path: root/auth1.c
AgeCommit message (Collapse)Author
2001-03-05 - 2001/02/22 21:59:44Ben Lindstrom
[auth.c auth.h auth1.c auth2.c misc.c misc.h ssh.c] use pwcopy in ssh.c, too
2001-02-18 - (djm) Merge BSD_AUTH support from Markus Friedl and David J. MacKenzieDamien Miller
enable with --with-bsd-auth.
2001-02-15 - 2001/02/13 22:49:40Ben Lindstrom
[auth1.c auth2.c] setproctitle(user) only if getpwnam succeeds
2001-02-15 - 2001/02/12 16:16:23Ben Lindstrom
[auth-passwd.c auth.c auth.h auth1.c auth2.c servconf.c servconf.h ssh-keygen.c sshd.8] PermitRootLogin={yes,without-password,forced-commands-only,no} (before this change, root could login even if PermitRootLogin==no)
2001-02-14 - (djm) Split out and improve OSF SIA auth code. Patch from Chris AdamsDamien Miller
<> with a little modification and KNF.
2001-02-13 - (stevesk) auth1.c: fix PAM passwordless check.Kevin Steves
2001-02-12 - (djm) Fix OSF SIA auth NULL pointer deref. Report from Mike BattersbyDamien Miller
2001-02-10 - 2001/02/07 22:35:46Ben Lindstrom
[auth1.c auth2.c sshd.c] move k_setpag() to a central place; ok dugsong@
2001-02-05 - 2001/02/04 08:32:27Kevin Steves
[many files; did this manually to our top-level source dir] unexpand and remove end-of-line whitespace; ok markus@
2001-02-04 - (bal) AIX patch for auth1.c by William L. Jones <>Ben Lindstrom
2001-02-04NB: big update - may break stuff. Please test!Damien Miller
- (djm) OpenBSD CVS sync: - 2001/02/03 03:08:38 [auth-options.c auth-rh-rsa.c auth-rhosts.c auth.c canohost.c] [canohost.h servconf.c servconf.h session.c sshconnect1.c sshd.8] [sshd_config] make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@ - 2001/02/03 03:19:51 [ssh.1 sshd.8 sshd_config] Skey is now called ChallengeResponse - 2001/02/03 03:43:09 [sshd.8] use no-pty option in .ssh/authorized_keys* if you need a 8-bit clean channel. note from (pr/1659) - 2001/02/03 10:03:06 [ssh.1] typos; ok markus@ - 2001/02/04 04:11:56 [scp.1 sftp-server.c ssh.1 sshd.8 sftp-client.c sftp-client.h] [sftp-common.c sftp-common.h sftp-int.c sftp-int.h sftp.1 sftp.c] Basic interactive sftp client; ok theo@ - (djm) Update RPM specs for new sftp binary - (djm) Update several bits for new optional reverse lookup stuff. I think I got them all.
2001-01-24whitespace sync, cleanupKevin Steves
2001-01-23 - 2001/01/22 23:06:39Ben Lindstrom
[auth1.c auth2.c readconf.c readconf.h servconf.c servconf.h sshconnect1.c sshconnect2.c sshd.c] rename skey -> challenge response. auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.
