commit
    • GSSAPI key exchange support · cb427e23
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2017-10-04
      
      Patch-Name: gssapi.patch
  4. 04 Oct, 2017 1 commit
    • GSSAPI key exchange support · 4e704909
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2017-10-04
      
      Patch-Name: gssapi.patch
  5. 29 Mar, 2017 1 commit
    • GSSAPI key exchange support · d51c7ac3
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2017-01-16
      
      Patch-Name: gssapi.patch
  6. 16 Jan, 2017 1 commit
    • GSSAPI key exchange support · 48fbb156
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2017-01-16
      
      Patch-Name: gssapi.patch
  7. 28 Dec, 2016 1 commit
    • GSSAPI key exchange support · 40ab38b3
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2016-12-28
      
      Patch-Name: gssapi.patch
  8. 23 Dec, 2016 1 commit
    • GSSAPI key exchange support · 9f717de1
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2016-08-07
      
      Patch-Name: gssapi.patch
  9. 07 Aug, 2016 1 commit
    • GSSAPI key exchange support · eecddf8b
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2016-08-07
      
      Patch-Name: gssapi.patch
  10. 07 Mar, 2016 1 commit
    • upstream commit · 95767262
      djm@openbsd.org authored
      refactor canohost.c: move functions that cache results closer
       to the places that use them (authn and session code). After this, no state is
       cached in canohost.c
      
      feedback and ok markus@
      
      Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
  11. 21 Jun, 2009 2 commits
  12. 14 Feb, 2009 1 commit
    • - djm@cvs.openbsd.org 2009/02/12 03:00:56 · 4bf648f7
      Damien Miller authored
           [canohost.c canohost.h channels.c channels.h clientloop.c readconf.c]
           [readconf.h serverloop.c ssh.c]
           support remote port forwarding with a zero listen port (-R0:...) to
           dynamically allocate a listen port at runtime (this is actually
           specified in rfc4254); bz#1003 ok markus@
  13. 26 Mar, 2006 1 commit
    • - djm@cvs.openbsd.org 2006/03/25 22:22:43 · 51096383
      Damien Miller authored
           [atomicio.h auth-options.h auth.h auth2-gss.c authfd.h authfile.h]
           [bufaux.h buffer.h canohost.h channels.h cipher.h clientloop.h]
           [compat.h compress.h crc32.c crc32.h deattack.h dh.h dispatch.h]
           [dns.c dns.h getput.h groupaccess.h gss-genr.c gss-serv-krb5.c]
           [gss-serv.c hostfile.h includes.h kex.h key.h log.h mac.h match.h]
           [misc.h monitor.h monitor_fdpass.h monitor_mm.h monitor_wrap.h msg.h]
           [myproposal.h packet.h pathnames.h progressmeter.h readconf.h rsa.h]
           [scard.h servconf.h serverloop.h session.h sftp-common.h sftp.h]
           [ssh-gss.h ssh.h ssh1.h ssh2.h sshconnect.h sshlogin.h sshpty.h]
           [ttymodes.h uidswap.h uuencode.h xmalloc.h]
           standardise spacing in $OpenBSD$ tags; requested by deraadt@
  14. 02 Feb, 2005 1 commit
  15. 04 Jul, 2001 2 commits
    • - markus@cvs.openbsd.org 2001/06/26 17:27:25 · 4cc240da
      Ben Lindstrom authored
           [authfd.h authfile.h auth.h auth-options.h bufaux.h buffer.h
            canohost.h channels.h cipher.h clientloop.h compat.h compress.h
            crc32.h deattack.h dh.h dispatch.h groupaccess.c groupaccess.h
            hostfile.h kex.h key.h log.c log.h mac.h misc.c misc.h mpaux.h
            packet.h radix.h readconf.h readpass.h rsa.h servconf.h serverloop.h
            session.h sftp-common.c sftp-common.h sftp-glob.h sftp-int.h
            sshconnect.h ssh-dss.h sshlogin.h sshpty.h ssh-rsa.h sshtty.h
            tildexpand.h uidswap.h uuencode.h xmalloc.h]
           remove comments from .h, since they are cut&paste from the .c files
           and out of sync
    • - itojun@cvs.openbsd.org 2001/06/26 06:32:58 · 16ae3d0d
      Ben Lindstrom authored
           [atomicio.h authfd.h authfile.h auth.h auth-options.h bufaux.h
            buffer.h canohost.h channels.h cipher.h clientloop.h compat.h
            compress.h crc32.h deattack.h dh.h dispatch.h groupaccess.h
            hostfile.h kex.h key.h log.h mac.h match.h misc.h mpaux.h packet.h
            radix.h readconf.h readpass.h rsa.h]
           prototype pedant.  not very creative...
           - () -> (void)
           - no variable names
  16. 12 Apr, 2001 1 commit
    • - markus@cvs.openbsd.org 2001/04/12 19:15:26 · 5eabda30
      Ben Lindstrom authored
           [auth-rhosts.c auth.h auth2.c buffer.c canohost.c canohost.h
            compat.c compat.h hostfile.c pathnames.h readconf.c readconf.h
            servconf.c servconf.h ssh.c sshconnect.c sshconnect.h sshconnect1.c
            sshconnect2.c sshd_config]
           implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
           similar to RhostRSAAuthentication unless you enable (the experimental)
           HostbasedUsesNameFromPacketOnly option.  please test. :)
  17. 05 Apr, 2001 1 commit
  18. 04 Feb, 2001 1 commit
    • · 33804263
      Damien Miller authored
      NB: big update - may break stuff. Please test!
      
