src - OpenBSD base system

Age	Commit message (Collapse)	Author
2019-12-30	simplify the list for moduli options - no need for -compact;	Jason McIntyre

2019-12-30	Remove the -x option currently used for FIDO/U2F-specific key flags.	Damien Miller
	Instead these flags may be specified via -O. ok markus@
2019-12-30	document SK API changes in PROTOCOL.u2f	Damien Miller
	ok markus@
2019-12-30	translate and return error codes; retry on bad PIN	Damien Miller
	Define some well-known error codes in the SK API and pass them back via ssh-sk-helper. Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys. feedback and ok markus@
2019-12-30	improve some error messages; ok markus@	Damien Miller

2019-12-30	SK API and sk-helper error/PIN passing	Damien Miller
	Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow. Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc. feedback and ok markus@
2019-12-30	implement loading resident keys in ssh-add	Damien Miller
	"ssh-add -O" will load resident keys from a FIDO2 token and add them to a ssh-agent. feedback and ok markus@
2019-12-30	implement loading of resident keys in ssh-sk-helper	Damien Miller
	feedback and ok markus@
2019-12-30	resident keys support in SK API	Damien Miller
	Adds a sk_load_resident_keys() function to the security key API that accepts a security key provider and a PIN and returns a list of keys. Implement support for this in the usbhid middleware. feedback and ok markus@
2019-12-30	Factor out parsing of struct sk_enroll_response	Damien Miller
	We'll reuse this for extracting resident keys from a device. feedback and ok markus@
2019-12-30	basic support for generating FIDO2 resident keys	Damien Miller
	"ssh-keygen -t ecdsa-sk\|ed25519-sk -x resident" will generate a device-resident key. feedback and ok markus@
2019-12-30	remove single-letter flags for moduli options	Damien Miller
	Move all moduli generation options to live under the -O flag. Frees up seven single-letter flags. NB. this change break existing ssh-keygen commandline syntax for moduli- related operations. Very few people use these fortunately. feedback and ok markus@
2019-12-30	prepare for use of ssh-keygen -O flag beyond certs	Damien Miller
	Move list of available certificate options in ssh-keygen.1 to the CERTIFICATES section. Collect options specified by -O but delay parsing/validation of certificate options until we're sure that we're acting as a CA. ok markus@
2019-12-27	sort -Y internally in the options list, as is already done in synopsis;	Jason McIntyre

2019-12-27	in the options list, sort -Y and -y;	Jason McIntyre

2019-12-21	Replace the term "security key" with "(FIDO) authenticator".	Christian Weisgerber
	The polysemous use of "key" was too confusing. Input from markus@. ok jmc@
2019-12-21	Allow forwarding a different agent socket to the path specified by	Damien Miller
	$SSH_AUTH_SOCK, by extending the existing ForwardAgent option to accepting an explicit path or the name of an environment variable in addition to yes/no. Patch by Eric Chiang, manpage by me; ok markus@
2019-12-20	SSH U2F keys can now be used as host keys. Fix a garden path sentence.	Christian Weisgerber
	ok markus@
2019-12-20	Move always unsupported keywords to be grouped with the other ones.	Darren Tucker
	Move oSecurityProvider to match the order in the OpCodes enum. Patch from openbsd@academicsolutions.ch, ok djm@
2019-12-20	Remove obsolete opcodes from the configuation enum. Patch from	Darren Tucker
	openbsd@academicsolutions.ch, ok djm@
2019-12-20	Remove now-obsolete config options from example in comment. Patch from	Darren Tucker
	openbsd@academicsolutions.ch, ok djm@
2019-12-19	Document that security key-hosted keys can act as host keys.	Christian Weisgerber
	Update the list of default host key algorithms in ssh_config.5 and sshd_config.5. Copy the description of the SecurityKeyProvider option to sshd_config.5. ok jmc@
2019-12-19	"Forward security" -> "Forward secrecy" since that's the correct term.	Darren Tucker
	Add "MAC" since we use that acronym in other man pages. ok naddy@
2019-12-17	cut obsolete lists of crypto algorithms from outline of how SSH works	Christian Weisgerber
	ok markus@ jmc@
2019-12-16	strdup may return NULL if memory allocation fails. Use the safer xstrdup	tobhe
	which fatals on allocation failures. ok markus@
2019-12-16	sort sk-* methods behind their plain key methods cousins for now	Damien Miller

2019-12-15	don't treat HostKeyAgent=none as a path either; avoids spurious	Damien Miller
	warnings from the cfgparse regress test
2019-12-15	do not attempt to find an absolute path for sshd_config	Damien Miller
	SecurityKeyProvider=internal - unbreaks cfgparse regress test
2019-12-15	allow ssh-keyscan to find security key hostkeys	Damien Miller

2019-12-15	allow security keys to act as host keys as well as user keys.	Damien Miller
	Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk. ok markus@
2019-12-13	actually commit the ssh-sk-helper client code; ok markus	Damien Miller

2019-12-13	perform security key enrollment via ssh-sk-helper too. This means	Damien Miller
	that ssh-keygen no longer needs to link against ssh-sk-helper, and only ssh-sk-helper needs libfido2 and /dev/uhid* access; feedback & ok markus@
2019-12-13	allow sshbuf_put_stringb(buf, NULL); ok markus@	Damien Miller

2019-12-13	use ssh-sk-helper for all security key signing operations	Damien Miller
	This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid* requested by, feedback and ok markus@
2019-12-11	add a note about the 'extensions' field in the signed object	Damien Miller

2019-12-10	some more corrections for documentation problems spotted by Ron Frederick	Damien Miller
	document certifiate private key format correct flags type for sk-ssh-ed25519@openssh.com keys
2019-12-10	loading security keys into ssh-agent used the extension constraint	Damien Miller
	"sk-provider@openssh.com", not "sk@openssh.com"; spotted by Ron Frederick
2019-12-10	add security key types to list of keys allowed to act as CAs;	Damien Miller
	spotted by Ron Frederick
2019-12-10	when acting as a CA and using a security key as the CA key, remind the	Damien Miller
	user to touch they key to authorise the signature.
2019-12-10	chop some unnecessary and confusing verbiage from the security key	Damien Miller
	protocol description; feedback from Ron Frederick
2019-12-06	fix setting of $SSH_ASKPASS_PROMPT - it shouldn't be set when asking	Damien Miller
	passphrases, only when confirming the use of a key (i.e. for ssh-agent keys added with "ssh-add -c keyfile")
2019-12-06	bring the __func__	Damien Miller

2019-11-30	tweak the Nd lines for a bit of consistency;	Jason McIntyre
	ok markus
2019-11-29	perform hashing directly in crypto_hash_sha512() using libcrypto or	Damien Miller
	libc SHA512 functions rather than calling ssh_digest_memory(); avoids many dependencies on ssh code that complicate standalone use of ed25519, as we want to do in sk-dummy.so
2019-11-28	improve the text for -A a little;	Jason McIntyre
	input from naddy and djm
2019-11-28	reshuffle the text to read better;	Jason McIntyre
	input from naddy, djmc, and dtucker
2019-11-28	tweak wording	Damien Miller

2019-11-27	remove stray semicolon after closing brace of function;	Damien Miller
	from Michael Forney
2019-11-27	Revert previous commit. The channels code still uses int in many places	Darren Tucker
	for channel ids so the INT_MAX check still makes sense.
2019-11-27	use error()+_exit() instead of fatal() to avoid running cleanup	Damien Miller
	handlers in child process; spotted via weird regress failures in portable