| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
OpenBSD-Commit-ID: d297e4387935d4aef091c5e9432578c2e513f538
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
code returned to fall back only if necessary. Avoids PIN prompts for FIDO
tokens that don't require them; part of GHPR#302
OpenBSD-Commit-ID: 4f752aaf9f2e7c28bcaaf3d4f8fc290131bd038e
|
| |
|
|
|
|
| |
resident key (introduced in r1.40)
OpenBSD-Commit-ID: 4cab364d518470e29e624af3d3f9ffa9c92b6f01
|
| |
|
|
|
|
|
| |
ssh-keyscan and prevent a one-byte buffer overflow. Patch from Qualys, ok
djm@
OpenBSD-Commit-ID: 6ae664f9f4db6e8a0589425f74cd0bbf3aeef4e4
|
| | |
|
| | |
|
| |
|
|
|
|
| |
In addition to installing the requisite Cygwin packages, we also need to
explicitly invoke "sh" for steps that run other scripts since the runner
environment doesn't understand #! paths.
|
| |
|
|
| |
OpenBSD-Commit-ID: 39f35e16ba878c8d02b4d01d8826d9b321be26d4
|
| |
|
|
|
|
| |
Ubuntu 22.04 defaults to private home dirs which prevents "nobody"
running ssh-add during the agent-getpeereid test. Check for this and
add the necessary permissions.
|
| |
|
|
|
|
|
| |
If no FIDO device was explictly specified, then prefer the
windows://hello FIDO device. An exception to this is when
probing resident FIDO keys, in which case hardware FIDO
devices are preferred.
|
| |
|
|
|
|
|
| |
probing for a FIDO resident key or not. Unused here, but will make like
easier for portable
OpenBSD-Commit-ID: 432c8ff70e270378df9dbceb9bdeaa5b43b5a832
|
| |
|
|
| |
OpenBSD-Commit-ID: 7f80a53d54857ac6ae49ea6ad93c5bd12231d1e4
|
| |
|
|
|
|
|
|
|
| |
Cygwin now comes with libfido2 1.11.0, so this workaround
isn't required anymore.
This reverts commit 242c044ab111a37aad3b0775727c36a4c5f0102c.
Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
|
| |
|
|
|
|
|
| |
"false" is not used anywhere in OpenSSH, so return 0 like
everywhere else.
Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Add support to the sftp-server for the home-directory extension defined
in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the
existing expand-path@openssh.com, but uses a more official protocol name,
and so is a bit more likely to be implemented by non-OpenSSH clients.
From Mike Frysinger, ok dtucker@
OpenBSD-Commit-ID: bfc580d05cc0c817831ae7ecbac4a481c23566ab
|
| | |
|
| |
|
|
| |
Fixes build on (at least Solaris 10).
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Valgrind doesn't let ssh exec ssh-keysign (because it's setuid) so skip
it during the Valgrind based tests.
See https://bugs.kde.org/show_bug.cgi?id=119404 for a discussion of this
(ironically there the problematic binary was ssh(1) back when it could
still be setuid).
|
| |
|
|
|
|
| |
where it is forced to the UTC timezone. bz3468 ok dtucker
OpenBSD-Regress-ID: ea07ca31c2f3847a38df028ca632763ae44e8759
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
times and authorized_keys expiry-time options to accept dates in the UTC time
zone in addition to the default of interpreting them in the system time zone.
YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if
suffixed with a 'Z' character.
Also allow certificate validity intervals to be specified in raw
seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This
is intended for use by regress tests and other tools that call
ssh-keygen as part of a CA workflow.
bz3468 ok dtucker
OpenBSD-Commit-ID: 454db1cdffa9fa346aea5211223a2ce0588dfe13
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Since arc4random seeds from getentropy, and we use OpenSSL for that
if enabled, there's the possibility that if we build on a system that
does not have getentropy then run on a system that does have it, then
OpenSSL could end up calling our getentropy and getting stuck in a loop.
