Commit Graph

243 Commits

Author SHA1 Message Date
djm@openbsd.org
073f45c236 upstream: Explicitly check for and start time-based rekeying in the
client and server mainloops.

Previously the rekey timeout could expire but rekeying would not start
until a packet was sent or received. This could cause us to spin in
select() on the rekey timeout if the connection was quiet.

ok markus@

OpenBSD-Commit-ID: 4356cf50d7900f3df0a8f2117d9e07c91b9ff987
2021-07-16 19:21:04 +10:00
dtucker@openbsd.org
4bdf7a0479 upstream: Replace SIGCHLD/notify_pipe kludge with pselect.
Previously sshd's SIGCHLD handler would wake up select() by writing a
byte to notify_pipe.  We can remove this by blocking SIGCHLD, checking
for child terminations then passing the original signal mask through
to pselect.  This ensures that the pselect will immediately wake up if
a child terminates between wait()ing on them and the pselect.

In -portable, for platforms that do not have pselect the kludge is still
there but is hidden behind a pselect interface.

Based on other changes for bz#2158, ok djm@

OpenBSD-Commit-ID: 202c85de0b3bdf1744fe53529a05404c5480d813
2021-06-25 15:14:58 +10:00
Damien Miller
2dc328023f sshd don't exit on transient read errors
openssh-8.5 introduced a regression that would cause sshd to exit
because of transient read errors on the network socket (e.g. EINTR,
EAGAIN). Reported by balu.gajjala AT gmail.com via bz3297
2021-04-14 11:42:55 +10:00
djm@openbsd.org
31d8d231eb upstream: highly polished whitespace, mostly fixing spaces-for-tab
and bad indentation on continuation lines. Prompted by GHPR#185

OpenBSD-Commit-ID: e5c81f0cbdcc6144df1ce468ec1bac366d8ad6e9
2021-04-03 17:23:02 +11:00
djm@openbsd.org
39be3dc209 upstream: make ssh->kex->session_id a sshbuf instead of u_char*/size_t
and use that instead of global variables containing copies of it. feedback/ok
markus@

OpenBSD-Commit-ID: a4b1b1ca4afd2e37cb9f64f737b30a6a7f96af68
2021-01-27 21:10:57 +11:00
djm@openbsd.org
816036f142 upstream: use the new variant log macros instead of prepending
__func__ and appending ssh_err(r) manually; ok markus@

OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8
2020-10-18 23:46:29 +11:00
djm@openbsd.org
183c4aaef9 upstream: start ClientAliveInterval bookkeeping before first pass
through select() loop; fixed theoretical case where busy sshd may ignore
timeouts from client; inspired by and ok dtucker

OpenBSD-Commit-ID: 96bfc4b1f86c7da313882a84755b2b47eb31957f
2020-07-03 17:03:53 +10:00
djm@openbsd.org
afeb6a960d upstream: use sshpkt_fatal() instead of plain fatal() for
ssh_packet_write_poll() failures here too as the former yields better error
messages; ok dtucker@

OpenBSD-Commit-ID: 1f7a6ca95bc2b716c2e948fc1370753be772d8e3
2020-01-30 18:22:34 +11:00
djm@openbsd.org
69334996ae upstream: make sshd_config:ClientAliveCountMax=0 disable the
connection killing behaviour, rather than killing the connection after
sending the first liveness test probe (regardless of whether the client was
responsive) bz2627; ok markus

OpenBSD-Commit-ID: 5af79c35f4c9fa280643b6852f524bfcd9bccdaf
2020-01-26 10:15:13 +11:00
djm@openbsd.org
0ecd20bc9f upstream: unrevert this:
> revision 1.217
> date: 2019/11/27 03:34:04;  author: dtucker;  state: Exp;  lines: +5 -7;  commitid: wkiMn49XJyjzoJIs;
> Make channel_id u_int32_t and remove unnecessary check and cast that were
> left over from the type conversion.  Noted by t-hashida@amiya.co.jp in
> bz#3098, ok markus@ djm@

Darren was right the first time; ok dtucker@ "agreed" markus@

OpenBSD-Commit-ID: 641dd1b99a6bbd85b7160da462ae1be83432c7c8
2020-01-25 15:51:20 +11:00
dtucker@openbsd.org
3bf2a6ac79 upstream: Replace all calls to signal(2) with a wrapper around
sigaction(2). This wrapper blocks all other signals during the handler
preventing races between handlers, and sets SA_RESTART which should reduce
the potential for short read/write operations.

OpenBSD-Commit-ID: 5e047663fd77a40d7b07bdabe68529df51fd2519
2020-01-23 18:51:25 +11:00
dtucker@openbsd.org
6e1d1bbf5a upstream: Revert previous commit. The channels code still uses int
in many places for channel ids so the INT_MAX check still makes sense.

