Commit Graph

291 Commits

Author SHA1 Message Date
djm@openbsd.org
86e5737c39 upstream: Add sshd_config CASignatureAlgorithms option to allow
control over which signature algorithms a CA may use when signing
certificates. In particular, this allows a sshd to ban certificates signed
with RSA/SHA1.

ok markus@

OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac
2018-09-20 14:00:29 +10:00
Damien Miller
87f08be054 Remove support for S/Key
Most people will 1) be using modern multi-factor authentication methods
like TOTP/OATH etc and 2) be getting support for multi-factor
authentication via PAM or BSD Auth.
2018-07-31 12:59:30 +10:00
djm@openbsd.org
472269f8fe upstream: slightly-clearer description for AuthenticationMethods - the
lists have comma-separated elements; bz#2663 from Hans Meier

OpenBSD-Commit-ID: 931c983d0fde4764d0942fb2c2b5017635993b5a
2018-07-20 15:02:52 +10:00
djm@openbsd.org
312d2f2861 upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSA
signature work - returns ability to add/remove/specify algorithms by
wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@

OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
2018-07-04 23:51:52 +10:00
djm@openbsd.org
4ba0d54794 upstream: Improve strictness and control over RSA-SHA2 signature
In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@

OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
2018-07-03 23:26:36 +10:00
djm@openbsd.org
95344c2574 upstream: allow sshd_config PermitUserEnvironment to accept a
pattern-list of whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@

OpenBSD-Commit-ID: 77dc2b468e0bf04b53f333434ba257008a1fdf24
2018-07-03 21:01:30 +10:00
jmc@openbsd.org
f535ff922a upstream: spelling;
OpenBSD-Commit-ID: db542918185243bea17202383a581851736553cc
2018-06-26 08:30:43 +10:00
djm@openbsd.org
87ddd676da upstream: allow bare port numbers to appear in PermitListen directives,
e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@

OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24
2018-06-19 13:00:50 +10:00
djm@openbsd.org
1678d42364 upstream: slightly better wording re handing of $TERM, from Jakub
Jelen via bz2386

OpenBSD-Commit-ID: 14bea3f069a93c8be66a7b97794255a91fece964
2018-06-11 09:50:06 +10:00
djm@openbsd.org
28013759f0 upstream: add a SetEnv directive for sshd_config to allow an
administrator to explicitly specify environment variables set in sessions
started by sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@

OpenBSD-Commit-ID: b6a96c0001ccd7dd211df6cae9e961c20fd718c0
2018-06-09 13:11:00 +10:00
djm@openbsd.org
7082bb58a2 upstream: add a SetEnv directive to ssh_config that allows setting
environment variables for the remote session (subject to the server accepting
them)

refactor SendEnv to remove the arbitrary limit of variable names.

ok markus@

OpenBSD-Commit-ID: cfbb00d9b0e10c1ffff1d83424351fd961d1f2be
2018-06-09 13:11:00 +10:00
jmc@openbsd.org
6ff6fda705 upstream: tweak previous;
OpenBSD-Commit-ID: f98f16af10b28e24bcecb806cb71ea994b648fd6
2018-06-09 13:10:59 +10:00
djm@openbsd.org
04df43208b upstream: man bits for PermitListen
OpenBSD-Commit-ID: 35b200cba4e46a16a4db6a80ef11838ab0fad67c
2018-06-07 04:27:21 +10:00
jmc@openbsd.org
e8d59fef10 upstream: add missing punctuation after %i in ssh_config.5, and
make the grammatical format in sshd_config.5 match that in ssh_config.5;

OpenBSD-Commit-ID: e325663b9342f3d556e223e5306e0d5fa1a74fa0
2018-06-04 14:54:43 +10:00
jmc@openbsd.org
a1f737d6a9 upstream: oops - further adjustment to text neccessary;
OpenBSD-Commit-ID: 23585576c807743112ab956be0fb3c786bdef025
2018-06-04 14:54:43 +10:00
jmc@openbsd.org
2940284934 upstream: %U needs to be escaped; tweak text;
OpenBSD-Commit-ID: 30887b73ece257273fb619ab6f4e86dc92ddc15e
2018-06-04 14:54:43 +10:00
djm@openbsd.org
9c935dd9bf upstream: make UID available as a %-expansion everywhere that the
username is available currently. In the client this is via %i, in the server
%U (since %i was already used in the client in some places for this, but used
for something different in the server); bz#2870, ok dtucker@