2001-01-22Hopefully things did not get mixed around too much. It compiles underBen Lindstrom
Linux and works. So that is at least a good sign. =) 20010122 - (bal) OpenBSD Resync - 2001/01/19 12:45:26 GMT 2001 by markus [servconf.c ssh.h sshd.c] only auth-chall.c needs #ifdef SKEY - 2001/01/19 15:55:10 GMT 2001 by markus [auth-krb4.c auth-options.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth1.c auth2.c channels.c clientloop.c dh.c dispatch.c nchan.c packet.c pathname.h readconf.c scp.c servconf.c serverloop.c session.c ssh-add.c ssh-keygen.c ssh-keyscan.c ssh.c ssh.h ssh1.h sshconnect1.c sshd.c ttymodes.c] move ssh1 definitions to ssh1.h, pathnames to pathnames.h - 2001/01/19 16:48:14 [sshd.8] fix typo; from stevesk@ - 2001/01/19 16:50:58 [ssh-dss.c] clear and free digest, make consistent with other code (use dlen); from stevesk@ - 2001/01/20 15:55:20 GMT 2001 by markus [auth-options.c auth-options.h auth-rsa.c auth2.c] pass the filename to auth_parse_options() - 2001/01/20 17:59:40 GMT 2001 [readconf.c] fix SIGSEGV from -o ""; problem noted by - 2001/01/20 18:20:29 [sshconnect2.c] dh_new_group() does not return NULL. ok markus@ - 2001/01/20 21:33:42 [ssh-add.c] do not loop forever if askpass does not exist; from - 2001/01/20 23:00:56 [servconf.c] Check for NULL return from strdelim; ok markus - 2001/01/20 23:02:07 [readconf.c] KNF; ok markus - 2001/01/21 9:00:33 [ssh-keygen.1] remove -R flag; ok markus@ - 2001/01/21 19:05:40 [atomicio.c automicio.h auth-chall.c auth-krb4.c auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth.c auth.h auth1.c auth2-chall.c auth2.c authfd.c authfile.c bufaux.c bufaux.h buffer.c canahost.c canahost.h channels.c cipher.c cli.c clientloop.c clientloop.h compat.c compress.c deattack.c dh.c dispatch.c groupaccess.c hmac.c hostfile.c kex.c key.c key.h log-client.c log-server.c log.c log.h login.c login.h match.c misc.c misc.h nchan.c packet.c pty.c radix.h readconf.c readpass.c readpass.h rsa.c scp.c servconf.c serverloop.c serverloop.h session.c sftp-server.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c ssh-rsa.c ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c sshd.c tildexpand.c tildexpand.h ttysmodes.c uidswap.c xmalloc.c] split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch] - (bal) renamed 'PIDDIR' to '_PATH_SSH_PIDDIR' to match OpenBSD tree - (bal) Moved #ifdef KRB4 in auth-krb4.c above the #include to resolve conflict when compiling for non-kerb install - (bal) removed the #ifdef SKEY in auth1.c to match Markus' changes on 1/19.
2001-01-19Removed one more 'ISSUE' comment in auth1.cBen Lindstrom
20010120 - (bal) OpenBSD Resync - 2001/01/19 12:45:26 [ssh-chall.c servconf.c servconf.h ssh.h sshd.c] only auth-chall.c needs #ifdef SKEY
2001-01-19 - (bal) Minor cygwin patch to auth1.c. Suggested by djm.Ben Lindstrom
2001-01-19 - (bal) Updated contrib/cygwin/ by Corinna Vinschen <>Ben Lindstrom
Also removed some of the 'ISSUES' comments that have been verified by djm.
2001-01-19 - (djm) Merge patch from Tim Waugh (via Nalin Dahyabhai <>)Damien Miller
to fix NULL pointer deref and fake authloop breakage in PAM code.
2001-01-19Please grep through the source and look for 'ISSUE' comments and verifyBen Lindstrom
that I was able to get all the portable bits in the right location. As for the SKEY comment there is an email out to Markus as to how it should be resolved. Until then I just #ifdef SKEY/#endif out the whole block. - (bal) OpenBSD Resync - 2001/01/18 16:20:21 [log-client.c log-server.c log.c readconf.c servconf.c ssh.1 ssh.h sshd.8 sshd.c] log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems - 2001/01/18 16:59:59 [auth-passwd.c auth.c auth.h auth1.c auth2.c serverloop.c session.c session.h sshconnect1.c] 1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier. - 2001/01/18 17:12:43 [auth-chall.c auth2-chall.c] rename *-skey.c *-chall.c since the files are not skey specific
