#
296781 |
|
12-Mar-2016 |
des |
MFH (r296633): upgrade to 7.2p2 (fixes xauth command injection bug)
MFH (r296634): re-add aes-cbc to server-side default cipher list
MFH (r296651, r296657): fix gcc build of pam_ssh
PR: 207679 Security: CVE-2016-3115
|
#
295367 |
|
07-Feb-2016 |
des |
MFH (r265214, r294333, r294407, r294467): misc prop fixes
MFH (r285975, r287143): register mergeinfo for security fixes
MFH (r294497, r294498, r295139): internal documentation
MFH (r294328): upgrade to openssh 6.7p1, re-add libwrap
MFH (r294332): upgrade to openssh 6.8p1
MFH (r294367): update pam_ssh for api changes
MFH (r294909): switch usedns back on
MFH (r294336): upgrade to openssh 6.9p1
MFH (r294495): re-enable dsa keys
MFH (r294464): upgrade to openssh 7.0p1
MFH (r294496): upgrade to openssh 7.1p2
Approved by: re (gjb) Relnotes: yes
|
#
256281 |
|
10-Oct-2013 |
gjb |
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
#
236106 |
|
26-May-2012 |
des |
Passing NULL as a key causes a segfault when loading SSH 1 keys. Use an empty string instead.
|
#
227757 |
|
20-Nov-2011 |
des |
key_load_private() ignores the passphrase argument if the private key is unencrypted. This defeats the nullok check, because it means a non-null passphrase will successfully unlock the key.
To address this, try at first to load the key without a passphrase. If this succeeds and the user provided a non-empty passphrase *or* nullok is false, reject the key.
MFC after: 1 week Noticed by: Guy Helmer <guy.helmer@palisadesystems.com>
|
#
226101 |
|
07-Oct-2011 |
des |
Load the ECDSA key if there is one.
MFC after: 1 week
|
#
219426 |
|
09-Mar-2011 |
des |
No newline required.
MFC after: 2 weeks
|
#
204917 |
|
09-Mar-2010 |
des |
Upgrade to OpenSSH 5.4p1.
MFC after: 1 month
|
#
174837 |
|
21-Dec-2007 |
des |
Adjust for OpenPAM Hydrangea.
|
#
162900 |
|
30-Sep-2006 |
ru |
Fix build.
|
#
150596 |
|
26-Sep-2005 |
des |
Correct the logic for determining whether the user has already entered a password. Also, work around some harmless type pun warnings.
MFC after: 3 days
|
#
150455 |
|
22-Sep-2005 |
des |
Do not use passphraseless keys for authentication unless the nullok option was specified.
PR: bin/81231 Submitted by: "Daniel O'Connor" <doconnor@gsoft.com.au> MFC after: 3 days
|
#
150426 |
|
21-Sep-2005 |
des |
Narrow the use of user credentials. Fix one case where openpam_restore_cred() might be called twice in a row.
MFC after: 3 days
|
#
125650 |
|
10-Feb-2004 |
des |
Fix numerous constness and aliasing issues.
|
#
120231 |
|
19-Sep-2003 |
des |
Ignore ECHILD from waitpid(2) (our child may have been reaped by the calling process's SIGCHLD handler)
PR: bin/45669
|
#
110653 |
|
10-Feb-2003 |
des |
Use pam_get_user(3) instead of pam_get_item(3) where appropriate.
|
#
110598 |
|
09-Feb-2003 |
des |
Complete rewrite of pam_ssh(8). The previous version was becoming hard to maintain, and had security issues which would have required a major rewrite to address anyway.
This implementation currently starts a separate agent for each session instead of connecting each new session to the agent started by the first one. While this would be a Good Thing (and the old pam_ssh(8) tried to do it), it's hard to get right. I'll revisit this issue when I've had a chance to test some modifications to ssh-agent(1).
|
#
107934 |
|
16-Dec-2002 |
des |
Merge in most non-style differences from Andrew Korty's pam_ssh 1.7.
|
#
94564 |
|
12-Apr-2002 |
des |
Major cleanup:
- add __unused where appropriate
- PAM_RETURN -> return since OpenPAM already logs the return value.
