changeset | 1489449eceb1 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Check authorized_keys permissions as the user This is necessary on NFS with squash root. Based on work from Chris Dragan This commit also tidies some trailing whitespace. Fixes github pull #107 |
files |
changeset | f8ed10efaaac |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Print the key type in "Pubkey auth succeeded" |
files |
changeset | a7b66ea18632 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Don't set pubkey_info directly in checkpubkey_line This makes it safe to use from fuzzer-pubkey without leaking the value since the cleanup isn't called |
files |
changeset | 5d8dbb6fdab7 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Fix SSH_PUBKEYINFO, limit characters, add tests We fix a bad_bufptr() failure from a previous commit. We now limit the allowed characters to those that will definitely be safe in a shell. Some scripts/programs may use arbitrary environment variables without escaping correctly - that could be a problem in a restricted environment. The current allowed set is a-z A-Z 0-9 .,_-+@ This also adds a test for SSH_PUBKEYINFO, by default it only runs under github actions (or "act -j build"). |
files |
changeset | f54451afc046 |
---|---|
branch | |
bookmark | |
tag | |
user | HansH111 <hans@atbas.org> |
description | use buf_getptr and m_free on every iteration before m_malloc to ensure no memory leaks are happening |
files |
changeset | d39cfedaf015 |
---|---|
branch | |
bookmark | |
tag | |
user | HansH111 <hans@atbas.org> |
description | extract pubkey_info when successfully auth with a key and free it in the cleanup function |
files |
changeset | 064f5be2fc45 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Add buf_decrpos() |
files |
changeset | ae41624c2198 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | split signkey_type and signature_type for RSA sha1 vs sha256 |
files |
changeset | ba6fc7afe1c5 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | use sigtype where appropriate |
files |
changeset | cc0fc5131c5c |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Rename EPKA -> Plugin |
files |
changeset | 76189c9ffea2 |
---|---|
branch | |
bookmark | |
tag | |
user | fabriziobertocci <fabriziobertocci@gmail.com> |
description | External Public-Key Authentication API (#72) * Implemented dynamic loading of an external plug-in shared library to delegate public key authentication * Moved conditional compilation of the plugin infrastructure into the configure.ac script to be able to add -ldl to dropbear build only when the flag is enabled * Added tags file to the ignore list * Updated API to have the constructor to return function pointers in the plugin instance. Added support for passing user name to the checkpubkey function. Added options to the session returned by the plugin and have dropbear to parse and process them * Added -rdynamic to the linker flags when EPKA is enabled * Changed the API to pass a previously created session to the checkPubKey function (created during preauth) * Added documentation to the API * Added parameter addrstring to plugin creation function * Modified the API to retrieve the auth options. Instead of having them as field of the EPKASession struct, they are stored internally (plugin-dependent) in the plugin/session and retrieved through a pointer to a function (in the session) * Changed option string to be a simple char * instead of unsigned char * |
files |
changeset | 592a18dac250 |
---|---|
branch | |
bookmark | |
tag | |
user | Patrick Stewart <patstew@gmail.com> |
description | Support servers without multiple user support (#76) |
files |
changeset | 9579377b5f8b |
---|---|
branch | |
bookmark | |
tag | |
user | François Perrad <francois.perrad@gadz.org> |
description | use strlcpy & strlcat (#74) * refactor checkpubkeyperms() with safe BSD functions fix gcc8 warnings ``` svr-authpubkey.c: In function 'checkpubkeyperms': svr-authpubkey.c:427:2: warning: 'strncat' specified bound 5 equals source length [-Wstringop-overflow=] strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ svr-authpubkey.c:433:2: warning: 'strncat' specified bound 16 equals source length [-Wstringop-overflow=] strncat(filename, "/authorized_keys", 16); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ``` see https://www.sudo.ws/todd/papers/strlcpy.html * restore strlcpy in xstrdup see original https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/xmalloc.c?rev=1.16 |
files |
changeset | 1fbe598a14fb |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Merge bugfix delay invalid users |
files |
changeset | 5d2d1021ca00 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Wait to fail invalid usernames |
files |
changeset | dc7c9fdb3716 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | don't allow null characters in authorized_keys |
files |
changeset | 252b406d0e9a |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | avoid leak of pubkey_options |
files |
changeset | 2f64cb3d3007 |
---|---|
branch | fuzz |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | - #if not #ifdef for DROPBEAR_FUZZ - fix some unused variables |
files |
changeset | 5916af64acd4 |
---|---|
branch | fuzz |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | merge from main |
files |
changeset | 35f38af1238b |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Remove accidentally committed DROPBEAR_FUZZ |
files |
changeset | fb90a5ba84e0 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Merge pull request #49 from fperrad/20170812_lint Some linting, const parameters |