2001-01-08 - (stevesk) auth1.c: free should be after WITH_AIXAUTHENTICATEKevin Steves
2001-01-0820010108Ben Lindstrom
- (bal) Fixed another typo in cli.c - (bal) OpenBSD Sync - 2001/01/07 21:26:55 [cli.c] typo - 2001/01/07 21:26:55 [cli.c] missing free, - 2001/01/07 19:06:25 [auth1.c] missing free, - 2001/01/07 11:28:04 [log-client.c log-server.c log.c readconf.c servconf.c ssh.1 ssh.h sshd.8 sshd.c] rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE syslog priority changes: fatal() LOG_ERR -> LOG_CRIT log() LOG_INFO -> LOG_NOTICE
2000-12-28 - (bal) OpenBSD CVS UpdateBen Lindstrom
- 2000/12/28 14:25:51 [auth.h auth2.c] count authentication failures only - 2000/12/28 14:25:03 [sshconnect.c] fingerprint for MITM attacks, too. - 2000/12/28 12:03:57 [sshd.8 sshd.c] document -D - 2000/12/27 14:19:21 [serverloop.c] less chatty - 2000/12/27 12:34 [auth1.c sshconnect2.c sshd.c] typo - 2000/12/27 12:30:19 [readconf.c readconf.h ssh.1 sshconnect.c] new option: HostKeyAlias: allow the user to record the host key under a different name. This is useful for ssh tunneling over forwarded connections or if you run multiple sshd's on different ports on the same machine. - 2000/12/27 11:51:53 [ssh.1 ssh.c] multiple -t force pty allocation, document ORIGINAL_COMMAND - 2000/12/27 11:41:31 [sshd.8] update for ssh-2
2000-12-22One way to massive patch. <sigh> It compiles and works under Linux..Ben Lindstrom
And I think I have all the bits right from the OpenBSD tree. 20001222 - Updated RCSID for pty.c - (bal) OpenBSD CVS Updates: - 2000/12/21 15:10:16 [auth-rh-rsa.c hostfile.c hostfile.h sshconnect.c] print keyfile:line for changed hostkeys, for deraadt@, ok deraadt@ - 2000/12/20 19:26:56 [authfile.c] allow ssh -i userkey for root - 2000/12/20 19:37:21 [authfd.c authfd.h kex.c sshconnect2.c sshd.c uidswap.c uidswap.h] fix prototypes; from - 2000/12/20 19:32:08 [sshd.c] init pointer to NULL; report from - 2000/12/19 23:17:54 [auth-krb4.c auth-options.c auth-options.h auth-rhosts.c auth-rsa.c auth1.c auth2-skey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufaux.h buffer.c canohost.c channels.c clientloop.c compress.c crc32.c deattack.c getput.h hmac.c hmac.h hostfile.c kex.c kex.h key.c key.h log.c login.c match.c match.h mpaux.c mpaux.h packet.c packet.h radix.c readconf.c rsa.c scp.c servconf.c servconf.h serverloop.c session.c sftp-server.c ssh-agent.c ssh-dss.c ssh-dss.h ssh-keygen.c ssh-keyscan.c ssh-rsa.c ssh-rsa.h ssh.c ssh.h uuencode.c uuencode.h sshconnect1.c sshconnect2.c sshd.c tildexpand.c] replace 'unsigned bla' with 'u_bla' everywhere. also replace 'char unsigned' with u_char.
2000-11-13 - (djm) Merge OpenBSD changes:Damien Miller
- 2000/11/06 16:04:56 [channels.c channels.h clientloop.c nchan.c serverloop.c] [session.c ssh.c] agent forwarding and -R for ssh2, based on work from - 2000/11/06 16:13:27 [ssh.c sshconnect.c sshd.c] do not disabled rhosts(rsa) if server port > 1024; from - 2000/11/06 16:16:35 [sshconnect.c] downgrade client to 1.3 if server is 1.4; help from - 2000/11/09 18:04:40 [auth1.c] typo; from - 2000/11/12 12:03:28 [ssh-agent.c] off-by-one when removing a key from the agent - 2000/11/12 12:50:39 [auth-rh-rsa.c auth2.c authfd.c authfd.h] [authfile.c hostfile.c kex.c kex.h key.c key.h myproposal.h] [readconf.c readconf.h rsa.c rsa.h servconf.c servconf.h ssh-add.c] [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config] [sshconnect1.c sshconnect2.c sshd.8 sshd.c sshd_config ssh-dss.c] [ssh-dss.h ssh-rsa.c ssh-rsa.h dsa.c dsa.h] add support for RSA to SSH2. please test. there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2. you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys. SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before. - (djm) Fix up Makefile and Redhat init script to create RSA host keys - (djm) Change to interim version
