Commit 66719ee5 authored by Ed Maste's avatar Ed Maste
Browse files

Vendor import of OpenSSH 8.7p1

parent cbaad7c7
This source diff could not be displayed because it is too large. You can view the blob instead.
[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml)
[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml)
[![Upstream self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml)
[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh)
......@@ -22,6 +22,12 @@ LIBCRYPTOFLAGS=""
case "$config" in
default|sol64)
;;
c89)
CC="gcc"
CFLAGS="-Wall -std=c89 -pedantic -Werror=vla"
CONFIGFLAGS="--without-openssl --without-zlib"
TEST_TARGET=t-exec
;;
kitchensink)
CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
......@@ -36,15 +42,19 @@ case "$config" in
libedit)
CONFIGFLAGS="--with-libedit"
;;
pam-krb5)
CONFIGFLAGS="--with-pam --with-kerberos5"
SSHD_CONFOPTS="UsePam yes"
;;
*pam)
CONFIGFLAGS="--with-pam"
SSHD_CONFOPTS="UsePam yes"
;;
libressl-head)
LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl/head --with-rpath=-Wl,-rpath,"
libressl-*)
LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
;;
openssl-head)
LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl/head --with-rpath=-Wl,-rpath,"
openssl-*)
LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
;;
selinux)
CONFIGFLAGS="--with-selinux"
......@@ -104,11 +114,40 @@ case "$config" in
esac
case "${TARGET_HOST}" in
dfly58*|dfly60*)
# scp 3-way connection hangs on these so skip until sorted.
SKIP_LTESTS=scp3
;;
hurd)
SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
;;
minix3)
CC="clang"
LIBCRYPTOFLAGS="--without-openssl"
# Minix does not have a loopback interface so we have to skip any
# test that relies on it.
TEST_TARGET=t-exec
SKIP_LTESTS="addrmatch cfgparse key-options reexec agent connect"
SKIP_LTESTS="$SKIP_LTESTS keyscan rekey allow-deny-users connect-uri"
SKIP_LTESTS="$SKIP_LTESTS knownhosts-command sftp-uri brokenkeys"
SKIP_LTESTS="$SKIP_LTESTS exit-status login-timeout stderr-data"
SKIP_LTESTS="$SKIP_LTESTS cfgmatch forward-control multiplex transfer"
SKIP_LTESTS="$SKIP_LTESTS cfgmatchlisten forwarding reconfigure"
SUDO=""
;;
nbsd4)
# System compiler will ICE on some files with fstack-protector
CONFIGFLAGS="${CONFIGFLAGS} --without-hardening"
;;
sol10|sol11)
# sol10 VM is 32bit and the unit tests are slow.
# sol11 has 4 test configs so skip unit tests to speed up.
TEST_TARGET="tests SKIP_UNIT=1"
;;
win10)
# No sudo on Windows.
SUDO=""
;;
esac
# If we have a local openssl/libressl, use that.
......@@ -123,4 +162,9 @@ fi
CONFIGFLAGS="${CONFIGFLAGS} ${LIBCRYPTOFLAGS}"
export LTESTS SUDO TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS
if [ -x "$(which plink 2>/dev/null)" ]; then
REGRESS_INTEROP_PUTTY=yes
export REGRESS_INTEROP_PUTTY
fi
export CC CFLAGS LTESTS SUDO TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS
#!/usr/bin/env bash
#!/bin/sh
. .github/configs $1 $2
. .github/configs $1
[ -z "${SUDO}" ] || ${SUDO} mkdir -p /var/empty
set -ex
output_failed_logs() {
for i in regress/failed*; do
if [ -f "$i" ]; then
echo -------------------------------------------------------------------------
echo LOGFILE $i
cat $i
echo -------------------------------------------------------------------------
fi
done
}
trap output_failed_logs 0
if [ -z "${LTESTS}" ]; then
make ${TEST_TARGET} SKIP_LTESTS="${SKIP_LTESTS}"
result=$?