       - (djm) OpenBSD CVS sync:
         - markus@cvs.openbsd.org  2001/02/03 03:08:38
           [auth-options.c auth-rh-rsa.c auth-rhosts.c auth.c canohost.c]
           [canohost.h servconf.c servconf.h session.c sshconnect1.c sshd.8]
           [sshd_config]
           make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@
         - markus@cvs.openbsd.org  2001/02/03 03:19:51
           [ssh.1 sshd.8 sshd_config]
           Skey is now called ChallengeResponse
         - markus@cvs.openbsd.org  2001/02/03 03:43:09
           [sshd.8]
           use no-pty option in .ssh/authorized_keys* if you need a 8-bit clean
           channel. note from Erik.Anggard@cygate.se (pr/1659)
         - stevesk@cvs.openbsd.org 2001/02/03 10:03:06
           [ssh.1]
           typos; ok markus@
         - djm@cvs.openbsd.org     2001/02/04 04:11:56
           [scp.1 sftp-server.c ssh.1 sshd.8 sftp-client.c sftp-client.h]
           [sftp-common.c sftp-common.h sftp-int.c sftp-int.h sftp.1 sftp.c]
           Basic interactive sftp client; ok theo@
       - (djm) Update RPM specs for new sftp binary
       - (djm) Update several bits for new optional reverse lookup stuff. I
         think I got them all.
  19. 29 Jan, 2001 2 commits
    • - (djm) OpenBSD CVS Sync: · d83ff35d
      Damien Miller authored
         - markus@cvs.openbsd.org  2001/01/29 12:42:35
           [canohost.c canohost.h channels.c clientloop.c]
           add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS
    • - niklas@cvs.openbsd.org 2001/01/2001 · 36579d3d
      Ben Lindstrom authored
           [atomicio.h canohost.h clientloop.h deattack.h dh.h dispatch.h
            groupaccess.c groupaccess.h hmac.h hostfile.h includes.h kex.h
            key.h log.h login.h match.h misc.h myproposal.h nchan.ms pathnames.h
            radix.h readpass.h rijndael.h serverloop.h session.h sftp.h ssh-add.1
            ssh-dss.h ssh-keygen.1 ssh-keyscan.1 ssh-rsa.h ssh1.h ssh_config
            sshconnect.h sshd_config tildexpand.h uidswap.h uuencode.h]
           $OpenBSD$
  20. 22 Jan, 2001 1 commit
    • Hopefully things did not get mixed around too much. It compiles under · 226cfa03
      Ben Lindstrom authored
      Linux and works.  So that is at least a good sign. =)
      20010122
       - (bal) OpenBSD Resync
         - markus@cvs.openbsd.org 2001/01/19 12:45:26 GMT 2001 by markus
           [servconf.c ssh.h sshd.c]
           only auth-chall.c needs #ifdef SKEY
         - markus@cvs.openbsd.org 2001/01/19 15:55:10 GMT 2001 by markus
           [auth-krb4.c auth-options.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c
            auth1.c auth2.c channels.c clientloop.c dh.c dispatch.c nchan.c
            packet.c pathname.h readconf.c scp.c servconf.c serverloop.c
            session.c ssh-add.c ssh-keygen.c ssh-keyscan.c ssh.c ssh.h