2000-11-1020001110Ben Lindstrom
- (bal) Fixed dropped answer from skey_keyinfo() in auth1.c - (bal) Changed from --with-skey to --with-skey=PATH in - (bal) Added in check to verify S/Key library is being detected in - (bal) next-posix.h - added another prototype wrapped in POSIX ifdef/endif. Patch by Mark Miller <> - (bal) Added 'util.h' header to loginrec.c only if HAVE_UTIL_H is defined to remove warnings under MacOS X. Patch by Mark Miller <> - (bal) Fixed LDFLAG mispelling in for --with-afs
2000-10-14 - (djm) Big OpenBSD sync:Damien Miller
- 2000/09/30 10:27:44 [log.c] allow loglevel debug - 2000/10/03 11:59:57 [packet.c] hmac->mac - 2000/10/03 12:03:03 [auth-krb4.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth1.c] move fake-auth from auth1.c to individual auth methods, disables s/key in debug-msg - 2000/10/03 12:16:48 ssh.c do not resolve canonname, i have no idea why this was added oin ossh - 2000/10/09 15:30:44 ssh-keygen.1 ssh-keygen.c -X now reads private DSA keys, too. - 2000/10/09 15:32:34 auth-options.c clear options on every call. - 2000/10/09 15:51:00 authfd.c authfd.h interop with ssh-agent2, from <> - 2000/10/10 14:20:45 compat.c use rexexp for version string matching - 2000/10/10 22:02:18 [kex.c kex.h myproposal.h ssh.h ssh2.h sshconnect2.c sshd.c dh.c dh.h] First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company. - 2000/10/11 13:59:52 [auth-rsa.c auth2.c] clear auth options unless auth sucessfull - 2000/10/11 14:00:27 [auth-options.h] clear auth options unless auth sucessfull - 2000/10/11 14:03:27 [scp.1 scp.c] support 'scp -o' with help from - 2000/10/11 14:11:35 [dh.c] Wall - 2000/10/11 14:14:40 [auth.h auth2.c readconf.c readconf.h readpass.c servconf.c servconf.h] [ssh.h sshconnect2.c sshd_config auth2-skey.c cli.c cli.h] add support for s/key (kbd-interactive) to ssh2, based on work by and me - 2000/10/11 14:27:24 [auth.c auth1.c auth2.c authfile.c cipher.c cipher.h kex.c kex.h] [myproposal.h packet.c readconf.c session.c ssh.c ssh.h sshconnect1.c] [sshconnect2.c sshd.c] new cipher framework - 2000/10/11 14:45:21 [cipher.c] remove DES - 2000/10/12 03:59:20 [cipher.c cipher.h sshconnect1.c sshconnect2.c sshd.c] enable DES in SSH-1 clients only - 2000/10/12 08:21:13 [kex.h packet.c] remove unused - 2000/10/13 12:34:46 [sshd.c] Kludge for F-Secure Macintosh < 1.0.2; - 2000/10/13 12:59:15 [cipher.c cipher.h myproposal.h rijndael.c rijndael.h] rijndael/aes support - 2000/10/13 13:10:54 [sshd.8] more info about -V - 2000/10/13 13:12:02 [myproposal.h] prefer no compression
2000-09-16 - (djm) Update CygWin support from Corinna Vinschen <>Damien Miller
2000-09-16 - (djm) Merge OpenBSD changes:Damien Miller
- 2000/09/05 02:59:57 [session.c] print hostname (not hushlogin) - 2000/09/05 13:18:48 [authfile.c ssh-add.c] enable ssh-add -d for DSA keys - 2000/09/05 13:20:49 [sftp-server.c] cleanup - 2000/09/06 03:46:41 [authfile.h] prototype - 2000/09/07 14:27:56 [ALL] cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate. - 2000/09/07 14:40:30 [channels.c channels.h clientloop.c serverloop.c ssh.c] cleanup window and packet sizes for ssh2 flow control; ok niels - 2000/09/07 14:53:00 [scp.c] typo - 2000/09/07 15:13:37 [auth-options.c auth-options.h auth-rh-rsa.c auth-rsa.c auth.c] [authfile.h canohost.c channels.h compat.c hostfile.h log.c match.h] [pty.c readconf.c] some more Copyright fixes - 2000/09/08 03:02:51 [README.openssh2] bye bye - 2000/09/11 18:38:33 [LICENCE cipher.c] a few more comments about it being ARC4 not RC4 - 2000/09/12 14:53:11 [log-client.c log-server.c log.c ssh.1 ssh.c ssh.h sshd.8 sshd.c] multiple debug levels - 2000/09/14 14:25:15 [clientloop.c] typo - 2000/09/15 01:13:51 [ssh-agent.c] check return value for setenv(3) for failure, and deal appropriately
