* Implement server-side support for sk-ecdsa U2F-backed keys
* Fix out-of-bounds read on normal ecdsa-sha2-[identifier] keys
* Fix one more potential out-of-bounds read
* Check if nistp256 curve is used in sk-ecdsa-sha2- key
It's the only allowed curve per PROTOCOL.u2f specification
* Implement server-side support for sk-ed25519 FIDO2-backed keys
* Keys with type sk-* make no sense as host keys, so they should be
disabled
* fix typo
* Make sk-ecdsa call buf_ecdsa_verify
This reduces code duplication, the SK code just handles the
different message format.
* Reduce sk specific code
The application id can be stored in signkey, then we don't need
to call sk-specific functions from svr-authpubkey
* Remove debugging output, which causes compilation errors with DEBUG_TRACE disabled
* Proper cleanup of sk_app
Co-authored-by: Matt Johnston <matt@codeconstruct.com.au>
* Implement server-side support for sk-ecdsa U2F-backed keys
* Fix out-of-bounds read on normal ecdsa-sha2-[identifier] keys
* Fix one more potential out-of-bounds read
* Check if nistp256 curve is used in sk-ecdsa-sha2- key
It's the only allowed curve per PROTOCOL.u2f specification
* Implement server-side support for sk-ed25519 FIDO2-backed keys
* Keys with type sk-* make no sense as host keys, so they should be
disabled
* fix typo
* Make sk-ecdsa call buf_ecdsa_verify
This reduces code duplication, the SK code just handles the
different message format.
* Reduce sk specific code
The application id can be stored in signkey, then we don't need
to call sk-specific functions from svr-authpubkey
* Remove debugging output, which causes compilation errors with DEBUG_TRACE disabled
* Proper cleanup of sk_app
Co-authored-by: Matt Johnston <matt@codeconstruct.com.au>
Currently dbclient uses the value of HOME by default when looking for
~/.ssh/known_hosts, falling back to /etc/passwd if HOME is not set (so
that people can work around broken values in /etc/passwd).
However, when locating the default authentication key (defaults to
~/.ssh/id_dropbear), paths not starting with / are always prefixed with
the value from /etc/passwd.
Make the behaviour consistent by adjusting expand_homedir_path to use
the value of HOME, falling back to /etc/passwd if HOME is not set.
This handles the case where a svrchansess has separate FDs
for nopty, but a single FD for pty mode.
The use of sepfds was also previously incorrect for X11 and
agent forwarding
Remove the "!!" chars from message when printing the key-fingerprint, as it's
confusing users. They have been added when switching from MD5, but SHA1 can be
considered as standard today.
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
tcpip-forward request can include hostname, which is later resolved by getaddrinfo() call.
Dropbear incorrectly assumes tcpip-forward includes only IP(v4) address. Fix this.