else
make ${TEST_TARGET} SKIP_LTESTS="${SKIP_LTESTS}" LTESTS="${LTESTS}"
result=$?
fi
if [ ! -z "${SSHD_CONFOPTS}" ]; then
echo "rerunning tests with TEST_SSH_SSHD_CONFOPTS='${SSHD_CONFOPTS}'"
make t-exec TEST_SSH_SSHD_CONFOPTS="${SSHD_CONFOPTS}"
result2=$?
if [ "${result2}" -ne 0 ]; then
result="${result2}"
echo "rerunning t-exec with TEST_SSH_SSHD_CONFOPTS='${SSHD_CONFOPTS}'"
if [ -z "${LTESTS}" ]; then
make t-exec SKIP_LTESTS="${SKIP_LTESTS}" TEST_SSH_SSHD_CONFOPTS="${SSHD_CONFOPTS}"
else
make t-exec SKIP_LTESTS="${SKIP_LTESTS}" LTESTS="${LTESTS}" TEST_SSH_SSHD_CONFOPTS="${SSHD_CONFOPTS}"
fi
fi
if [ "$result" -ne "0" ]; then
for i in regress/failed*; do
echo -------------------------------------------------------------------------
echo LOGFILE $i
cat $i
echo -------------------------------------------------------------------------
done
fi
#!/usr/bin/env bash
#!/bin/sh
case $(./config.guess) in
*-darwin*)
......@@ -24,7 +24,7 @@ fi
for TARGET in $TARGETS; do
case $TARGET in
default|without-openssl|without-zlib)
default|without-openssl|without-zlib|c89)
# nothing to do
;;
kerberos5)
......@@ -47,11 +47,25 @@ for TARGET in $TARGETS; do
hardenedmalloc)
INSTALL_HARDENED_MALLOC=yes
;;
openssl-head)
INSTALL_OPENSSL_HEAD=yes
openssl-noec)
INSTALL_OPENSSL=OpenSSL_1_1_1k
SSLCONFOPTS="no-ec"
;;
openssl-*)
INSTALL_OPENSSL=$(echo ${TARGET} | cut -f2 -d-)
case ${INSTALL_OPENSSL} in
1.*) INSTALL_OPENSSL="OpenSSL_$(echo ${INSTALL_OPENSSL} | tr . _)" ;;
3.*) INSTALL_OPENSSL="openssl-${INSTALL_OPENSSL}" ;;
esac
PACKAGES="${PACKAGES} putty-tools"
;;
libressl-head)
INSTALL_LIBRESSL_HEAD=yes
libressl-*)
INSTALL_LIBRESSL=$(echo ${TARGET} | cut -f2 -d-)
case ${INSTALL_LIBRESSL} in
master) ;;
*) INSTALL_LIBRESSL="v$(echo ${TARGET} | cut -f2 -d-)" ;;
esac
PACKAGES="${PACKAGES} putty-tools"
;;
valgrind*)
PACKAGES="$PACKAGES valgrind"
......@@ -62,7 +76,7 @@ for TARGET in $TARGETS; do
esac
done
if [ "yes" == "$INSTALL_FIDO_PPA" ]; then
if [ "yes" = "$INSTALL_FIDO_PPA" ]; then
sudo apt update -qq
sudo apt install software-properties-common
sudo apt-add-repository ppa:yubico/stable
......@@ -80,18 +94,22 @@ if [ "${INSTALL_HARDENED_MALLOC}" = "yes" ]; then
make -j2 && sudo cp libhardened_malloc.so /usr/lib/)
fi
if [ "${INSTALL_OPENSSL_HEAD}" = "yes" ];then
if [ ! -z "${INSTALL_OPENSSL}" ]; then
(cd ${HOME} &&
git clone https://github.com/openssl/openssl.git &&
cd ${HOME}/openssl &&
./config no-threads no-engine no-fips no-shared --prefix=/opt/openssl/head &&
make -j2 && sudo make install_sw)
git checkout ${INSTALL_OPENSSL} &&
./config no-threads shared ${SSLCONFOPTS} \
--prefix=/opt/openssl &&
make && sudo make install_sw)
fi
if [ "${INSTALL_LIBRESSL_HEAD}" = "yes" ];then
if [ ! -z "${INSTALL_LIBRESSL}" ]; then
(mkdir -p ${HOME}/libressl && cd ${HOME}/libressl &&
git clone https://github.com/libressl-portable/portable.git &&
cd ${HOME}/libressl/portable && sh update.sh && sh autogen.sh &&
./configure --prefix=/opt/libressl/head &&
make -j2 && sudo make install_sw)
cd ${HOME}/libressl/portable &&
git checkout ${INSTALL_LIBRESSL} &&
sh update.sh && sh autogen.sh &&
./configure --prefix=/opt/libressl &&
make -j2 && sudo make install)
fi
......@@ -13,7 +13,7 @@ jobs:
fail-fast: false
matrix:
