| #
856b6ee8 |
| 14-Oct-2024 |
djm <djm@openbsd.org> |
Split per-connection sshd-session binary
This splits the user authentication code from the sshd-session binary into a separate sshd-auth binary. This will be executed by sshd-session to complete the user authentication phase of the protocol only.
Splitting this code into a separate binary ensures that the crucial pre-authentication attack surface has an entirely disjoint address space from the code used for the rest of the connection. It also yields a small runtime memory saving as the authentication code will be unloaded after the authentication phase completes.
Joint work with markus@ feedback deraadt@
Tested in snaps since last week
|
| #
71f11376 |
| 17-May-2024 |
djm <djm@openbsd.org> |
Start the process of splitting sshd into separate binaries. This step splits sshd into a listener and a session binary. More splits are planned.
After this change, the listener binary will validate the configuration, load the hostkeys, listen on port 22 and manage MaxStartups only. All session handling will be performed by a new sshd-session binary that the listener fork+execs.
This reduces the listener process to the minimum necessary and sets us up for future work on the sshd-session binary.
feedback/ok markus@ deraadt@
NB. if you're updating via source, please restart sshd after installing, otherwise you run the risk of locking yourself out.
|
| #
19e6a92c |
| 31-Oct-2019 |
djm <djm@openbsd.org> |
ssh-agent support for U2F/FIDO keys
feedback & ok markus@
|
| #
e34d2894 |
| 10-Dec-2017 |
deraadt <deraadt@openbsd.org> |
ssh/lib hasn't worked towards our code-sharing goals for quite a while, perhaps it is too verbose? Change each */Makefile to specify exactly what sources that program requires, compiling it separate. Maybe we'll iterate by sorting those into separable chunks, splitting up files which contain common code + server/client specific code, or whatnot. But this isn't one step, or we'd have done it a long time ago.. ok dtucker markus djm
|
| #
55b8f34c |
| 09-Feb-2010 |
markus <markus@openbsd.org> |
enable PKCS#11 code; ok djm
|
| #
e9a94b11 |
| 08-Feb-2010 |
markus <markus@openbsd.org> |
remove obsolete scard code
|
| #
41503faf |
| 08-Feb-2010 |
markus <markus@openbsd.org> |
replace our obsolete smartcard code with PKCS#11. ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11 provider (shared library) while ssh-agent(1) delegates PKCS#11 to a forked ssh-pkcs11-helper process. PKCS#11 is currently a compile time option. feedback and ok djm@; inspired by patches from Alon Bar-Lev
|
| #
fd5e0d82 |
| 01-Dec-2003 |
grange <grange@openbsd.org> |
Use ${INSTALL} instead of install; from art's amd64 tree. ok markus@
|
| #
44c8244e |
| 23-May-2002 |
markus <markus@openbsd.org> |
add /usr/libexec/ssh-keysign: a setuid helper program for hostbased authentication in protocol v2 (needs to access the hostkeys).
|
| #
0662dc2c |
| 09-Feb-2002 |
deraadt <deraadt@openbsd.org> |
move ssh config files to /etc/ssh
|
| #
a5860762 |
| 28-Jun-2001 |
markus <markus@openbsd.org> |
ssh java cardlet for smartcard support (source and uuencoded binary)
|
| #
740860f2 |
| 04-Feb-2001 |
djm <djm@openbsd.org> |
Basic interactive sftp client; ok theo@
|
| #
3846f8ff |
| 04-Dec-2000 |
markus <markus@openbsd.org> |
David Maziere's ssh-keyscan, ok niels@
|
| #
b66fbe9e |
| 31-Aug-2000 |
markus <markus@openbsd.org> |
implement a SFTP server. interops with sftp2, scp2 and the windows client from ssh.com
|
| #
492e465e |
| 25-Oct-1999 |
markus <markus@openbsd.org> |
move common files to ./lib and link libssh.a, tested with and w/o obj
|
| #
b130d206 |
| 27-Sep-1999 |
deraadt <deraadt@openbsd.org> |
fix distribution target
|
| #
d29b4e99 |
| 26-Sep-1999 |
deraadt <deraadt@openbsd.org> |
distribution target
|
| #
ceff9734 |
| 26-Sep-1999 |
deraadt <deraadt@openbsd.org> |
build ssh components using our build model
|
| #
84959968 |
| 26-Sep-1999 |
deraadt <deraadt@openbsd.org> |
i bet a lot of people didn't know that ssh 1.2.16 had a nice license. well, except for the patent issues. someone in sweden (forget their name at the moment) cleaned out most of the patented code, and now this code removes rsa code. when this is done, it will link against libssl, but the work isn't completely done yet. then we need to bring this up to modern days, featurewise.
|