            ssh1.h sshconnect1.c sshd.c ttymodes.c]
           move ssh1 definitions to ssh1.h, pathnames to pathnames.h
         - markus@cvs.openbsd.org 2001/01/19 16:48:14
           [sshd.8]
           fix typo; from stevesk@
         - markus@cvs.openbsd.org 2001/01/19 16:50:58
           [ssh-dss.c]
           clear and free digest, make consistent with other code (use dlen); from
           stevesk@
         - markus@cvs.openbsd.org 2001/01/20 15:55:20 GMT 2001 by markus
           [auth-options.c auth-options.h auth-rsa.c auth2.c]
           pass the filename to auth_parse_options()
         - markus@cvs.openbsd.org 2001/01/20 17:59:40 GMT 2001
           [readconf.c]
           fix SIGSEGV from -o ""; problem noted by jehsom@togetherweb.com
         - stevesk@cvs.openbsd.org 2001/01/20 18:20:29
           [sshconnect2.c]
           dh_new_group() does not return NULL.  ok markus@
         - markus@cvs.openbsd.org 2001/01/20 21:33:42
           [ssh-add.c]
           do not loop forever if askpass does not exist; from
           andrew@pimlott.ne.mediaone.net
         - djm@cvs.openbsd.org 2001/01/20 23:00:56
           [servconf.c]
           Check for NULL return from strdelim; ok markus
         - djm@cvs.openbsd.org 2001/01/20 23:02:07
           [readconf.c]
           KNF; ok markus
         - jakob@cvs.openbsd.org 2001/01/21 9:00:33
           [ssh-keygen.1]
           remove -R flag; ok markus@
         - markus@cvs.openbsd.org 2001/01/21 19:05:40
           [atomicio.c automicio.h auth-chall.c auth-krb4.c auth-options.c
            auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c
            auth.c auth.h auth1.c auth2-chall.c auth2.c authfd.c authfile.c
            bufaux.c  bufaux.h buffer.c canahost.c canahost.h channels.c
            cipher.c cli.c clientloop.c clientloop.h compat.c compress.c
            deattack.c dh.c dispatch.c groupaccess.c hmac.c hostfile.c kex.c
            key.c key.h log-client.c log-server.c log.c log.h login.c login.h
            match.c misc.c misc.h nchan.c packet.c pty.c radix.h readconf.c
            readpass.c readpass.h rsa.c scp.c servconf.c serverloop.c serverloop.h
            session.c sftp-server.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c
            ssh-keyscan.c ssh-rsa.c ssh.c ssh.h sshconnect.c sshconnect.h
            sshconnect1.c sshconnect2.c sshd.c tildexpand.c tildexpand.h
            ttysmodes.c uidswap.c xmalloc.c]
           split ssh.h and try to cleanup the #include mess. remove unnecessary
           #includes.  rename util.[ch] -> misc.[ch]
       - (bal) renamed 'PIDDIR' to '_PATH_SSH_PIDDIR' to match OpenBSD tree
       - (bal) Moved #ifdef KRB4 in auth-krb4.c above the #include to resolve
         conflict when compiling for non-kerb install
       - (bal) removed the #ifdef SKEY in auth1.c to match Markus' changes
         on 1/19.