dtucker [Thu, 18 Dec 2003 04:34:31 +0000 (04:34 +0000)]
- (dtucker) [auth-pam.c] Do PAM chauthtok during SSH2 keyboard-interactive
authentication. Partially fixes bug #423. Feedback & ok djm@
Some background on why this is the way it is:
* Solaris 8's pam_chauthtok ignores the CHANGE_EXPIRED_AUTHTOK flag, so
we must call do_pam_account() to figure out if the password is expired.
* AIX 5.2 does not like having pam_acct_mgmt() called twice, once from the
authentication thread and once from the main shell child, so we cache the
result, which must be passed from the authentication thread back to the
monitor.
djm [Wed, 17 Dec 2003 05:33:10 +0000 (05:33 +0000)]
- markus@cvs.openbsd.org 2003/12/16 15:49:51
[clientloop.c clientloop.h readconf.c readconf.h scp.1 sftp.1 ssh.1]
[ssh.c ssh_config.5]
application layer keep alive (ServerAliveInterval ServerAliveCountMax)
for ssh(1), similar to the sshd(8) option; ok beck@; with help from
jmc and dtucker@
djm [Wed, 17 Dec 2003 05:31:10 +0000 (05:31 +0000)]
- markus@cvs.openbsd.org 2003/12/09 21:53:37
[readconf.c readconf.h scp.1 servconf.c servconf.h sftp.1 ssh.1]
[ssh_config.5 sshconnect.c sshd.c sshd_config.5]
rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@
djm [Wed, 17 Dec 2003 05:27:32 +0000 (05:27 +0000)]
20031217
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/12/09 15:28:43
[serverloop.c]
make ClientKeepAlive work for ssh -N, too (no login shell requested).
1) send a bogus channel request if we find a channel
2) send a bogus global request if we don't have a channel
ok + test beck@
dtucker [Tue, 9 Dec 2003 13:54:38 +0000 (13:54 +0000)]
- dtucker@cvs.openbsd.org 2003/12/09 13:52:55
[moduli.c]
Prevent ssh-keygen -T from outputting moduli with a generator of 0, since
they can't be used for Diffie-Hellman. Assistance and ok djm@
dtucker [Tue, 9 Dec 2003 08:07:13 +0000 (08:07 +0000)]
- markus@cvs.openbsd.org 2003/12/02 12:15:10
[progressmeter.c]
improvements from andreas@:
* saner speed estimate for transfers that take less than a second by
rounding the time to 1 second.
* when the transfer is finished calculate the actual total speed
rather than the current speed which is given during the transfer
djm [Mon, 24 Nov 2003 02:07:45 +0000 (02:07 +0000)]
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2003/11/23 23:17:34
[ssh-keyscan.c]
from portable - use sysconf to detect fd limit; ok markus@
(tidy diff by adding SSH_SSFDMAX macro to defines.h)
dtucker [Sat, 22 Nov 2003 03:25:15 +0000 (03:25 +0000)]
- (dtucker) [auth-sia.c configure.ac] Tru64 update from cmadams at hiwaay.net.
Use permanently_set_uid for SIA, only define DISABLE_FD_PASSING when SIA
is enabled, rely on SIA to check for locked accounts if enabled. ok djm@
dtucker [Sat, 22 Nov 2003 03:16:56 +0000 (03:16 +0000)]
- (dtucker) [auth-passwd.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h]
Move AIX specific password authentication code to port-aix.c, call
authenticate() until reenter flag is clear.
