| #
296781 |
|
12-Mar-2016 |
des |
MFH (r296633): upgrade to 7.2p2 (fixes xauth command injection bug)
MFH (r296634): re-add aes-cbc to server-side default cipher list
MFH (r296651, r296657): fix gcc build of pam_ssh
PR: 207679
Security: CVE-2016-3115
|
| #
295367 |
|
07-Feb-2016 |
des |
MFH (r265214, r294333, r294407, r294467): misc prop fixes
MFH (r285975, r287143): register mergeinfo for security fixes
MFH (r294497, r294498, r295139): internal documentation
MFH (r294328): upgrade to openssh 6.7p1, re-add libwrap
MFH (r294332): upgrade to openssh 6.8p1
MFH (r294367): update pam_ssh for api changes
MFH (r294909): switch usedns back on
MFH (r294336): upgrade to openssh 6.9p1
MFH (r294495): re-enable dsa keys
MFH (r294464): upgrade to openssh 7.0p1
MFH (r294496): upgrade to openssh 7.1p2
Approved by: re (gjb)
Relnotes: yes
|
| #
256281 |
|
10-Oct-2013 |
gjb |
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation |
| #
236106 |
|
26-May-2012 |
des |
Passing NULL as a key casues a segfault when loading SSH 1 keys. Use
an empty string instead.
|
| #
227757 |
|
20-Nov-2011 |
des |
key_load_private() ignores the passphrase argument if the private key
is unencrypted. This defeats the nullok check, because it means a
non-null passphrase will successfully unlock the key.
To address this, try at first to load the key without a passphrase.
If this succeeds and the user provided a non-empty passphrase *or*
nullok is false, reject the key.
MFC after: 1 week
Noticed by: Guy Helmer <guy.helmer@palisadesystems.com>
|
| #
226101 |
|
07-Oct-2011 |
des |
Load the ECDSA key if there is one.
MFC after: 1 week
|
| #
219426 |
|
09-Mar-2011 |
des |
No newline required.
MFC after: 2 weeks
|
| #
204917 |
|
09-Mar-2010 |
des |
Upgrade to OpenSSH 5.4p1.
MFC after: 1 month
|
| #
174837 |
|
21-Dec-2007 |
des |
Adjust for OpenPAM Hydrangea.
|
| #
162900 |
|
30-Sep-2006 |
ru |
Fix build.
|
| #
150596 |
|
26-Sep-2005 |
des |
Correct the logic for determining whether the user has already entered
a password. Also, work around some harmless type pun warnings.
MFC after: 3 days
|
| #
150455 |
|
22-Sep-2005 |
des |
Do not use passphraseless keys for authentication unless the nullok
option was specified.
PR: bin/81231
Submitted by: "Daniel O'Connor" <doconnor@gsoft.com.au>
MFC after: 3 days
|
| #
150426 |
|
21-Sep-2005 |
des |
Narrow the use of user credentials.
Fix one case where openpam_restore_cred() might be called twice in a row.
MFC after: 3 days
|
| #
125650 |
|
10-Feb-2004 |
des |
Fix numerous constness and aliasing issues.
|
| #
120231 |
|
19-Sep-2003 |
des |
Ignore ECHILD from waitpid(2) (our child may have been reaped by the
calling process's SIGCHLD handler)
PR: bin/45669
|
| #
110653 |
|
10-Feb-2003 |
des |
Use pam_get_user(3) instead of pam_get_item(3) where appropriate.
|
| #
110598 |
|
09-Feb-2003 |
des |
Complete rewrite of pam_ssh(8). The previous version was becoming hard
to maintain, and had security issues which would have required a major
rewrite to address anyway.
This implementation currently starts a separate agent for each session
instead of connecting each new session to the agent started by the first
one. While this would be a Good Thing (and the old pam_ssh(8) tried to
do it), it's hard to get right. I'll revisit this issue when I've had a
chance to test some modifications to ssh-agent(1).
|
| #
107934 |
|
16-Dec-2002 |
des |
Merge in most non-style differences from Andrew Korty's pam_ssh 1.7.
|
| #
94564 |
|
12-Apr-2002 |
des |
Major cleanup:
- add __unused where appropriate
- PAM_RETURN -> return since OpenPAM already logs the return value.
