Age | Commit message | Author | |
---|---|---|---|
2017-02-15 | Introduce extra delay before closing unauthenticated sessions | Thomas De Schampheleire | |
To make it harder for attackers, introduce a delay to keep an unauthenticated session open a bit longer, thus blocking a connection slot until after the delay. Without this, while there is a limit on the amount of attempts an attacker can make at the same time (MAX_UNAUTH_PER_IP), the time taken by dropbear to handle one attempt is still short and thus for each of the allowed parallel attempts many attempts can be chained one after the other. The attempt rate is then: "MAX_UNAUTH_PER_IP / <process time of one attempt>". With the delay, this rate becomes: "MAX_UNAUTH_PER_IP / UNAUTH_CLOSE_DELAY". | |||
2020-12-03 | fuzz: make postauth set authdone properly | Matt Johnston | |
2020-05-24 | send and handle SSH_MSG_EXT_INFO only at the correct point | Matt Johnston | |
- other fixes for rsa pubkey auth - only include ext-info handling when rsa pubkey auth is compiled | |||
2020-05-19 | ext-info handling for server-sig-algs | Matt Johnston | |
only client side is handled | |||
2020-03-18 | Handle early exit when addrstring isn't set | Matt Johnston | |
2020-03-18 | Improve address logging on early exit messages (#83) | Kevin Darbyshire-Bryant | |
Change 'Early exit' and 'Exit before auth' messages to include the IP address & port as part of the message. This allows log scanning utilities such as 'fail2ban' to obtain the offending IP address as part of the failure event instead of extracting the PID from the message and then scanning the log again for match 'child connection from' messages. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> | |||
2019-05-15 | Rename EPKA -> Plugin | Matt Johnston | |
2019-05-15 | External Public-Key Authentication API (#72) | fabriziobertocci | |
* Implemented dynamic loading of an external plug-in shared library to delegate public key authentication * Moved conditional compilation of the plugin infrastructure into the configure.ac script to be able to add -ldl to dropbear build only when the flag is enabled * Added tags file to the ignore list * Updated API to have the constructor to return function pointers in the plugin instance. Added support for passing user name to the checkpubkey function. Added options to the session returned by the plugin and have dropbear to parse and process them * Added -rdynamic to the linker flags when EPKA is enabled * Changed the API to pass a previously created session to the checkPubKey function (created during preauth) * Added documentation to the API * Added parameter addrstring to plugin creation function * Modified the API to retrieve the auth options. Instead of having them as field of the EPKASession struct, they are stored internally (plugin-dependent) in the plugin/session and retrieved through a pointer to a function (in the session) * Changed option string to be a simple char * instead of unsigned char * | |||
2018-02-28 | Fix to be able to compile normal(ish) binaries with --enable-fuzz | Matt Johnston | |
--HG-- branch : fuzz | |||
2018-02-28 | - #if not #ifdef for DROPBEAR_FUZZ | Matt Johnston | |
- fix some unused variables --HG-- branch : fuzz | |||
2018-02-26 | merge from main | Matt Johnston | |
--HG-- branch : fuzz | |||
2018-02-26 | make group1 client-only | Matt Johnston | |
2018-02-17 | merge from main | Matt Johnston | |
--HG-- branch : fuzz | |||
2018-02-14 | make signal flags volatile, simplify handling | Matt Johnston | |
2017-06-14 | merge from main | Matt Johnston | |
--HG-- branch : fuzz | |||
2017-06-01 | Add a flag whether to longjmp, missed that last commit | Matt Johnston | |
--HG-- branch : fuzz | |||
2017-06-02 | when pointer, use NULL instead of 0 | Francois Perrad | |
2017-05-20 | glaring wrapfd problems fixed | Matt Johnston | |
--HG-- branch : fuzz | |||
2017-05-18 | merge main to fuzz | Matt Johnston | |
--HG-- branch : fuzz | |||
2017-05-13 | fuzz harness | Matt Johnston | |
--HG-- branch : fuzz | |||
2017-05-12 | copy over some fuzzing code from AFL branch | Matt Johnston | |
--HG-- branch : fuzz | |||
2016-07-21 | merge 2016.74 | Matt Johnston | |
2016-05-04 | Convert #ifdef to #if, other build changes | Matt Johnston | |
2016-07-11 | Improve exit message formatting | Matt Johnston | |
2016-03-16 | fix empty C prototypes | Francois Perrad | |
2016-01-05 | Fix print format specifier | Chocobo1 | |
2015-12-15 | A few minor style fixes | Matt Johnston | |
2015-12-15 | Moved usingsyslog from svr_runopts to runopts. | Konstantin Tokarev | |
2015-08-03 | Fix problem where auth timeout wasn't checked when waiting for ident | Matt Johnston | |
2015-05-03 | Make sure kexfirstinitialise is called early enough | Matt Johnston | |
2015-02-24 | Some additional cleanup functions | Matt Johnston | |
2015-02-24 | Free memory before exiting. Based on patch from Thorsten Horstmann. | Matt Johnston | |
Client side is not complete. | |||
2014-08-19 | Make keepalive handling more robust, this should now match what OpenSSH does | Matt Johnston | |
2014-08-13 | Don't send SSH_MSG_UNIMPLEMENTED for keepalive responses | Matt Johnston | |
2014-07-09 | Fix auth timeout regression | Matt Johnston | |
2014-07-09 | Make -K keepalive behave like OpenSSH's ServerAliveInterval | Matt Johnston | |
2014-03-13 | Add new monotonic_now() wrapper so that timeouts are unaffected by | Matt Johnston | |
system clock changes | |||
2013-12-03 | Fix disabling DSS key | Matt Johnston | |
2013-11-14 | rename random.h to dbrandom.h since some OSes have a system random.h | Matt Johnston | |
--HG-- rename : random.c => dbrandom.c rename : random.h => dbrandom.h | |||
2013-05-21 | merge in HEAD | Matt Johnston | |
--HG-- branch : ecc | |||
2013-05-03 | ecdsa is working | Matt Johnston | |
--HG-- branch : ecc | |||
2013-04-09 | start on ecdsa keys | Matt Johnston | |
--HG-- branch : ecc | |||
2013-04-03 | merge kexguess branch | Matt Johnston | |
2013-04-01 | Run the cleanup handler also when we close due to TCP connection being closed | Matt Johnston | |
2013-03-31 | merge | Matt Johnston | |
--HG-- branch : kexguess | |||
2013-03-31 | send out our kexinit packet before blocking to read the SSH version string | Matt Johnston | |
2013-03-30 | Get rid of client/server specific buf_match_algo, use single | Matt Johnston | |
function with a couple of if statements instead --HG-- branch : kexguess | |||
2012-06-29 | Improve RNG seeding. | Matt Johnston | |
Try to read from /dev/urandom multiple times, take input from extra sources, and use /dev/random when generating private keys | |||
2012-05-09 | - Don't send SSH_MSG_UNIMPLEMENTED if we don't have ENABLE_SVR_REMOTETCPFWD | Matt Johnston | |
- Fix build if ENABLE_SVR_REMOTETCPFWD is disabled but ENABLE_SVR_LOCALTCPFWD is enabled | |||
2012-04-09 | Rename HAVE_FORK to USE_VFORK | Matt Johnston | |
It makes it a bit more obvious why there's a test there since HAVE_FORK is the normal case. |