2000-09-05 - (djm) Merge cygwin support from Corinna Vinschen <>Damien Miller
2000-08-23 - (djm) Pick up LOGIN_PROGRAM from environment or PATH if not set by headersDamien Miller
- (djm) OpenBSD CVS updates: - 2000/08/18 20:07:23 [ssh.c] accept remsh as a valid name as well; - 2000/08/18 20:17:13 [deattack.c crc32.c packet.c] rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to libz crc32 function yet, because it has ugly "long"'s in it; - 2000/08/18 20:26:08 [scp.1 scp.c] -S prog support; - 2000/08/18 20:50:07 [scp.c] knf - 2000/08/18 20:57:33 [log-client.c] shorten - 2000/08/19 12:48:11 [channels.c channels.h clientloop.c ssh.c ssh.h] support for ~. in ssh2 - 2000/08/19 15:29:40 [crc32.h] proper prototype - 2000/08/19 15:34:44 [authfd.c authfd.h key.c key.h ssh-add.1 ssh-add.c ssh-agent.1] [ssh-agent.c ssh-keygen.c sshconnect1.c sshconnect2.c Makefile] [fingerprint.c fingerprint.h] add SSH2/DSA support to the agent and some other DSA related cleanups. (note that we cannot talk to's ssh2 agents) - 2000/08/19 15:55:52 [channels.c channels.h clientloop.c] more ~ support for ssh2 - 2000/08/19 16:21:19 [clientloop.c] oops - 2000/08/20 12:25:53 [session.c] We have to stash the result of get_remote_name_or_ip() before we close our socket or getpeername() will get EBADF and the process will exit. Only a problem for "UseLogin yes". - 2000/08/20 12:30:59 [session.c] Only check /etc/nologin if "UseLogin no" since login(1) may have its own policy on determining who is allowed to login when /etc/nologin is present. Also use the _PATH_NOLOGIN define. - 2000/08/20 12:42:43 [auth1.c auth2.c session.c ssh.c] Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class. - 2000/08/21 10:23:31 [session.c] Fix incorrect PATH setting; noted by Markus.
2000-07-08*** empty log message ***Damien Miller
2000-07-01 - (djm) Fix Tru64 SIA problems reported by John P Speno <>Damien Miller
2000-06-28 - (djm) Added patch from Chris Adams <> to add OSF SIADamien Miller
support. Enable using "USE_SIA=1 ./configure [options]"
2000-05-17 - Applied Tom Bertelson's <> AIX authentication fixDamien Miller
2000-04-30 - More OpenBSD updates:Damien Miller
[session.c] - don't call chan_write_failed() if we are not writing [auth-rsa.c auth1.c authfd.c hostfile.c ssh-agent.c] - keysize warnings error() -> log()
2000-04-29 - Merge big update to OpenSSH-2.0 from OpenBSD CVSDamien Miller
[README.openssh2] - interop w/ F-secure windows client - sync documentation - ssh_host_dsa_key not ssh_dsa_key [auth-rsa.c] - missing fclose [auth.c authfile.c compat.c dsa.c dsa.h hostfile.c key.c key.h radix.c] [readconf.c readconf.h ssh-add.c ssh-keygen.c ssh.c ssh.h sshconnect.c] [sshd.c uuencode.c uuencode.h authfile.h] - add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] for trading keys with the real and the original SSH, directly from the people who invented the SSH protocol. [auth.c auth.h authfile.c sshconnect.c auth1.c auth2.c sshconnect.h] [sshconnect1.c sshconnect2.c] - split auth/sshconnect in one file per protocol version [sshconnect2.c] - remove debug [uuencode.c] - add trailing = [version.h] - OpenSSH-2.0 [ssh-keygen.1 ssh-keygen.c] - add -R flag: exit code indicates if RSA is alive [sshd.c] - remove unused silent if -Q is specified [ssh.h] - host key becomes /etc/ssh_host_dsa_key [readconf.c servconf.c ] - ssh/sshd default to proto 1 and 2 [uuencode.c] - remove debug [auth2.c ssh-keygen.c sshconnect2.c sshd.c] - xfree DSA blobs [auth2.c serverloop.c session.c] - cleanup logging for sshd/2, respect PasswordAuth no [sshconnect2.c] - less debug, respect .ssh/config [README.openssh2 channels.c channels.h] - clientloop.c session.c ssh.c - support for x11-fwding, client+server