# First we test all OSes in the default configuration.
os: [ubuntu-20.04, ubuntu-18.04, ubuntu-16.04, macos-10.15]
os: [ubuntu-20.04, ubuntu-18.04, macos-10.15, macos-11.0]
configs: [default]
# Then we include any extra configs we want to test for specific VMs.
# Valgrind slows things down quite a bit, so start them first.
......@@ -23,11 +23,23 @@ jobs:
- { os: ubuntu-20.04, configs: valgrind-3 }
- { os: ubuntu-20.04, configs: valgrind-4 }
- { os: ubuntu-20.04, configs: valgrind-unit }
- { os: ubuntu-20.04, configs: c89 }
- { os: ubuntu-20.04, configs: pam }
- { os: ubuntu-20.04, configs: kitchensink }
- { os: ubuntu-20.04, configs: hardenedmalloc }
- { os: ubuntu-20.04, configs: libressl-head }
- { os: ubuntu-20.04, configs: openssl-head }
- { os: ubuntu-latest, configs: libressl-master }
- { os: ubuntu-latest, configs: libressl-2.2.9 }
- { os: ubuntu-latest, configs: libressl-2.8.3 }
- { os: ubuntu-latest, configs: libressl-3.0.2 }
- { os: ubuntu-latest, configs: libressl-3.2.5 }
- { os: ubuntu-latest, configs: openssl-master }
- { os: ubuntu-latest, configs: openssl-noec }
- { os: ubuntu-latest, configs: openssl-1.0.1 }
- { os: ubuntu-latest, configs: openssl-1.0.1u }
- { os: ubuntu-latest, configs: openssl-1.0.2u }
- { os: ubuntu-latest, configs: openssl-1.1.0h }
- { os: ubuntu-latest, configs: openssl-1.1.1 }
- { os: ubuntu-latest, configs: openssl-1.1.1k }
- { os: ubuntu-18.04, configs: pam }
- { os: ubuntu-18.04, configs: kerberos5 }
- { os: ubuntu-18.04, configs: libedit }
......@@ -35,9 +47,8 @@ jobs:
- { os: ubuntu-18.04, configs: selinux }
- { os: ubuntu-18.04, configs: kitchensink }
- { os: ubuntu-18.04, configs: without-openssl }
- { os: ubuntu-16.04, configs: pam }
- { os: ubuntu-16.04, configs: kitchensink }
- { os: macos-10.15, configs: pam }
- { os: macos-11.0, configs: pam }
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v2
......@@ -52,7 +63,6 @@ jobs:
- name: make tests
run: ./.github/run_test.sh ${{ matrix.configs }}
env:
SUDO: sudo
TEST_SSH_UNSAFE_PERMISSIONS: 1
- name: save logs
if: failure()
......