files |
changeset | 06d52bcb8094 |
---|---|
branch | |
bookmark | |
tag | |
user | Francois Perrad <francois.perrad@gadz.org> |
description | Pointer parameter could be declared as pointing to const |
files |
changeset | 15d4b821bcc9 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | fix checkpubkey_line function name for TRACE |
files |
changeset | 7e95ab97d2b0 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | fix pubkey authentication return value |
files |
changeset | 9e9c8d37fd56 |
---|---|
branch | fuzz |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | limit input size |
files |
changeset | de1d895b1cae |
---|---|
branch | fuzz |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | don't exit encountering short lines |
files |
changeset | 10df23099071 |
---|---|
branch | fuzz |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | split out checkpubkey_line() separately |
files |
changeset | 8747c2b19152 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | merge 2017.75 |
files |
changeset | 0d889b068123 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | switch user when opening authorized_keys |
files |
changeset | 750ec4ec4cbe |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Convert #ifdef to #if, other build changes |
files |
changeset | 9169e4e7cbee |
---|---|
branch | |
bookmark | |
tag | |
user | Francois Perrad <francois.perrad@gadz.org> |
description | fix empty C prototypes |
files |
changeset | aaf576b27a10 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Merge pull request #13 from gazoo74/fix-warnings Fix warnings |
files |
changeset | 83025b7063ec |
---|---|
branch | |
bookmark | |
tag | |
user | Gaël PORTAY <gael.portay@gmail.com> |
description | Turn checkpubkey() and send_msg_userauth_pk_ok()'s algo argument into char * |
files |
changeset | c45d65392c1a |
---|---|
branch | |
bookmark | |
tag | |
user | Gaël PORTAY <gael.portay@gmail.com> |
description | Fix pointer differ in signedness warnings [-Werror=pointer-sign] |
files |
changeset | 703c7cdd2577 |
---|---|
branch | nocircbuffer |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Fix pubkey auth after change to reuse ses.readbuf as ses.payload (4d7b4c5526c5) |
files |
changeset | b11cb2518116 |
---|---|
branch | ecc |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Don't exit fatally if authorized_keys has a line like command="something" ssh-rsa |
files |
changeset | 7540c0822374 |
---|---|
branch | ecc |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Various cleanups and fixes for warnings |
files |
changeset | a78a38e402d1 |
---|---|
branch | ecc |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | - Fix various hardcoded uses of SHA1 - rename curves to nistp256 etc - fix svr-auth.c TRACE problem |
files |
changeset | ac2158e3e403 |
---|---|
branch | ecc |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | ecc kind of works, needs fixing/testing |
files |
changeset | a98a2138364a |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Improve capitalisation for all logged strings |
files |
changeset | df7f7da7f6e4 |
---|---|
branch | pubkey-options |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | - Rework pubkey options to be more careful about buffer lengths. Needs review. |
files |
changeset | 52a644e7b8e1 |
---|---|
branch | pubkey-options |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | * Patch from Frédéric Moulins adding options to authorized_keys. Needs review. |
files |
changeset | 4317be8b7cf9 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Make a copy of passwd fields since getpwnam()'s retval isn't safe to keep |
files |
changeset | 7282370416a0 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Improve known_hosts checking. |
files |
changeset | bf64e666f99b |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Log when pubkey auth fails because of bad pubkey perms/ownership |
files |
changeset | c5d3ef11155f |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | * use own assertions which should get logged properly |
files |
changeset | 161557a9dde8 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | * fix longstanding bug with connections being closed on failure to connect to auth socket (server) * differentiate between get_byte and get_bool * get rid of some // comments * general tidying |
files |
changeset | 0cfba3034be5 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place |
files |
changeset | 364a75cfebab |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Log the IP along with auth success/fail attempts |
files |
changeset | b0316ce64e4b |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Merging in the changes from 0.41-0.43 main Dropbear tree |
files |
changeset | eee77ac31ccc |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | cleaning up the pubkey defines |
files |
changeset | 095d689fed16 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | - Hostkey checking is mostly there, just aren't appending yet. - Rearranged various bits of the fingerprint/base64 type code, so it can be shared between versions |
files |
changeset | 45edf30ea0a6 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Improved signkey code |
files |
changeset | f789045062e6 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Progressing client support |
files |
changeset | fe6bca95afa7 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Makefile.in contains updated files required |
files |