Age | Commit message | Author |
|
|
|
|
|
messages. allows use of s/key in windows (ttssh, securecrt) and
ssh-1.2.27 clients without 'ssh -v', ok: niels@
|
|
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only if authentication is:
a) successful or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failures
* many log() became verbose()
* old behaviour with level=VERBOSE
|
|
factor out common log-level parsing code.
|
|
a few more checks and warnings about 'pretended' keysizes.
|
|
and 'extern ServerOptions options' respectively;
options are no longer passed as arguments:
* make options handling more consistent
* remove #include "readconf.h" from ssh.h
* readconf.h is only included if necessary
|
|
|
|
obsoletes QuietMode and FascistLogging in sshd.
|
|
|
|
|
|
Don't let child access std{in,out,err}
|
|
|
|
interops (x11,agent,etc) with 1.2.27 and protocol 1.3
|
|
|
|
by removing the connect() junk, with the following restrictions:
1) change the version to "OpenSSH-1.1":
agent-forwarding will work only between OpenSSH-1.1 client and
OpenSSH-1.1 server
2) renamed the environment variable of OpenSSH-1.1 to
"SSH_AUTH_SOCKET", since using OpenSSH-1.0 ssh-add against the new
ssh-agent does not work
|
|
don't load private keys if they are group/world-{rwx} (ssh,sshd and ssh-add)
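The check described in this commit, written out as an added example (not OpenSSH's own code): a private key file is only loaded when no group or world permission bits are set, otherwise the load is refused with a clear error. The path, the exception name and the key contents are assumptions made for the example.

```python
"""Refuse to load a private key whose file is group- or world-accessible.

Added example, not OpenSSH code.  The mode test is the one the commit
describes: any of the group/other rwx bits (mode & 0o077) set means the
key may have been read or tampered with by another user, so it is not used.
"""
import os
import stat


class UnsafeKeyPermissions(Exception):
    """Raised when a key file is group- or world-accessible."""


def key_file_is_private(path):
    """True only for a regular file with no group/other permission bits."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def load_private_key(path):
    """Return the key bytes, or refuse if the file is too open.

    The permission check happens before the file is opened, so an
    over-permissive key is never read into memory at all.
    """
    if not key_file_is_private(path):
        mode = oct(os.stat(path).st_mode & 0o777)
        raise UnsafeKeyPermissions(
            f"{path}: permissions {mode} are too open; refusing to load")
    with open(path, "rb") as f:
        return f.read()


if __name__ == "__main__":
    # Constructed demo key file (assumed path, not a real key).
    demo = "demo_identity"
    with open(demo, "wb") as f:
        f.write(b"-----BEGIN CONSTRUCTED DEMO KEY-----\n")
    os.chmod(demo, 0o644)
    try:
        load_private_key(demo)
    except UnsafeKeyPermissions as e:
        print("refused:", e)
    os.chmod(demo, 0o600)
    print("loaded", len(load_private_key(demo)), "bytes after chmod 600")
    os.remove(demo)
```

The same predicate is what ssh, sshd and ssh-add can share: a key that fails `key_file_is_private` is treated as absent rather than silently used.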
|
|
1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27
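An added example (not OpenSSH code) that puts together two points from this log: the server-side cap on password attempts from this commit, applied equally to nonexistent users so that the client's `NumberOfPasswordPrompts` setting cannot extend it, and the "log only when it matters" policy from the unified-logmessage commit above (log on success, on password auth, or once failures exceed `AUTH_FAIL_LOG`). The user database, the password hashing, the `AUTH_FAIL_LOG` value and the log line format are assumptions made for the example.

```python
"""Server-side password-auth loop with a hard attempt limit and a
conditional logging policy.  Added example, not OpenSSH code.

Assumptions: a tiny constructed user database, SHA-256 with a fixed salt
as the password hash (for illustration only), AUTH_FAIL_LOG = 3.
"""
import hashlib
import hmac

MAX_AUTH_TRIES = 5   # server-side cap; the client's NumberOfPasswordPrompts is irrelevant
AUTH_FAIL_LOG = 3    # assumed threshold: failures beyond this are logged even at level LOG

_SALT = b"constructed-salt"


def _hash(salt, password):
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed user database: name -> (salt, hash).  Only alice exists.
USERS = {"alice": (_SALT, _hash(_SALT, "correct horse"))}
_FAKE_RECORD = (_SALT, b"\0" * 32)   # stands in for the "fake skey" of a nonexistent user


def check_password(user, password):
    """True only for a real user with the right password.

    A nonexistent user is run against a fake record so the same hashing
    work is done and the same number of prompts is consumed, which keeps
    the attempt limit and the timing identical for real and unknown names.
    """
    salt, digest = USERS.get(user, _FAKE_RECORD)
    matches = hmac.compare_digest(_hash(salt, password), digest)
    return matches and user in USERS


def should_log(success, method, failures, level="LOG"):
    """Logging policy from the unified-logmessage commit.

    At level LOG an attempt is recorded only if it succeeded, used a
    password, or the failure count exceeded AUTH_FAIL_LOG.  At level
    VERBOSE every attempt is recorded (the old behaviour).
    """
    if level == "VERBOSE":
        return True
    return success or method == "password" or failures > AUTH_FAIL_LOG


def authenticate(user, guesses, level="LOG"):
    """Consume password guesses from the client until success or the
    server-side limit is hit.  Returns (authenticated, tries_used, log)."""
    log = []
    failures = 0
    for password in guesses:
        if failures >= MAX_AUTH_TRIES:
            break                      # stop regardless of how many guesses remain
        ok = check_password(user, password)
        if not ok:
            failures += 1
        if should_log(ok, "password", failures, level):
            verdict = "Accepted" if ok else "Failed"
            log.append(f"{verdict} password for {user} (failures={failures})")
        if ok:
            return True, failures + 1, log
    return False, failures, log


if __name__ == "__main__":
    # A client configured with NumberOfPasswordPrompts 100000 still gets 5.
    for name in ("alice", "nonexisting-user"):
        ok, tries, log = authenticate(name, ["guess"] * 100000)
        print(name, "authenticated:", ok, "tries consumed:", tries)
        print("\n".join(log))
```

Because the limit is enforced on the server and the unknown-user path does the same work as the real-user path, `ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host` is cut off at the same point as a real account would be.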
|
|
delete minfd residua
|
|
|
|
the main idea is to not only store the host key for the hostname but
also for the according IP address. When we check the host key in the
known_hosts file, we also check the key against the according IP address.
When the server key changes, host_status = HOST_CHANGED. If
check_host_in_hostfile() returns differing status for the IP address
that means that either DNS was spoofed or that the IP address
for the host and the host key changed at the same time.
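The decision logic this commit describes, as an added example that is not OpenSSH's own code: the presented key is checked against the known_hosts entries for the hostname and, separately, for the IP address, and the two statuses are combined. Matching statuses give the usual accept/reject; differing statuses produce the "DNS spoofed, or IP and key changed together" warning. The known_hosts format here is a simplified constructed `name[,name...] key` line rather than the real file layout, and the decision strings are assumptions.

```python
"""Host key check against both hostname and IP entries in known_hosts.

Added example, not OpenSSH code.  Uses a simplified constructed format:
one entry per line, "name[,name...] key".  Status names follow the commit
message; the returned decision strings are assumptions for the example.
"""

HOST_OK, HOST_NEW, HOST_CHANGED = "HOST_OK", "HOST_NEW", "HOST_CHANGED"


def parse_known_hosts(text):
    """Return a list of (name, key) pairs from the simplified format."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        names, _, key = line.partition(" ")
        key = key.strip()
        for name in names.split(","):
            if name:
                entries.append((name, key))
    return entries


def check_host_in_hostfile(entries, name, key):
    """HOST_OK if an entry for name carries this key, HOST_CHANGED if
    entries for name exist but none match, HOST_NEW if name is unknown."""
    found = False
    for n, k in entries:
        if n == name:
            if k == key:
                return HOST_OK
            found = True
    return HOST_CHANGED if found else HOST_NEW


def check_host_key(known_hosts_text, hostname, ip, key):
    """Combine the hostname and IP lookups into one decision."""
    entries = parse_known_hosts(known_hosts_text)
    host_status = check_host_in_hostfile(entries, hostname, key)
    ip_status = check_host_in_hostfile(entries, ip, key)

    if host_status == HOST_OK:
        if ip_status == HOST_OK:
            return "accept"
        if ip_status == HOST_NEW:
            return "accept-and-add-ip"        # learn the IP alongside the name
        return "warn-ip-key-mismatch"         # name matches, but this IP is recorded with another key

    if host_status == HOST_CHANGED:
        if ip_status == HOST_CHANGED:
            return "reject-key-changed"       # both disagree: classic changed-key / MITM case
        # Statuses differ: the name now leads to a machine the IP entries
        # know (or don't know) under a different key.  Either DNS was
        # spoofed, or the host's IP and key changed at the same time.
        return "warn-dns-spoof-or-host-moved"

    # host_status == HOST_NEW
    if ip_status == HOST_CHANGED:
        return "warn-ip-key-mismatch"
    return "prompt-new-host"


if __name__ == "__main__":
    # Constructed known_hosts contents.
    KH = "server.example,10.0.0.5 KEY1\nother.example,10.0.0.9 KEY2\n"
    print(check_host_key(KH, "server.example", "10.0.0.5", "KEY1"))
    print(check_host_key(KH, "server.example", "10.0.0.5", "KEY3"))
    print(check_host_key(KH, "server.example", "10.0.0.9", "KEY2"))
```

The third call in the demo is the case the commit singles out: `server.example` is recorded with KEY1, but the connection presents KEY2 from an IP that is recorded with KEY2 under another name, so the hostname lookup says HOST_CHANGED while the IP lookup says HOST_OK.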
|
|
just spit out a warning that the configuration option is obsolete.
|
|
unused variables, update manpages
|
|
convert all uses of rsa to SSL rsa functions
remove all use of randomstate to OpenBSD arc4random() and arc4_stir()
all this done at a long long night in Canada.
|
|
|
|
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.
|