- make PAM_LOG use openpam_log()
- make PAM_VERBOSE_ERROR use openpam_get_option() and check flags for PAM_SILENT
- remove dummy functions since OpenPAM handles missing service functions
- fix various warnings
Sponsored by: DARPA, NAI Labs
|
#
94217 |
|
08-Apr-2002 |
des |
Remove debugging code that was inadvertently brought in by previous commit.
|
#
94216 |
|
08-Apr-2002 |
des |
Use OpenPAM's credential switching functions.
Sponsored by: DARPA, NAI Labs
|
#
93984 |
|
06-Apr-2002 |
des |
Aggressive cleanup of warnings + authtok-related code in preparation for PAMifying passwd(1).
Sponsored by: DARPA, NAI Labs.
|
#
93907 |
|
05-Apr-2002 |
des |
Remove some duplicate free()s and add some that were missing.
Submitted by: tmm
|
#
93875 |
|
05-Apr-2002 |
des |
pam_get_pass() -> pam_get_authtok()
|
#
93804 |
|
04-Apr-2002 |
des |
Upgrade to something quite close, but not identical, to version 1.6 of Andrew Korty's pam_ssh. The most notable difference is that this uses commas rather than colons to separate items in the "keyfiles" option.
Sponsored by: DARPA, NAI Labs
|
#
92297 |
|
14-Mar-2002 |
des |
NAI DBA update.
|
#
91714 |
|
05-Mar-2002 |
des |
Switch to OpenPAM. Bump library version. Modules are now versioned, so applications linked with Linux-PAM will still work. Remove pam_get_pass(); OpenPAM has pam_get_authtok(). Remove pam_prompt(); OpenPAM has pam_{,v}{error,info,prompt}(). Remove pam_set_item(3) man page as OpenPAM has its own.
Sponsored by: DARPA, NAI Labs
|
#
90229 |
|
05-Feb-2002 |
des |
#include cleanup.
Sponsored by: DARPA, NAI Labs
|
#
90195 |
|
04-Feb-2002 |
des |
ssh_get_authentication_connection() gets its parameters from environment variables, so temporarily switch to the PAM environment before calling it.
Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
|
#
89760 |
|
24-Jan-2002 |
markm |
WARNS=4 fixes. Protect with NO_WERROR for the modules that have warnings that are hard to fix or that I've been asked to leave alone.
|
#
89753 |
|
24-Jan-2002 |
des |
PAM modules shouldn't call putenv(); pam_putenv() is sufficient. The caller is supposed to check the PAM envlist and export the variables it contains; if it doesn't, it's broken.
Sponsored by: DARPA, NAI Labs
|
#
89703 |
|
23-Jan-2002 |
ru |
Make libssh.so useable (undefined reference to IPv4or6).
Reviewed by: des, markm Approved by: markm
|
#
87564 |
|
09-Dec-2001 |
des |
Back out previous commit.
Requested by: ru
|
#
87488 |
|
07-Dec-2001 |
des |
Get pam_mod_misc.h from .CURDIR rather than .OBJDIR or /usr/include.
Sponsored by: DARPA, NAI Labs
|
#
87398 |
|
05-Dec-2001 |
des |
Add dummy functions for all module types. These dummies return PAM_IGNORE rather than PAM_SUCCESS, so you'll get a failure if you list dummies but no real modules for a particular module chain.
