eead3eb2 | 18-Dec-2023 | djm <djm@openbsd.org>
Make it possible to load certs from PKCS#11 tokens
Adds a protocol extension to allow grafting certificates supplied by ssh-add to keys loaded from PKCS#11 tokens in the agent.
feedback/ok markus@

82d651da | 19-Dec-2021 | djm <djm@openbsd.org>
ssh-add side of destination constraints
Have ssh-add accept a list of "destination constraints" that allow restricting where keys may be used in conjunction with a ssh-agent/ssh that supports session ID/hostkey binding.
Constraints are specified as either "[user@]host-pattern" or "host-pattern>[user@]host-pattern".
The first form permits a key to be used to authenticate as the specified user to the specified host.
The second form permits a key that has previously been permitted for use at a host to be available via a forwarded agent to an additional host.
For example, constraining a key with "user1@host_a" and "host_a>host_b" would permit authentication as "user1" at "host_a", and allow the key to be available on an agent forwarded to "host_a" only for authentication to "host_b". The key would not be visible on an agent forwarded to other hosts or usable for authentication there.
Internally, destination constraints use host keys to identify hosts. The host patterns are used to obtain lists of host keys for that destination that are communicated to the agent. The user/hostkeys are encoded using a new restrict-destination-v00@openssh.com key constraint.
Host keys are looked up in the default client user/system known_hosts files. It is possible to override this set on the command-line.
feedback Jann Horn & markus@ ok markus@

798a6ad5 | 19-Dec-2021 | djm <djm@openbsd.org>
ssh client side of binding
Send the session ID, hostkey, signature and a flag indicating whether the agent connection is being forwarded to ssh-agent each time a connection is opened, via a new "session-bind@openssh.com" agent extension.
ok markus@
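The two commits above (destination constraints supplied by ssh-add, and the session-bind@openssh.com messages sent by ssh) together define a policy the agent can enforce per key. The following Python is an added model of that check written for this page, not OpenSSH code. It assumes: host keys are stand-in strings (the real agent compares actual host public keys), the known_hosts lookup is a constructed dict, constraint matching follows the description in the ssh-add commit (a "[user@]host" constraint covers the first hop, a "src>dst" constraint covers a later hop whose previous hop was src, and the user is checked only on the final hop), and every hop before the last is assumed to have been reported as a forwarding connection.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import FrozenSet, List, Optional

# Constructed stand-in for the client's known_hosts: host name -> host key ids.
# In OpenSSH these would be the real host public keys matched by the pattern.
KNOWN_HOSTS = {
    "host_a": ["hk-a"],
    "host_b": ["hk-b-rsa", "hk-b-ed25519"],   # a host may have several host keys
    "host_c": ["hk-c"],
}


@dataclass(frozen=True)
class Dest:
    user: Optional[str]            # None: any user
    hostkeys: FrozenSet[str]       # empty: "from anywhere" (only valid as a source)


@dataclass(frozen=True)
class Constraint:
    src: Dest
    dst: Dest


ANYWHERE = Dest(None, frozenset())


def parse_dest(spec: str) -> Dest:
    """'[user@]host-pattern' -> Dest with the pattern resolved to host keys."""
    user, _, pattern = spec.rpartition("@")
    keys = {hk for name, hks in KNOWN_HOSTS.items()
            if fnmatchcase(name, pattern) for hk in hks}
    if not keys:
        raise ValueError(f"no host keys known for {pattern!r}")
    return Dest(user or None, frozenset(keys))


def parse_constraint(spec: str) -> Constraint:
    """'[user@]host' (usable from anywhere) or 'host>[user@]host' (usable only
    via an agent forwarded to the first host, for authentication to the second)."""
    if ">" in spec:
        src, dst = spec.split(">", 1)
        return Constraint(parse_dest(src), parse_dest(dst))
    return Constraint(ANYWHERE, parse_dest(spec))


@dataclass(frozen=True)
class Binding:
    """One session-bind message as the agent records it: the host key the client
    authenticated, and whether that connection forwards the agent onward."""
    hostkey: str
    forwarding: bool


def key_permitted(constraints: List[Constraint], bindings: List[Binding],
                  user: Optional[str]) -> bool:
    """Decide whether a key may sign a userauth request for `user` at the last
    bound host, given the chain of bindings the agent has seen on this socket."""
    if not constraints:
        return True                   # unconstrained key: behaves as before
    if not bindings:
        return False                  # constrained key, no bound session: refuse
    if not all(b.forwarding for b in bindings[:-1]):
        return False                  # assumption: inner hops must have forwarded
    prev: Optional[str] = None
    for i, b in enumerate(bindings):
        last = i == len(bindings) - 1
        for c in constraints:
            if prev is None:
                if c.src.hostkeys:        # first hop: only "from anywhere" rules
                    continue
            elif prev not in c.src.hostkeys:
                continue
            if b.hostkey not in c.dst.hostkeys:
                continue
            if last and user is not None and c.dst.user not in (None, user):
                continue
            break                         # this constraint covers the hop
        else:
            return False                  # no constraint covers this hop
        prev = b.hostkey
    return True


def key_visible(constraints: List[Constraint], bindings: List[Binding]) -> bool:
    """Listing identities: the user is not known yet, so only hosts are checked."""
    return key_permitted(constraints, bindings, None)


if __name__ == "__main__":
    cs = [parse_constraint("user1@host_a"), parse_constraint("host_a>host_b")]
    print(key_permitted(cs, [Binding("hk-a", False)], "user1"))                          # True
    print(key_permitted(cs, [Binding("hk-a", True), Binding("hk-b-rsa", False)], "bob"))  # True
    print(key_permitted(cs, [Binding("hk-a", True), Binding("hk-c", False)], "user1"))    # False
```

Walking the commit message's own example: "user1@host_a" plus "host_a>host_b" lets the key authenticate as user1 at host_a, lets an agent forwarded to host_a use it only towards host_b, and hides it from an agent forwarded to host_c. In OpenSSH these constraints are passed to ssh-add with -h (and -H to substitute a different known_hosts file for the host-key lookup); a ssh that does not send session-bind@openssh.com cannot use a constrained key at all, which is the fail-closed behaviour this model keeps.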

9f201044 | 26-Jun-2020 | djm <djm@openbsd.org>
constify a few things; ok dtucker (as part of another diff)

388f6d08 | 21-Dec-2019 | djm <djm@openbsd.org>
Allow forwarding a different agent socket to the path specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to accepting an explicit path or the name of an environment variable in addition to yes/no.
Patch by Eric Chiang, manpage by me; ok markus@

24952783 | 31-Oct-2019 | djm <djm@openbsd.org>
add new agent key constraint for U2F/FIDO provider
feedback & ok markus@

a3d3c87f | 03-Sep-2019 | djm <djm@openbsd.org>
authfd: add function to check if key is in agent
This commit adds a helper function which allows the caller to check if a given public key is present in ssh-agent.
work by Sebastian Kinne; ok markus@

707316f9 | 21-Jun-2019 | djm <djm@openbsd.org>
Add protection for private keys at rest in RAM against speculation and memory sidechannel attacks like Spectre, Meltdown, Rowhammer and Rambleed. This change encrypts private keys when they are not in use with a symmetric key that is derived from a relatively large "prekey" consisting of random data (currently 16KB).
Attackers must recover the entire prekey with high accuracy before they can attempt to decrypt the shielded private key, but the current generation of attacks have bit error rates that, when applied cumulatively to the entire prekey, make this unlikely.
Implementation-wise, keys are encrypted ("shielded") when loaded and then automatically and transparently unshielded when used for signatures or when being saved/serialised.
Hopefully we can remove this in a few years time when computer architecture has become less unsafe.
been in snaps for a bit already; thanks deraadt@
ok dtucker@ deraadt@
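The commit above describes the shielding scheme and why a large prekey defeats attacks with a non-zero bit error rate. The following Python is an added illustration of that argument written for this page, not OpenSSH's implementation: the KDF is a single SHA-512 over the whole prekey and the cipher is HMAC-SHA256 in counter mode, both stand-ins chosen so the example needs only the standard library (OpenSSH derives a key and IV for aes256-ctr). The private key bytes and the attacker's bit error rate are constructed inputs.

```python
import hashlib
import hmac
import os
import random

PREKEY_LEN = 16 * 1024     # 16KB of random data, the size named in the commit message


def derive_key(prekey: bytes) -> bytes:
    # Stand-in KDF: one hash over the entire prekey, so every prekey bit
    # influences the resulting key and a single recovery error changes it.
    return hashlib.sha512(prekey).digest()[:32]


def keystream(key: bytes, nbytes: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 in counter mode (OpenSSH uses aes256-ctr).
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:nbytes])


def shield(private_key: bytes):
    """Encrypt a private key at rest; returns (prekey, ciphertext).
    Both blobs stay in memory; the plaintext key does not."""
    prekey = os.urandom(PREKEY_LEN)
    ks = keystream(derive_key(prekey), len(private_key))
    return prekey, bytes(a ^ b for a, b in zip(private_key, ks))


def unshield(prekey: bytes, ciphertext: bytes) -> bytes:
    """Transparent decryption before a signature or serialisation."""
    ks = keystream(derive_key(prekey), len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


def flip_bits(data: bytes, ber: float, seed: int = 0) -> bytes:
    """Simulate a memory-disclosure attack that reads `data` with bit error
    rate `ber` (each bit independently wrong with probability `ber`)."""
    rng = random.Random(seed)
    buf = bytearray(data)
    for i in range(len(buf) * 8):
        if rng.random() < ber:
            buf[i // 8] ^= 1 << (i % 8)
    return bytes(buf)


def p_exact_recovery(nbytes: int, ber: float) -> float:
    """Probability that every one of nbytes*8 bits is read without error,
    i.e. that the attacker can reconstruct the key at all."""
    return (1.0 - ber) ** (nbytes * 8)


def demo(ber: float = 1e-4):
    """Shield a constructed key, then try to unshield it with a prekey the
    attacker recovered at the given bit error rate."""
    secret = b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + bytes(range(64))  # constructed
    prekey, ct = shield(secret)
    assert unshield(prekey, ct) == secret            # legitimate path round-trips
    leaked_prekey = flip_bits(prekey, ber, seed=1)   # ~13 of 131072 bits wrong
    attacker_got_key = unshield(leaked_prekey, ct) == secret
    return attacker_got_key, p_exact_recovery(PREKEY_LEN, ber)


if __name__ == "__main__":
    recovered, p_ok = demo()
    print(f"attacker recovered key: {recovered}; P(error-free prekey read) = {p_ok:.2e}")
```

With a 16KB prekey an error rate of one bit in ten thousand gives roughly a 2e-6 chance of an error-free read, and because the whole prekey is hashed there is no partial credit: one wrong bit yields an unrelated key and an unrelated plaintext. A 32-byte key read directly at the same error rate would survive about 97% of the time, which is the gap the large prekey is meant to open.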

7920fe40 | 12-Jul-2018 | djm <djm@openbsd.org>
remove prototype to long-gone function

a6be8e7c | 23-Feb-2018 | markus <markus@openbsd.org>
Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures). The code is not compiled in by default (see WITH_XMSS in Makefile.inc). Joint work with stefan-lukas_gazdag at genua.eu. See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@

1c657780 | 10-Feb-2018 | djm <djm@openbsd.org>
constify some private key-related functions; based on https://github.com/openssh/openssh-portable/pull/56 by Vincent Brillault

8705e2e1 | 28-Jun-2017 | djm <djm@openbsd.org>
Allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 ok markus

d4984305 | 05-May-2017 | naddy <naddy@openbsd.org>
more simplification and removal of SSHv1-related code; ok djm@

321f30e3 | 04-Dec-2015 | markus <markus@openbsd.org>
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@

b7e9f6c7 | 14-Jan-2015 | djm <djm@openbsd.org>
move authfd.c and its tentacles to the new buffer/key API; ok markus@

5d5698f1 | 27-Aug-2009 | djm <djm@openbsd.org>
Do not fall back to adding keys without constraints (ssh-add -c / -t ...) when the agent refuses the constrained add request. This was a useful migration measure back in 2002 when constraints were new, but just adds risk now.
bz #1612, report and patch from dkg AT fifthhorseman.net; ok markus@

bd9502d5 | 03-Aug-2006 | deraadt <deraadt@openbsd.org>
almost entirely get rid of the culture of ".h files that include .h files"; ok djm, sort of ok stevesk; makes the pain stop in one easy step

84cabb10 | 25-Mar-2006 | djm <djm@openbsd.org>
standardise spacing in $OpenBSD$ tags; requested by deraadt@

30e570c7 | 21-Nov-2003 | djm <djm@openbsd.org>
unexpand and delete whitespace at EOL; ok markus@

006fce9f | 11-Jun-2003 | djm <djm@openbsd.org>
make agent constraints (lifetime, confirm) work with smartcard keys; ok markus@

12af6642 | 23-Jan-2003 | markus <markus@openbsd.org>
ssh-add -c, prompt user for confirmation (using ssh-askpass) when private agent key is used; with djm@; test by dugsong@, djm@; ok deraadt@

98d71954 | 11-Sep-2002 | stevesk <stevesk@openbsd.org>
don't connect to agent to test for presence if we've previously connected; ok markus@

4d92f097 | 19-Jun-2002 | deraadt <deraadt@openbsd.org>
KNF done automatically while reading....

e01d29b9 | 15-Jun-2002 | markus <markus@openbsd.org>
remove the CONSTRAIN_IDENTITY messages and introduce a new ADD_ID message with constraints instead. Constraints can only be added together with the private key.

f5a3f9f6 | 15-Jun-2002 | markus <markus@openbsd.org>
fix stupid typo