- make PAM_LOG use openpam_log()
- make PAM_VERBOSE_ERROR use openpam_get_option() and check flags
for PAM_SILENT
- remove dummy functions since OpenPAM handles missing service
functions
- fix various warnings
Sponsored by: DARPA, NAI Labs
|
| #
94217 |
|
08-Apr-2002 |
des |
Remove debugging code that was inadvertantly brought in by previous commit.
|
| #
94216 |
|
08-Apr-2002 |
des |
Use OpenPAM's credential switching functions.
Sponsored by: DARPA, NAI Labs
|
| #
93984 |
|
06-Apr-2002 |
des |
Aggressive cleanup of warnings + authtok-related code in preparation for
PAMifying passwd(1).
Sponsored by: DARPA, NAI Labs.
|
| #
93907 |
|
05-Apr-2002 |
des |
Remove some duplicate free()s and add some that were missing.
Submitted by: tmm
|
| #
93875 |
|
05-Apr-2002 |
des |
pam_get_pass() -> pam_get_authtok()
|
| #
93804 |
|
04-Apr-2002 |
des |
Upgrade to something quite close, but not identical, to version 1.6 of
Andrew Korty's pam_ssh. The most notable difference is that this uses
commas rather than colons to separate items in the "keyfiles" option.
Sponsored by: DARPA, NAI Labs
|
| #
92297 |
|
14-Mar-2002 |
des |
NAI DBA update.
|
| #
91714 |
|
05-Mar-2002 |
des |
Switch to OpenPAM. Bump library version. Modules are now versioned, so
applications linked with Linux-PAM will still work.
Remove pam_get_pass(); OpenPAM has pam_get_authtok().
Remove pam_prompt(); OpenPAM has pam_{,v}{error,info,prompt}().
Remove pam_set_item(3) man page as OpenPAM has its own.
Sponsored by: DARPA, NAI Labs
|
| #
90229 |
|
05-Feb-2002 |
des |
#include cleanup.
Sponsored by: DARPA, NAI Labs
|
| #
90195 |
|
04-Feb-2002 |
des |
ssh_get_authentication_connection() gets its parameters from environment
variables, so temporarily switch to the PAM environment before calling it.
Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
|
| #
89760 |
|
24-Jan-2002 |
markm |
WARNS=4 fixes. Protect with NO_WERROR for the modules that have
warnings that are hard to fix or that I've been asked to leave alone.
|
| #
89753 |
|
24-Jan-2002 |
des |
PAM modules shouldn't call putenv(); pam_putenv() is sufficient. The
caller is supposed to check the PAM envlist and export the variables it
contains; if it doesn't, it's broken.
Sponsored by: DARPA, NAI Labs
|
| #
89703 |
|
23-Jan-2002 |
ru |
Make libssh.so useable (undefined reference to IPv4or6).
Reviewed by: des, markm
Approved by: markm
|
| #
87564 |
|
09-Dec-2001 |
des |
Back out previous commit.
Requested by: ru
|
| #
87488 |
|
07-Dec-2001 |
des |
Get pam_mod_misc.h from .CURDIR rather than .OBJDIR or /usr/include.
Sponsored by: DARPA, NAI Labs
|
| #
87398 |
|
05-Dec-2001 |
des |
Add dummy functions for all module types. These dummies return PAM_IGNORE
rather than PAM_SUCCESS, so you'll get a failure if you list dummies but
no real modules for a particular module chain.