......@@ -10,27 +10,60 @@ jobs:
runs-on: ${{ matrix.os }}
env:
TARGET_HOST: ${{ matrix.os }}
SUDO: sudo
strategy:
fail-fast: false
# We use a matrix in two parts: firstly all of the VMs are tested with the
# default config. "vm" corresponds to a label associated with the worker.
# default config. "os" corresponds to a label associated with the worker.
matrix:
os: [bbone, dfly30, dfly48, dfly58, fbsd6, fbsd7, fbsd12, sol10, sol11]
os:
- ARM64
- bbone
- dfly30
- dfly48
- dfly58
- dfly60
- fbsd6
- fbsd10
- fbsd12
- fbsd13
- hurd
- minix3
# - nbsd2
- nbsd3
- nbsd4
- nbsd8
- nbsd9
- obsd51
- obsd67
- obsd68
- obsd69
- obsdsnap
- openindiana
# - rocky84
- sol10
- sol11
- win10
configs:
- default
# Then we include any extra configs we want to test for specific VMs.
include:
- { os: dfly30, configs: without-openssl}
- { os: dfly48, configs: pam }
- { os: dfly58, configs: pam }
- { os: fbsd6, configs: pam }
- { os: fbsd7, configs: pam }
- { os: fbsd12, configs: pam }
- { os: sol10, configs: pam }
- { os: sol11, configs: pam }
- { os: sol11, configs: sol64 }
# - { os: sol11, configs: sol64-pam }
- { os: ARM64, configs: pam }
- { os: dfly30, configs: without-openssl}
- { os: dfly48, configs: pam }
- { os: dfly58, configs: pam }
- { os: dfly60, configs: pam }
- { os: fbsd6, configs: pam }
- { os: fbsd10, configs: pam }
- { os: fbsd12, configs: pam }
- { os: fbsd13, configs: pam }
- { os: nbsd8, configs: pam }
- { os: nbsd9, configs: pam }
- { os: openindiana, configs: pam }
# - { os: rocky84, configs: pam }
- { os: sol10, configs: pam }
- { os: sol11, configs: pam-krb5 }
- { os: sol11, configs: sol64 }
# - { os: sol11, configs: sol64-pam }
steps:
- uses: actions/checkout@v2
- name: autoreconf
......
name: Upstream self-hosted
on:
push:
branches: [ master, ci ]
jobs:
selfhosted:
if: github.repository == 'openssh/openssh-portable-selfhosted'
runs-on: ${{ matrix.os }}
env:
TARGET_HOST: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ obsdsnap, obsdsnap-i386, obsd69, obsd68 ]
configs: [ default, without-openssl ]
steps:
- uses: actions/checkout@v2
- name: shutdown VM if running
run: vmshutdown
- name: startup VM
run: vmstartup
- name: update source
run: vmrun "cd /usr/src && cvs up -dPA usr.bin/ssh regress/usr.bin/ssh"
- name: make clean
run: vmrun "cd /usr/src/usr.bin/ssh && make obj && make clean"
- name: make
run: vmrun "cd /usr/src/usr.bin/ssh && if test '${{ matrix.configs }}' = 'without-openssl'; then make OPENSSL=no; else make; fi"
- name: make install
run: vmrun "cd /usr/src/usr.bin/ssh && sudo make install"
- name: make tests
run: vmrun "cd /usr/src/regress/usr.bin/ssh && make obj && make clean && if test '${{ matrix.configs }}' = 'without-openssl'; then make SUDO=sudo OPENSSL=no; else make SUDO=sudo; fi"
- name: save logs
if: failure()
uses: actions/upload-artifact@v2
with:
name: ${{ matrix.os }}-${{ matrix.configs }}-logs
path: |
/usr/obj/regress/usr.bin/ssh/*.log
- name: shutdown VM
if: always()
run: vmshutdown
This diff is collapsed.
......@@ -261,8 +261,8 @@ Replacing /etc/ssh with the correct path to the configuration directory.
(${prefix}/etc or whatever you specified with --sysconfdir during
configuration).
If you have configured OpenSSH with EGD support, ensure that EGD is
running and has collected some Entropy.
If you have configured OpenSSH with EGD/prngd support, ensure that EGD or
prngd is running and has collected some entropy first.
For more information on configuration, please refer to the manual pages
for sshd, ssh and ssh-agent.
......