Sponsored by: DARPA, NAI Labs
|
#
87098 |
|
29-Nov-2001 |
green |
Fix pam_ssh by adding an IPv4or6 (evidently, this was broken by my last OpenSSH import) declaration and strdup(3)ing a value which is later free(3)d, rather than letting the system try to free it invalidly.
|
#
84218 |
|
30-Sep-2001 |
dillon |
Add __FBSDID()s to libpam
|
#
81527 |
|
11-Aug-2001 |
markm |
Fix:
/usr/src/lib/libpam/modules/pam_ssh/pam_ssh.c has a couple of bugs which cause:
1) xdm dumps core
2) ssh1 private key is not passed to ssh-agent
3) ssh2 RSA key seems not handled properly (just a guess from source)
4) ssh_get_authentication_connectionen() fails to get connection because of SSH_AUTH_SOCK not defined.
PR: 29609 Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
|
#
81476 |
|
10-Aug-2001 |
markm |
Code clean up; make logging same as other modules and fix warnings.
|
#
81143 |
|
04-Aug-2001 |
markm |
Fix style/consistency in Makefile and repair static module building.
Submitted by: bde(partially)
|
#
81036 |
|
02-Aug-2001 |
markm |
Repair the get/set UID() stuff so this works in both su(1) and login(1) modes.
|
#
80542 |
|
29-Jul-2001 |
markm |
(Re)Add an SSH module for PAM, heavily based on Andrew Korty's module from ports.
|
#
69590 |
|
05-Dec-2000 |
green |
Forgot to remove the old line in the last commit.
|
#
69130 |
|
25-Nov-2000 |
green |
In env_destroy(), it is a bad idea to env_swap(self, 0) to switch back to the original environ unconditionally. The setting of the variable to save the previous environ is conditional; it happens when ENV.e_committed is set. Therefore, don't try to swap the env back unless the previous env has been initialized.
PR: bin/22670 Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
|
#
69129 |
|
24-Nov-2000 |
billf |
Correct an argument to ssh_add_identity, this matches what is currently in ports/security/openssh/files/pam_ssh.c
PR: 22164 Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp> Reviewed by: green Approved by: green
|
#
63249 |
|
16-Jul-2000 |
peter |
Forced commit. This is to try and help folks that used the international crypto repo and have slightly different files but with the same version. cvsup in 'checkout mode' has no trouble with this, but cvs can get really silly about it.
|
#
61087 |
|
30-May-2000 |
kris |
Update to the version of pam_ssh corresponding to OpenSSH 2.1 (taken from the openssh port)
Submitted by: Hajimu UMEMOTO <ume@mahoroba.org>
|
#
60938 |
|
26-May-2000 |
jake |
Back out the previous change to the queue(3) interface. It was not discussed and should probably not happen.
Requested by: msmith and others
|
#
60833 |
|
23-May-2000 |
jake |
Change the way that the queue(3) structures are declared; don't assume that the type argument to *_HEAD and *_ENTRY is a struct.
Suggested by: phk Reviewed by: phk Approved by: mdodd
|
#
58772 |
|
29-Mar-2000 |
kris |
Fix a memory leak.
PR: 17360 Submitted by: Andrew J. Korty <ajk@iu.edu>
|
#
57496 |
|
26-Feb-2000 |
peter |
Redo this with a repo copy from the original file and reset the __PREFIX__ markers.
|
#
55166 |
|
28-Dec-1999 |
green |
Upgrade to the pam_ssh module, version 1.1.
(From the author:) Primarily, I have added built-in functions for manipulating the environment, so putenv() is no longer used. XDM and its variants should now work without modification. Note that the new code uses the macros in <sys/queue.h>.
Submitted by: Andrew J. Korty <ajk@iu.edu>
|
#
53874 |
|
29-Nov-1999 |
green |
Add the PAM SSH RSA key authentication module. For example, you can add, "login auth sufficient pam_ssh.so" to your /etc/pam.conf, and users with a ~/.ssh/identity can login(1) with their SSH key :)
PR: 15158 Submitted by: Andrew J. Korty <ajk@waterspout.com> Reviewed by: obrien
|