Sponsored by: DARPA, NAI Labs
|
| #
87098 |
|
29-Nov-2001 |
green |
Fix pam_ssh by adding an IPv4or6 (evidently, this was broken by my last
OpenSSH import) declaration and strdup(3)ing a value which is later
free(3)d, rather than letting the system try to free it invalidly.
|
| #
84218 |
|
30-Sep-2001 |
dillon |
Add __FBSDID()s to libpam
|
| #
81527 |
|
11-Aug-2001 |
markm |
Fix:
/usr/src/lib/libpam/modules/pam_ssh/pam_ssh.c has couple of bugs which cause:
1) xdm dumps core
2) ssh1 private key is not passed to ssh-agent
3) ssh2 RSA key seems not handled properly (just a guess from source)
4) ssh_get_authentication_connectionen() fails to get connection because of
SSH_AUTH_SOCK not defined.
PR: 29609
Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
|
| #
81476 |
|
10-Aug-2001 |
markm |
Code clean up; make logging same as other modules and fix warnings.
|
| #
81143 |
|
04-Aug-2001 |
markm |
Fix style/consistency in Makefile and repair static module building.
Submitted by: bde(partially)
|
| #
81036 |
|
02-Aug-2001 |
markm |
Repair the get/set UID() stuff so this works in both su(1) and login(1)
modes.
|
| #
80542 |
|
29-Jul-2001 |
markm |
(Re)Add an SSH module for PAM, heavily based on Andrew Korty's module
from ports.
|
| #
69590 |
|
05-Dec-2000 |
green |
Forgot to remove the old line in the last commit.
|
| #
69130 |
|
25-Nov-2000 |
green |
In env_destroy(), it is a bad idea to env_swap(self, 0) to switch
back to the original environ unconditionally. The setting of the
variable to save the previous environ is conditional; it happens when
ENV.e_committed is set. Therefore, don't try to swap the env back
unless the previous env has been initialized.
PR: bin/22670
Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
|
| #
69129 |
|
24-Nov-2000 |
billf |
Correct an arguement to ssh_add_identity, this matches what is currently
in ports/security/openssh/files/pam_ssh.c
PR: 22164
Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
Reviewed by: green
Approved by: green
|
| #
63249 |
|
16-Jul-2000 |
peter |
Forced commit. This is to try and help folks that used the international
crypto repo and have slightly different files but with the same version.
cvsup in 'checkout mode' has no trouble with this, but cvs can get really
silly about it.
|
| #
61087 |
|
30-May-2000 |
kris |
Update to the version of pam_ssh corresponding to OpenSSH 2.1 (taken
from the openssh port)
Submitted by: Hajimu UMEMOTO <ume@mahoroba.org>
|
| #
60938 |
|
26-May-2000 |
jake |
Back out the previous change to the queue(3) interface.
It was not discussed and should probably not happen.
Requested by: msmith and others
|
| #
60833 |
|
23-May-2000 |
jake |
Change the way that the queue(3) structures are declared; don't assume that
the type argument to *_HEAD and *_ENTRY is a struct.
Suggested by: phk
Reviewed by: phk
Approved by: mdodd
|
| #
58772 |
|
29-Mar-2000 |
kris |
Fix a memory leak.
PR: 17360
Submitted by: Andrew J. Korty <ajk@iu.edu>
|
| #
57496 |
|
26-Feb-2000 |
peter |
Redo this with a repo copy from the original file and reset the
__PREFIX__ markers.
|
| #
55166 |
|
28-Dec-1999 |
green |
Upgrade to the pam_ssh module, version 1.1..
(From the author:)
Primarily, I have added built-in functions for manipulating the
environment, so putenv() is no longer used. XDM and its variants
should now work without modification. Note that the new code uses
the macros in <sys/queue.h>.
Submitted by: Andrew J. Korty <ajk@iu.edu>
|
| #
53874 |
|
29-Nov-1999 |
green |
Add the PAM SSH RSA key authentication module. For example, you can add,
"login auth sufficient pam_ssh.so" to your /etc/pam.conf, and
users with a ~/.ssh/identity can login(1) with their SSH key :)
PR: 15158
Submitted by: Andrew J. Korty <ajk@waterspout.com>
Reviewed by: obrien
|