OpenBSD-Commit-ID: c7e912b0213713316cb55db194b3a6415b3d4b95
2018-06-01 13:35:59 +10:00
jmc@openbsd.org
f41bcd70f5 upstream: correct keyowrd name (permitemptypasswords); from brendan
macdonell

OpenBSD-Commit-ID: ef1bdbc936b2ea693ee37a4c20a94d4d43f5fda3
2018-05-22 10:15:18 +10:00
jmc@openbsd.org
3e36f28185 upstream: tweak previous;
OpenBSD-Commit-ID: 2b9c23022ea7b9dddb62864de4e906000f9d7474
2018-04-10 10:16:36 +10:00
job@openbsd.org
5ee8448ad7 upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for
interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavanger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@

OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
2018-04-06 14:20:33 +10:00
djm@openbsd.org
680321f3eb upstream: Mention recent DH KEX methods:
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512

From Jakub Jelen via bz#2826

OpenBSD-Commit-ID: 51bf769f06e55447f4bfa7306949e62d2401907a
2018-02-16 13:42:09 +11:00
djm@openbsd.org
88c50a5ae2 upstream: stop loading DSA keys by default, remove sshd_config
stanza and manpage bits; from Colin Watson via bz#2662, ok dtucker@

OpenBSD-Commit-ID: d33a849f481684ff655c140f5eb1b4acda8c5c09
2018-02-16 13:35:28 +11:00
djm@openbsd.org
62562ceae6 upstream commit
clarify IgnoreUserKnownHosts; based on github PR from
Christoph Anton Mitterer.

OpenBSD-Commit-ID: 4fff2c17620c342fb2f1f9c2d2e679aab3e589c3
2018-02-10 17:55:31 +11:00
jmc@openbsd.org@openbsd.org
68d3bbb2e6 upstream commit
mark up the rdomain keyword;

OpenBSD-Commit-ID: 1b597d0ad0ad20e94dbd61ca066057e6f6313b8a
2017-10-31 09:08:50 +11:00
jmc@openbsd.org@openbsd.org
7530e77bdc upstream commit
simplify macros in previous, and some minor tweaks;

OpenBSD-Commit-ID: 6efeca3d8b095b76e21b484607d9cc67ac9a11ca
2017-10-31 09:08:50 +11:00
djm@openbsd.org
68af80e6fd upstream commit
add a "rdomain" criteria for the sshd_config Match
keyword to allow conditional configuration that depends on which rdomain(4) a
connection was recevied on. ok markus@

Upstream-ID: 27d8fd5a3f1bae18c9c6e533afdf99bff887a4fb
2017-10-25 12:26:21 +11:00
djm@openbsd.org
35eb33fb95 upstream commit
add sshd_config RDomain keyword to place sshd and the
subsequent user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@

Upstream-ID: be2358e86346b5cacf20d90f59f980b87d1af0f5
2017-10-25 12:26:13 +11:00
djm@openbsd.org
acf559e1cf upstream commit
Add optional rdomain qualifier to sshd_config's
ListenAddress option to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4

Upstream-ID: 24b6622c376feeed9e9be8b9605e593695ac9091
2017-10-25 12:26:06 +11:00
jmc@openbsd.org
071325f458 upstream commit
trim permitrootlogin description somewhat, to avoid
ambiguity; original diff from walter alejandro iglesias, tweaked by sthen and
myself

ok sthen schwarze deraadt

Upstream-ID: 1749418b2bc073f3fdd25fe21f8263c3637fe5d2
2017-10-20 12:01:03 +11:00
benno@openbsd.org
cfa46825b5 upstream commit
clarify the order in which config statements are used. ok
jmc@ djm@

Upstream-ID: e37e27bb6bbac71315e22cb9690fd8a556a501ed
2017-10-20 12:01:03 +11:00
jmc@openbsd.org
5fa1407e16 upstream commit
tweak EposeAuthinfo; diff from lars nooden

tweaked by sthen; ok djm dtucker

Upstream-ID: 8f2ea5d2065184363e8be7a0ba24d98a3b259748
2017-10-01 05:24:18 +11:00
jmc@openbsd.org
ff3c423840 upstream commit
remove blank line;

Upstream-ID: 2f46b51a0ddb3730020791719e94d3e418e9f423
2017-09-04 09:38:57 +10:00
djm@openbsd.org
8042bad97e upstream commit
document available AuthenticationMethods; bz#2453 ok
dtucker@