Pointed out by deraadt@, ok djm@
|
| | |
|
| |
|
|
|
| |
Fixes builds on platforms that do have fido2 but don't have
fido_dev_is_winhello.
|
| |
|
|
|
|
|
|
|
| |
the credential, just let the enroll operating fail and we'll attempt to get a
PIN anyway. Might avoid some unneccessary PIN prompts.
Part of GHPR#302 from Corinna Vinschen; ok dtucker@
OpenBSD-Commit-ID: bd5342ffc353ee37d39617906867c305564d1ce2
|
| |
|
|
|
|
|
|
|
|
| |
WinHello via libfido2 performs user verification by default.
However, if we stick to that, there's no way to differentiate
between keys created with or without "-O verify-required".
Set FIDO2 uv attribute explicitely to FIDO_OPT_FALSE, then check
if user verification has been requested.
Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
|
| |
|
|
|
|
|
|
| |
Up to libfido 1.10.0, WinHello advertises "clientPin" rather
than "uv" capability. This is fixed in 1.11.0. For the time
being, workaround it here.
Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
|
| |
|
|
| |
Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
|
| |
|
|
|
|
|
| |
Factor out the arc4random seeding into its own file and change the
interface to match getentropy. Use native getentropy if available.
This will make it easier to resync OpenBSD changes to arc4random.
Prompted by bz#3467, ok djm@.
|
| | |
|
| |
|
|
|
|
| |
and fix based on GHPR#332 by v-rzh ok dtucker@
OpenBSD-Commit-ID: 3d21aa127b1f37cfc5bdc21461db369a663a951f
|
| | |
|
| |
|
|
|
|
|
| |
We added a check in Makefile to catch the case where configure needs to
be rebuilt, however this did not happen until a build was attempted in
which case all of the work done by configure was wasted. Move this check
to the start of configure to catch it as early as possible. ok djm@
|
| |
|
|
|
| |
This will result in sftp, sftp-server and scp no longer being linked
against libcrypto. ok djm@
|
| |
|
|
|
| |
These binaries don't use OpenSSL's random functions. The next step
will be to stop linking them against libcrypto. ok djm@
|
| |
|
|
|
| |
They're related more than the libcrypt or libiaf checks which are
currently between them. ok djm@
|
| |
|
|
|
|
|
|
| |
Some of our binaries (eg sftp, sftp-server, scp) do not interact with
the channels code and thus do use libraries such as zlib and libcrypto
although they are linked with them. This adds a CHANNELLIBS and starts
by moving zlib into it, which means the aformentioned binaries are no
longer linked against zlib. ok djm@
|
| |
|
|
|
|
|
| |
We have some compatibility hacks that were added to support OpenSSL
versions that do not support AES CTR mode. Since that time, however,
the minimum OpenSSL version that we support has moved to 1.0.1 which
*does* have CTR, so this is no longer needed. ok djm@
|
| |
|
|
|
|
|
| |
We have some compatibility hacks that were added to support OpenSSL
versions that do not support AES GCM mode. Since that time, however,
the minimum OpenSSL version that we support has moved to 1.0.1 which
*does* have GCM, so this is no longer needed. ok djm@
|
| |
|
|
| |
OpenBSD-Regress-ID: 38783f9676ec348c5a792caecee9a16e354b37b0
|
| |
|
|
|
|
|
| |
executable. No-op on most platforms but should prevent warnings in -portable
on systems that don't have 'date %s'.
OpenBSD-Regress-ID: e39d79867b8065e33d0c5926fa1a31f85659d2a4
|
| |
|
|
|
|
|
| |
"which" and its behaviour is not standardized, so convert the existing
have_prog function into "which" so we can rely on it being available
and what its semantics are. Add a have_prog wrapper that maintains the
existing behaviour.
|
| |
|
|
|
| |
scp -3 ends up using the scp that's in the remote path and will fail if
one is not available. Based on a patch from rapier at psc.edu.
|
| | |
|
| |
|
|
|
|
| |
part of GHPR329 from Pedro Martelletto
OpenBSD-Commit-ID: 75d1005bd2ef8f29fa834c90d2684e73556fffe8
|