......@@ -131,7 +131,9 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
sandbox-solaris.o uidswap.o $(SKOBJS)
SCP_OBJS= scp.o progressmeter.o
SFTP_CLIENT_OBJS=sftp-common.o sftp-client.o sftp-glob.o
SCP_OBJS= scp.o progressmeter.o $(SFTP_CLIENT_OBJS)
SSHADD_OBJS= ssh-add.o $(SKOBJS)
......@@ -149,7 +151,7 @@ SSHKEYSCAN_OBJS=ssh-keyscan.o $(SKOBJS)
SFTPSERVER_OBJS=sftp-common.o sftp-server.o sftp-server-main.o
SFTP_OBJS= sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
SFTP_OBJS= sftp.o progressmeter.o $(SFTP_CLIENT_OBJS)
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5
......@@ -235,7 +237,7 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
......@@ -648,7 +650,8 @@ UNITTESTS_TEST_MISC_OBJS=\
regress/unittests/misc/test_parse.o \
regress/unittests/misc/test_expand.o \
regress/unittests/misc/test_convtime.o \
regress/unittests/misc/test_argv.o
regress/unittests/misc/test_argv.o \
regress/unittests/misc/test_strdelim.o
regress/unittests/misc/test_misc$(EXEEXT): \
${UNITTESTS_TEST_MISC_OBJS} \
......@@ -701,7 +704,7 @@ regress-unit-binaries: regress-prep $(REGRESSLIBS) \
regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
regress/unittests/sshkey/test_sshkey$(EXEEXT) \
regress/unittests/sshsig/test_sshsig$(EXEEXT) \
regress/unittests/utf8/test_utf8$(EXEEXT) \
regress/unittests/utf8/test_utf8$(EXEEXT)
tests: file-tests t-exec interop-tests unit
echo all tests passed
......
......@@ -525,6 +525,25 @@ limits.
This extension is advertised in the SSH_FXP_VERSION hello with version
"1".
3.9. sftp: Extension request "expand-path@openssh.com"
This request supports canonicalisation of relative paths and
those that need tilde-expansion, i.e. "~", "~/..." and "~user/..."
These paths are expanded using shell-like rules and the resultant
path is canonicalised similarly to SSH2_FXP_REALPATH.
It is implemented as a SSH_FXP_EXTENDED request with the following
format:
uint32 id
string "expand-path@openssh.com"
string path
Its reply is the same format as that of SSH2_FXP_REALPATH.
This extension is advertised in the SSH_FXP_VERSION hello with version
"1".
4. Miscellaneous changes
4.1 Public key format
......@@ -556,4 +575,4 @@ OpenSSH's connection multiplexing uses messages as described in
PROTOCOL.mux over a Unix domain socket for communications between a
master instance and later clients.
$OpenBSD: PROTOCOL,v 1.41 2021/02/18 02:49:35 djm Exp $
$OpenBSD: PROTOCOL,v 1.42 2021/08/09 23:47:44 djm Exp $
......@@ -45,7 +45,7 @@ SHA-2 signatures (SHA-256 and SHA-512 respectively):
rsa-sha2-512-cert-v01@openssh.com
These RSA/SHA-2 types should not appear in keys at rest or transmitted
on their wire, but do appear in a SSH_MSG_KEXINIT's host-key algorithms
on the wire, but do appear in a SSH_MSG_KEXINIT's host-key algorithms
field or in the "public key algorithm name" field of a "publickey"
SSH_USERAUTH_REQUEST to indicate that the signature will use the
specified algorithm.
......@@ -159,12 +159,11 @@ p, q, g, y are the DSA parameters as described in FIPS-186-2.
curve and public key are respectively the ECDSA "[identifier]" and "Q"
defined in section 3.1 of RFC5656.
pk is the encoded Ed25519 public key as defined by
draft-josefsson-eddsa-ed25519-03.
pk is the encoded Ed25519 public key as defined by RFC8032.
serial is an optional certificate serial number set by the CA to
provide an abbreviated way to refer to certificates from that CA.