Upstream-ID: 2c70576f237bb699aff59889dbf2acba4276d3d0
2017-09-04 09:38:57 +10:00
djm@openbsd.org
51676ec614 upstream commit
Allow IPQoS=none in ssh/sshd to not set an explicit
ToS/DSCP value and just use the operating system default; ok dtucker@

Upstream-ID: 77906ff8c7b660b02ba7cb1e47b17d66f54f1f7e
2017-07-24 14:48:47 +10:00
jmc@openbsd.org
1f3d202770 upstream commit
man pages with pseudo synopses which list filenames end
up creating very ugly output in man -k; after some discussion with ingo, we
feel the simplest fix is to remove such SYNOPSIS sections: the info is hardly
helpful at page top, is contained already in FILES, and there are
sufficiently few that just zapping them is simple;

ok schwarze, who also helpfully ran things through a build to check
output;

Upstream-ID: 3e211b99457e2f4c925c5927d608e6f97431336c
2017-07-21 14:17:33 +10:00
djm@openbsd.org
f17ee61cad upstream commit
correct env var name

Upstream-ID: 721e761c2b1d6a4dcf700179f16fd53a1dadb313
2017-06-24 17:28:48 +10:00
jmc@openbsd.org
40962198e3 upstream commit
spelling;

Upstream-ID: 606f933c8e2d0be902ea663946bc15e3eee40b25
2017-06-24 17:28:48 +10:00
djm@openbsd.org
8f57495927 upstream commit
refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@

Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
2017-06-24 16:56:11 +10:00
djm@openbsd.org
54cd41a466 upstream commit
allow LogLevel in sshd_config Match blocks; ok dtucker
bz#2717

Upstream-ID: 662e303be63148f47db1aa78ab81c5c2e732baa8
2017-05-17 11:25:22 +10:00
djm@openbsd.org
acaf34fd82 upstream commit
As promised in last release announcement: remove
support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@

Upstream-ID: 21f8facdba3fd8da248df6417000867cec6ba222
2017-05-08 09:21:00 +10:00
djm@openbsd.org
66705948c0 upstream commit
Mark the sshd_config UsePrivilegeSeparation option as
deprecated, effectively making privsep mandatory in sandboxing mode. ok
markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).

Upstream-ID: b4c52666256c4dd865f8ce9431af5d6ce2d74a0a
2017-03-15 11:09:18 +11:00
djm@openbsd.org
68bc8cfa76 upstream commit
support =- for removing methods from algorithms lists,
e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like
it" markus@

Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d
2017-02-04 10:08:15 +11:00
jmc@openbsd.org
a1187bd3ef upstream commit
keep the tokens list sorted;

Upstream-ID: b96239dae4fb3aa94146bb381afabcc7740a1638
2017-01-30 11:05:18 +11:00
dtucker@openbsd.org
0999533014 upstream commit
Re-add '%k' token for AuthorizedKeysCommand which was
lost during the re-org in rev 1.235.  bz#2656, from jboning at gmail.com.

Upstream-ID: 2884e203c02764d7b3fe7472710d9c24bdc73e38
2017-01-30 11:05:18 +11:00
djm@openbsd.org
7844f357cd upstream commit
Add a sshd_config DisableForwaring option that disables
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as
anything else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@

Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
2016-11-30 19:44:01 +11:00
markus@openbsd.org
f0ddedee46 upstream commit
allow ClientAlive{Interval,CountMax} in Match; ok dtucker,
djm

Upstream-ID: 8beb4c1eadd588f1080b58932281983864979f55
2016-11-24 16:07:26 +11:00
jmc@openbsd.org
aae4dbd4c0 upstream commit
tidy up the formatting in this file. more specifically,
replace .Dq, which looks appalling, with .Cm, where appropriate;

Upstream-ID: ff8e90aa0343d9bb56f40a535e148607973cc738
2016-10-10 14:27:12 +11:00
djm@openbsd.org
4577adead6 upstream commit
restore pre-auth compression support in the client -- the
previous commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@

Upstream-ID: d23696ed72a228dacd4839dd9f2dec424ba2016b
2016-09-29 06:54:50 +10:00
jmc@openbsd.org
de6a175a99 upstream commit
organise the token stuff into a separate section; ok
markus for an earlier version of the diff ok/tweaks djm

Upstream-ID: 81a6daa506a4a5af985fce7cf9e59699156527c8
2016-09-24 05:39:37 +10:00
djm@openbsd.org
16277fc45f upstream commit
mention curve25519-sha256 KEX

Upstream-ID: 33ae1f433ce4795ffa6203761fbdf86e0d7ffbaf
2016-09-24 05:39:37 +10:00