Age | Commit message | Author
---|---|---
2010-05-14 | check that the certificate matches the corresponding private key before grafting it on | Damien Miller
2010-05-11 | don't accept certificates marked as "cert-authority" here; ok markus@ | Damien Miller
2010-05-07 | tweak previous; | Jason McIntyre
2010-05-07 | add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable. When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option. For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names. If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply. These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates. feedback and ok markus@ | Damien Miller
2010-05-05 | restore mput and mget which got lost in the tab-completion changes. found by Kenneth Whitaker, ok djm@ | Darren Tucker
2010-05-01 | typo; jmeltzer@ | Damien Miller
2010-04-26 | bz#1502: authctxt.success is declared as an int, but passed by reference to function that accepts sig_atomic_t*. Convert it to the latter; ok markus@ dtucker@ | Damien Miller
2010-04-23 | refuse to generate keys longer than OPENSSL_[RD]SA_MAX_MODULUS_BITS, since we would refuse to use them anyway. bz#1516; ok dtucker@ | Damien Miller
2010-04-23 | set stderr to /dev/null for subsystems rather than just closing it. avoids hangs if a subsystem or shell initialisation writes to stderr. bz#1750; ok markus@ | Damien Miller
2010-04-23 | set "detach_close" flag when registering channel cleanup callbacks. This causes the channel to close normally when its fds close and hangs when terminating a mux slave using ~. bz#1758; ok markus@ | Damien Miller
2010-04-23 | bz#1740: display a more helpful error message when $HOME is inaccessible while trying to create .ssh directory. Based on patch from jchadima AT redhat.com; ok dtucker@ | Damien Miller
2010-04-16 | oops, %r => remote username, not %u | Damien Miller
2010-04-16 | tweak previous; ok djm | Jason McIntyre
2010-04-16 | tweak previous; ok djm | Jason McIntyre
2010-04-16 | revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the following changes: move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash; rename "constraints" field to "critical options"; add a new non-critical "extensions" field; add a serial number. The older format is still supported for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate). ok markus@ | Damien Miller
2010-04-15 | retry lookup for private key if there's no matching key with CKA_SIGN attribute enabled; this fixes MuscleCard support (bugzilla #1736) ok djm@ | Markus Friedl
2010-04-14 | expand %r => remote username in ssh_config:ProxyCommand; ok deraadt markus | Damien Miller
2010-04-10 | fix NULL dereference; from matthew.haub AT alumni.adelaide.edu.au | Damien Miller
2010-04-10 | show the key type that we are offering in debug(), helps distinguish between certs and plain keys as the path to the private key is usually the same. | Damien Miller
2010-04-10 | bz#1698: kill channel when pty allocation requests fail. Fixed stuck client if the server refuses pty allocation. ok dtucker@ "think so" markus@ | Damien Miller
2010-04-10 | fix terminology: we didn't find a certificate in known_hosts, we found a CA key | Damien Miller
2010-04-10 | bz#1746 - suppress spurious tty warning when using -O and stdin is not a tty; ok dtucker@ markus@ | Damien Miller
2010-03-27 | tweak previous; ok dtucker | Jason McIntyre
2010-03-26 | tweak previous; | Jason McIntyre
2010-03-26 | allow buffer_get_int_ret/buffer_get_int64_ret to take a NULL pointer argument to allow skipping past values in a buffer | Damien Miller
2010-03-26 | Reformat default value of PreferredAuthentications entry (current formatting implies ", " is acceptable as a separator, which it's not). ok djm@ | Darren Tucker
2010-03-26 | mention that -S none disables connection sharing; from Colin Watson | Damien Miller
2010-03-25 | from portable: getcwd(NULL, 0) doesn't work on all platforms, so use a stack buffer; ok dtucker@ | Damien Miller
2010-03-16 | crank version to openssh-5.5 since we have a few fixes since 5.4; requested deraadt@ kettenis@ | Damien Miller
2010-03-16 | spelling in error message. ok djm kettenis | Kevin Steves
2010-03-15 | also print certificate type (user or host) for ssh-keygen -L; ok djm kettenis | Kevin Steves
2010-03-13 | fix a formatting error (args need quoted); noted by stevesk | Jason McIntyre
2010-03-13 | Certificates are named *-cert.pub, not *_cert.pub; committing a diff from stevesk@ ok me | Damien Miller
2010-03-13 | protocol conformance fix: send language tag when disconnecting normally; spotted by 1.41421 AT gmail.com, ok markus@ deraadt@ | Damien Miller
2010-03-12 | do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths; free() (not xfree()) the buffer returned by getcwd() | Markus Friedl
2010-03-12 | unbreak AuthorizedKeys option with a $HOME-relative path; reported by vinschen AT redhat.com, ok dtucker@ | Damien Miller
2010-03-10 | correct certificate logging and make it more consistent between authorized_keys and TrustedCAKeys; ok markus@ | Damien Miller
2010-03-10 | typos; from Ross Richardson; closes prs 6334 and 6335 | Jason McIntyre
2010-03-08 | sort the list of constraints (to -O); ok djm | Jason McIntyre
2010-03-08 | document permit-agent-forwarding certificate constraint; patch from stevesk@ | Damien Miller
2010-03-07 | make internal strptime string match strftime format; suggested by vinschen AT redhat.com and markus@ | Damien Miller
2010-03-07 | openssh-5.4 | Damien Miller
2010-03-07 | Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@ | Darren Tucker
2010-03-05 | mention loading of certificate files from [private]-cert.pub when they are present; feedback and ok jmc@ | Damien Miller
2010-03-05 | document certificate authentication; help/ok djm | Jason McIntyre
2010-03-05 | tweak previous; | Jason McIntyre
2010-03-05 | make the warning for a revoked key louder and more noticeable | Damien Miller
2010-03-04 | "force-command" is not spelled "forced-command"; spotted by imorgan AT nas.nasa.gov | Damien Miller
2010-03-04 | move section on CA and revoked keys from ssh.1 to sshd.8's known hosts format section and rework it a bit; requested by jmc@ | Damien Miller
2010-03-04 | missing word; spotted by jmc@ | Damien Miller