djm [Tue, 18 Nov 2003 11:01:48 +0000 (11:01 +0000)]
- djm@cvs.openbsd.org 2003/11/18 10:53:07
[monitor.c]
unbreak fake authloop for non-existent users (my screwup). Spotted and
tested by dtucker@; ok markus@
dtucker [Tue, 18 Nov 2003 01:42:07 +0000 (01:42 +0000)]
- (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic tty_conv,
and use it for do_pam_session. Fixes problems like pam_motd not displaying
anything. ok djm@
djm [Mon, 17 Nov 2003 11:18:21 +0000 (11:18 +0000)]
- markus@cvs.openbsd.org 2003/11/17 11:06:07
[auth2-gss.c gss-genr.c gss-serv.c monitor.c monitor.h monitor_wrap.c]
[monitor_wrap.h sshconnect2.c ssh-gss.h]
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson;
test + ok jakob.
djm [Mon, 17 Nov 2003 10:13:40 +0000 (10:13 +0000)]
- djm@cvs.openbsd.org 2003/11/04 08:54:09
[auth1.c auth2.c auth2-pubkey.c auth.h auth-krb5.c auth-passwd.c]
[auth-rhosts.c auth-rh-rsa.c auth-rsa.c monitor.c serverloop.c]
[session.c]
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather than pw != NULL; ok markus@
djm [Mon, 17 Nov 2003 10:09:50 +0000 (10:09 +0000)]
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2003/11/03 09:03:37
[auth-chall.c]
make this a little more idiot-proof; ok markus@
(includes portable-specific changes)
dtucker [Thu, 13 Nov 2003 00:28:49 +0000 (00:28 +0000)]
- (dtucker) [README ssh-host-config ssh-user-config Makefile] (All
contrib/cygwin). Major update from vinschen at redhat.com.
- Makefile provides a `cygwin-postinstall' target to run right after
`make install'.
- Better support for Windows 2003 Server.
- Try to get permissions as correct as possible.
- New command line options to allow full automated host configuration.
- Create configs from skeletons in /etc/defaults/etc.
- Use /bin/bash, allows reading user input with readline support.
- Remove really old configs from /usr/local.
dtucker [Mon, 3 Nov 2003 09:06:14 +0000 (09:06 +0000)]
- avsm@cvs.openbsd.org 2003/10/26 16:57:43
[sshconnect2.c]
rename 'supported' static var in userauth_gssapi() to 'gss_supported'
to avoid shadowing the global version. markus@ ok
dtucker [Mon, 3 Nov 2003 07:59:29 +0000 (07:59 +0000)]
- (dtucker) [contrib/cygwin/ssh-host-config] Ensure entries in /etc/services
are created correctly with CRLF line terminations. Patch from vinschen at
redhat.com.
dtucker [Wed, 15 Oct 2003 06:57:57 +0000 (06:57 +0000)]
- (dtucker) [acconfig.h configure.ac dns.c openbsd-compat/getrrsetbyname.c
openbsd-compat/getrrsetbyname.h] DNS fingerprint support is now always
compiled in but disabled in config.
dtucker [Wed, 15 Oct 2003 05:58:18 +0000 (05:58 +0000)]
- jmc@cvs.openbsd.org 2003/10/12 13:12:13
[ssh_config.5]
note that EnableSSHKeySign should be in the non-hostspecific section;
remove unnecessary .Pp;
ok markus@
dtucker [Wed, 15 Oct 2003 05:54:32 +0000 (05:54 +0000)]
- markus@cvs.openbsd.org 2003/10/11 08:24:08
[readconf.c readconf.h ssh.1 ssh.c ssh_config.5]
remote x11 clients are now untrusted by default, uses xauth(8) to generate
untrusted cookies; ForwardX11Trusted=yes restores old behaviour.
ok deraadt; feedback and ok djm/fries
dtucker [Wed, 15 Oct 2003 05:50:42 +0000 (05:50 +0000)]
- jmc@cvs.openbsd.org 2003/10/08 08:27:36
[scp.1 scp.c sftp-server.8 sftp.1 sftp.c ssh.1 sshd.8]
scp and sftp: add options list and sort options. options list requested
by deraadt@
sshd: use same format as ssh
ssh: remove wrong option from list
sftp-server: Subsystem is documented in ssh_config(5), not sshd(8)
ok deraadt@ markus@