summaryrefslogtreecommitdiff
path: root/usr.bin/ssh
AgeCommit message (Collapse)Author
2019-01-27add -T to usage();Jason McIntyre
2019-01-26check in scp client that filenames sent during remote->local directoryDamien Miller
copies satisfy the wildcard specified by the user. This checking provides some protection against a malicious server sending unexpected filenames, but it comes at a risk of rejecting wanted files due to differences between client and server wildcard expansion rules. For this reason, this also adds a new -T flag to disable the check. reported by Harry Sintonen fix approach suggested by markus@; has been in snaps for ~1wk courtesy deraadt@
2019-01-26make ssh-keyscan return a non-zero exit status if it finds no keys.Damien Miller
bz#2903
2019-01-24Accept the host key fingerprint as a synonym for "yes" when acceptingDarren Tucker
an unknown host key. This allows you to paste a fingerprint obtained out of band into the yes/no prompt and have the client do the comparison for you. ok markus@ djm@
2019-01-24Have progressmeter force an update at the beginning and end of eachDarren Tucker
transfer. Fixes the problem recently introduces where very quick transfers do not display the progressmeter at all. Spotted by naddy@
2019-01-24Check for both EAGAIN and EWOULDBLOCK. This is a no-op in OpenBSDDarren Tucker
(they are the same value) but makes things easier in -portable where they may be distinct values. "sigh ok" deraadt@
2019-01-24Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*Darren Tucker
there's a delimiter. If there's not (the common case) it checked uninitialized memory, which usually passed, but if not would cause spurious failures when the uninitialized memory happens to contain "/". ok deraadt.
2019-01-23Remove support for obsolete host/port syntax.Darren Tucker
host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH now supports for some things. Remove the slash notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen at redhat.com, ok markus@
2019-01-23Remove duplicate word. bz#2958, patch from jjelen at redhat.comDarren Tucker
2019-01-23Remove 3 as a guess for possible generator during moduli generation.Darren Tucker
It's not mentioned in RFC4419 and it's not possible for Sophie-Germain primes greater than 5. bz#2330, from Christian Wittenhorst , ok djm@ tb@
2019-01-23Sanitize scp filenames via snmprintf. To do this we move theDarren Tucker
progressmeter formatting outside of signal handler context and have the atomicio callback called for EINTR too. bz#2434 with contributions from djm and jjelen at redhat.com, ok djm@
2019-01-23allow auto-incrementing certificate serial number for certs signedDamien Miller
in a single commandline.
2019-01-23move a bunch of global flag variables to main(); make the rest staticDamien Miller
2019-01-23switch mainloop from select(2) to poll(2); ok deraadt@Damien Miller
2019-01-23pass most arguments to the KEX hash functions as sshbuf ratherDamien Miller
than pointer+length; ok markus@
2019-01-22backoff reading messages from active connections when the input bufferDamien Miller
is too full to read one, or if the output buffer is too full to enqueue a response; feedback & ok dtucker@
2019-01-22add -m to usage(); reminded by jmc@Damien Miller
2019-01-22Correct some bugs in PKCS#11 token PIN handling at initial login,Damien Miller
the attempt at reading the PIN could be skipped in some cases especially on devices with integrated PIN readers. based on patch from Daniel Kucera in bz#2652; ok markus@
2019-01-22Support keys that set the CKA_ALWAYS_AUTHENTICATE by requring aDamien Miller
fresh login after the C_SignInit operation. based on patch from Jakub Jelen in bz#2638; ok markus
2019-01-22Mention that configuration for the destination host is not appliedDamien Miller
to any ProxyJump/-J hosts. This has confused a few people...
2019-01-22Include -m in the synopsis for a few more commands that support itDamien Miller
Be more explicit in the description of -m about where it may be used Prompted by Jakub Jelen in bz2904
2019-01-22print the full pubkey being attempted at loglevel >= debug2; bz2939Damien Miller
2019-01-22clarify: ssh-keygen -e only writes public keys, never privateDamien Miller
2019-01-22mention the new vs. old key formats in the introduction and give someDamien Miller
hints on how keys may be converted or written in the old format.
2019-01-22tweak previous;Jason McIntyre
2019-01-21Forgot to add -J to the synopsis.Theo Buehler
2019-01-21Add a -J option as a shortcut for -o Proxyjump= to scp(1) and sftp(1)Theo Buehler
to match ssh(1)'s interface. ok djm
2019-01-21switch sntrup implementation source from supercop to libpqcrypto;Damien Miller
the latter is almost identical but doesn't rely on signed underflow to implement an optimised integer sort; from markus@
2019-01-21add "-v" flags to ssh-add and ssh-pkcs11-helper to turn up debugDamien Miller
verbosity. Make ssh-agent turn on ssh-pkcs11-helper's verbosity when it is run in debug mode ("ssh-agent -d"), so we get to see errors from the PKCS#11 code. ok markus@
2019-01-21fix reversed arguments to kex_load_hostkey(); manifested as errors inDamien Miller
cert-hostkey.sh regress failures.
2019-01-21forgot to cvs add this file in previous series of commits; grrrDamien Miller
2019-01-21nothing shall escape this purgeDamien Miller
2019-01-21rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamedDamien Miller
to kexgen from markus@ ok djm@
2019-01-21merge kexkem[cs] into kexgenDamien Miller
from markus@ ok djm@
2019-01-21pass values used in KEX hash computation as sshbuf rather thanDamien Miller
pointer+len suggested by me; implemented by markus@ ok me
2019-01-21remove kex_derive_keys_bn wrapper; no unused since the DH-like KEXDamien Miller
methods have moved to KEM from markus@ ok djm@
2019-01-21use KEM API for vanilla ECDHDamien Miller
from markus@ ok djm@
2019-01-21use KEM API for vanilla DH KEXDamien Miller
from markus@ ok djm@
2019-01-21use KEM API for vanilla c25519 KEXDamien Miller
2019-01-21Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.orgDamien Miller
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default. introduce KEM API; a simplified framework for DH-ish KEX methods. from markus@ feedback & ok djm@
2019-01-21factor out kex_verify_hostkey() - again, duplicated almost exactlyDamien Miller
across client and server for several KEX methods. from markus@ ok djm@
2019-01-21factor out kex_load_hostkey() - this is duplicated in both the client andDamien Miller
server implementations for most KEX methods. from markus@ ok djm@
2019-01-21factor out kex_dh_compute_key() - it's shared between plain DH KEX andDamien Miller
DH GEX in both the client and server implementations from markus@ ok djm@
2019-01-21factor out DH keygen; it's identical between the client and the serverDamien Miller
from markus@ ok djm@
2019-01-21save the derived session id in kex_derive_keys() rather than making eachDamien Miller
kex method implementation do it. from markus@ ok djm@
2019-01-21Make sshpkt_get_bignum2() allocate the bignum it is parsing ratherDamien Miller
than make the caller do it. Saves a lot of boilerplate code. from markus@ ok djm@
2019-01-21remove obsolete (SSH v.1) sshbuf_get/put_bignum1 functionsDamien Miller
from markus@ ok djm@
2019-01-21fix all-zero check in kexc25519_shared_keyDamien Miller
from markus@ ok djm@
2019-01-21- -T was added to the first synopsis by mistakeJason McIntyre
- since "..." denotes optional, no need to surround it in [] ok djm
2019-01-21always print the caller's error message in ossl_error(), even when thereDamien Miller
are no libcrypto errors to report.
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-16 00:57:35 +0000