If a CA does not wish to number its certificates it must set this
If a CA does not wish to number its certificates, it must set this
field to zero.
type specifies whether this certificate is for identification of a user
......@@ -217,13 +216,13 @@ signature is computed over all preceding fields from the initial string
up to, and including the signature key. Signatures are computed and
encoded according to the rules defined for the CA's public key algorithm
(RFC4253 section 6.6 for ssh-rsa and ssh-dss, RFC5656 for the ECDSA
types), and draft-josefsson-eddsa-ed25519-03 for Ed25519.
types, and RFC8032 for Ed25519).
Critical options
----------------
The critical options section of the certificate specifies zero or more
options on the certificates validity. The format of this field
options on the certificate's validity. The format of this field
is a sequence of zero or more tuples:
string name
......@@ -234,7 +233,7 @@ sequence. Each named option may only appear once in a certificate.
The name field identifies the option and the data field encodes
option-specific information (see below). All options are
"critical", if an implementation does not recognise a option
"critical"; if an implementation does not recognise a option,
then the validating party should refuse to accept the certificate.
Custom options should append the originating author or organisation's
......@@ -256,10 +255,18 @@ source-address string Comma-separated list of source addresses
for authentication. Addresses are
specified in CIDR format (nn.nn.nn.nn/nn
or hhhh::hhhh/nn).
If this option is not present then
If this option is not present, then
certificates may be presented from any
source address.
verify-required empty Flag indicating that signatures made
with this certificate must assert FIDO
user verification (e.g. PIN or
biometric). This option only makes sense
for the U2F/FIDO security key types that
support this feature in their signature
formats.
Extensions
----------
......@@ -280,11 +287,11 @@ their data fields are:
Name Format Description
-----------------------------------------------------------------------------
no-presence-required empty Flag indicating that signatures made
no-touch-required empty Flag indicating that signatures made
with this certificate need not assert
user presence. This option only make
sense for the U2F/FIDO security key
types that support this feature in
FIDO user presence. This option only
makes sense for the U2F/FIDO security
key types that support this feature in
their signature formats.
permit-X11-forwarding empty Flag indicating that X11 forwarding
......@@ -298,7 +305,7 @@ permit-agent-forwarding empty Flag indicating that agent forwarding
permit-port-forwarding empty Flag indicating that port-forwarding
should be allowed. If this option is
not present then no port forwarding will
not present, then no port forwarding will
be allowed.
permit-pty empty Flag indicating that PTY allocation
......@@ -311,4 +318,4 @@ permit-user-rc empty Flag indicating that execution of
of this script will not be permitted if
this option is not present.
$OpenBSD: PROTOCOL.certkeys,v 1.17 2019/11/25 00:57:51 djm Exp $
$OpenBSD: PROTOCOL.certkeys,v 1.19 2021/06/05 13:47:00 naddy Exp $
......@@ -35,9 +35,9 @@ of the cipher block size.
uint32 checkint
uint32 checkint
string privatekey1
byte[] privatekey1
string comment1
string privatekey2
byte[] privatekey2
string comment2
...
string privatekeyN
......@@ -48,6 +48,9 @@ of the cipher block size.
...
char padlen % 255
where each private key is encoded using the same rules as used for
SSH agent.
Before the key is encrypted, a random integer is assigned
to both checkint fields so successful decryption can be
quickly checked by verifying that both checkint fields
......@@ -65,4 +68,4 @@ For unencrypted keys the cipher "none" and the KDF "none"
are used with empty passphrases. The options if the KDF "none"
are the empty string.
$OpenBSD: PROTOCOL.key,v 1.1 2013/12/06 13:34:54 markus Exp $
$OpenBSD: PROTOCOL.key,v 1.2 2021/05/07 02:29:40 djm Exp $
See https://www.openssh.com/releasenotes.html#8.6p1 for the release notes.
See https://www.openssh.com/releasenotes.html#8.7p1 for the release notes.
Please read https://www.openssh.com/report.html for bug reporting
instructions and note that we do not use Github for bug reporting or
......