[openssh-commits] [openssh] branch master updated (95344c25 -> 7d68e262)
git+noreply at mindrot.org
Tue Jul 3 23:39:37 AEST 2018
This is an automated email from the git hooks/post-receive script.
djm pushed a change to branch master
in repository openssh.
from 95344c25 upstream: allow sshd_config PermitUserEnvironment to accept a
new 4ba0d547 upstream: Improve strictness and control over RSA-SHA2 signature
new 2f30300c upstream: crank version number to 7.8; needed for new compat flag
new d78b75df upstream: check correct variable; unbreak agent keys
new b4d4eda6 upstream: some finesse to fix RSA-SHA2 certificate authentication
new 7d68e262 depend
The 5 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.
Detailed log of new commits:
commit 7d68e262944c1fff1574600fe0e5e92ec8b398f5
Author: Damien Miller <djm at mindrot.org>
Date: Tue Jul 3 23:27:11 2018 +1000
depend
commit b4d4eda633af433d20232cbf7e855ceac8b83fe5
Author: djm at openbsd.org <djm at openbsd.org>
Date: Tue Jul 3 13:20:25 2018 +0000
upstream: some finesse to fix RSA-SHA2 certificate authentication
for certs hosted in ssh-agent
OpenBSD-Commit-ID: e5fd5edd726137dda2d020e1cdebc464110a010f
commit d78b75df4a57e0f92295f24298e5f2930e71c172
Author: djm at openbsd.org <djm at openbsd.org>
Date: Tue Jul 3 13:07:58 2018 +0000
upstream: check correct variable; unbreak agent keys
OpenBSD-Commit-ID: c36981fdf1f3ce04966d3310826a3e1e6233d93e
commit 2f30300c5e15929d0e34013f38d73e857f445e12
Author: djm at openbsd.org <djm at openbsd.org>
Date: Tue Jul 3 11:42:12 2018 +0000
upstream: crank version number to 7.8; needed for new compat flag
for prior version; part of RSA-SHA2 strictification, ok markus@
OpenBSD-Commit-ID: 84a11fc0efd2674c050712336b5093f5d408e32b
commit 4ba0d54794814ec0de1ec87987d0c3b89379b436
Author: djm at openbsd.org <djm at openbsd.org>
Date: Tue Jul 3 11:39:54 2018 +0000
upstream: Improve strictness and control over RSA-SHA2 signature

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@

OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
Summary of changes:
.depend | 4 +-
PROTOCOL.certkeys | 20 +++-
auth2-hostbased.c | 5 +-
auth2-pubkey.c | 13 +-
authfd.c | 24 ++--
compat.c | 28 +++--
compat.h | 4 +-
kex.c | 17 +--
kex.h | 4 +-
myproposal.h | 4 +-
ssh-rsa.c | 60 +++++++---
ssh_config.5 | 13 +-
sshconnect2.c | 348 ++++++++++++++++++++++++++++++++++--------------------
sshd.c | 63 +++++-----
sshd_config.5 | 11 +-
ssherr.c | 4 +-
ssherr.h | 3 +-
sshkey.c | 104 ++++++++++++----
sshkey.h | 5 +-
version.h | 4 +-
20 files changed, 478 insertions(+), 260 deletions(-)
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
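The server-side check described in commit 4ba0d547, sketched as an added example that is not OpenSSH's own code: it reads the format name at the front of an SSH signature blob and accepts it only if it is the one implied by the algorithm named in the authentication request. The function names, the `allowed` policy column and the sample blobs are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Requested algorithm -> signature format it must carry. "allowed" is a
 * hypothetical stand-in for a PubkeyAcceptedKeyTypes list banning RSA-SHA1. */
static const struct { const char *req, *sig; int allowed; } alg_map[] = {
    { "ssh-rsa", "ssh-rsa", 0 },
    { "rsa-sha2-256", "rsa-sha2-256", 1 },
    { "rsa-sha2-512", "rsa-sha2-512", 1 },
    { "ssh-rsa-cert-v01@openssh.com", "ssh-rsa", 0 },
    { "rsa-sha2-256-cert-v01@openssh.com", "rsa-sha2-256", 1 },
    { "rsa-sha2-512-cert-v01@openssh.com", "rsa-sha2-512", 1 },
};
/* Constructed blobs: string(format name) + string(2 placeholder bytes). */
static const uint8_t sample_sha1_sig[] = { 0,0,0,7, 's','s','h','-','r','s','a', 0,0,0,2, 0xAA,0xBB };
static const uint8_t sample_sha256_sig[] = { 0,0,0,12, 'r','s','a','-','s','h','a',
    '2','-','2','5','6', 0,0,0,2, 0xAA,0xBB };

/* Read the leading SSH string (uint32 big-endian length, then bytes). */
static int sig_format(const uint8_t *b, size_t len, const uint8_t **name, size_t *nlen)
{
    uint32_t n;
    if (len < 4) return -1;
    n = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
    if (n == 0 || n > len - 4) return -1;   /* declared length must fit in the blob */
    *name = b + 4; *nlen = n;
    return 0;
}

/* Returns 1 only if req_alg is allowed and the blob names the format it
 * implies. The signature itself is not verified here. */
int sig_matches_request(const char *req_alg, const uint8_t *blob, size_t len)
{
    const uint8_t *name;
    size_t nlen, i;
    if (sig_format(blob, len, &name, &nlen) != 0)
        return 0;
    for (i = 0; i < sizeof(alg_map) / sizeof(alg_map[0]); i++)
        if (strcmp(alg_map[i].req, req_alg) == 0)
            return alg_map[i].allowed && strlen(alg_map[i].sig) == nlen &&
                memcmp(alg_map[i].sig, name, nlen) == 0;
    return 0;   /* unknown algorithm name */
}

int main(void)
{
    printf("RSA-SHA1 blob accepted for rsa-sha2-256 request: %d\n",
        sig_matches_request("rsa-sha2-256", sample_sha1_sig, sizeof(sample_sha1_sig)));
    return 0;
}
```

The mismatch case in `main` corresponds to the agent fallback the commit message mentions: the request names rsa-sha2-256 but the blob carries an ssh-rsa (RSA-SHA1) signature, so the check rejects it.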