OpenBSD-Commit-ID: 532e4b644791b826956c3c61d6ac6da39bac84bf
2019-11-28 09:38:11 +11:00
dtucker@openbsd.org
70ec5e5e26 upstream: Make channel_id u_int32_t and remove unnecessary check
and cast that were left over from the type conversion.  Noted by
t-hashida@amiya.co.jp in bz#3098, ok markus@ djm@

OpenBSD-Commit-ID: 3ad105b6a905284e780b1fd7ff118e1c346e90b5
2019-11-27 16:02:46 +11:00
deraadt@openbsd.org
4d28fa78ab upstream: When system calls indicate an error they return -1, not
some arbitrary value < 0.  errno is only updated in this case.  Change all
(most?) callers of syscalls to follow this better, and let's see if this
strictness helps us in the future.

OpenBSD-Commit-ID: 48081f00db7518e3b712a49dca06efc2a5428075
2019-07-05 11:10:39 +10:00
djm@openbsd.org
21da87f439 upstream: fix interaction between ClientAliveInterval and RekeyLimit
that could cause connection to close incorrectly; Report and patch from Jakub
Jelen in bz#2757; ok dtucker@ markus@

OpenBSD-Commit-ID: 17229a8a65bd8e6c2080318ec2b7a61e1aede3fb
2019-03-27 20:30:58 +11:00
dtucker@openbsd.org
ab5fee8eb6 upstream: Reset last-seen time when sending a keepalive. Prevents
sending two keepalives successively and prematurely terminating connection
when ClientAliveCount=1.  While there, collapse two similar tests into one.
ok markus@

OpenBSD-Commit-ID: 043670d201dfe222537a2a4bed16ce1087de5ddd
2019-03-08 14:58:30 +11:00
djm@openbsd.org
135e302cfd upstream: fix error in refactor: use ssh_packet_disconnect() instead of
sshpkt_error(). The first one logs the error and exits (what we want) instead
of just logging and blundering on.

OpenBSD-Commit-ID: 39f51b43641dce9ce0f408ea6c0e6e077e2e91ae
2019-01-20 09:45:18 +11:00
djm@openbsd.org
04c091fc19 upstream: remove last references to active_state
with & ok markus@

OpenBSD-Commit-ID: 78619a50ea7e4ca2f3b54d4658b3227277490ba2
2019-01-20 09:45:18 +11:00
djm@openbsd.org
7ec5cb4d15 upstream: convert serverloop.c to new packet API
with & ok markus@

OpenBSD-Commit-ID: c92dd19b55457541478f95c0d6b318426d86d885
2019-01-20 09:45:17 +11:00
djm@openbsd.org
0fa174ebe1 upstream: begin landing remaining refactoring of packet parsing
API, started almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@

OpenBSD-Commit-ID: 93c98a6b38f6911fd1ae025a1ec57807fb4d4ef4
2019-01-20 09:02:10 +11:00
dtucker@openbsd.org
73ddb25bae upstream: Remove uid checks from low port binds. Now that ssh
cannot be setuid and sshd always has privsep on, we can remove the uid checks
for low port binds and just let the system do the check. We leave a sanity
check for the !privsep case so long as the code is stil there.  with & ok
djm@

OpenBSD-Commit-ID: 9535cfdbd1cd54486fdbedfaee44ce4367ec7ca0
2018-07-31 12:18:49 +10:00
markus@openbsd.org
5467fbcb09 upstream: remove legacy key emulation layer; ok djm@
OpenBSD-Commit-ID: 2b1f9619259e222bbd4fe9a8d3a0973eafb9dd8d
2018-07-12 13:18:25 +10:00
markus@openbsd.org
c3cb7790e9 upstream: sshd: switch config to sshbuf API; ok djm@
OpenBSD-Commit-ID: 72b02017bac7feac48c9dceff8355056bea300bd
2018-07-10 15:25:25 +10:00
djm@openbsd.org
027607fc2d upstream: fix some over-long lines and __func__ up some debug
messages

OpenBSD-Commit-ID: c70a60b4c8207d9f242fc2351941ba50916bb267
2018-06-09 13:10:59 +10:00
djm@openbsd.org
7c85685760 upstream: switch over to the new authorized_keys options API and
remove the legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@

OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df
2018-03-03 14:37:16 +11:00
Darren Tucker
389125b25d Replace remaining mysignal() with signal().
These seem to have been missed during the replacement of mysignal
with #define signal in commit 5ade9ab.  Both include the requisite
headers to pick up the #define.
2018-02-15 22:06:26 +11:00
dtucker@openbsd.org
05046d907c upstream Don't reset signal handlers inside handlers.
The signal handlers from the original ssh1 code on which OpenSSH
is based assume unreliable signals and reinstall their handlers.
Since OpenBSD (and pretty much every current system) has reliable
signals this is not needed.  In the unlikely even that -portable
is still being used on such systems we will deal with it in the
compat layer.  ok deraadt@

OpenBSD-Commit-ID: f53a1015cb6908431b92116130d285d71589612c
2018-02-13 09:29:09 +11:00
Darren Tucker
3c51143c63 Whitespace sync with upstream. 2018-02-13 09:07:29 +11:00
djm@openbsd.org
14b5c635d1 upstream commit
Drop compatibility hacks for some ancient SSH
implementations, including ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@

OpenBSD-Commit-ID: 4be81c67db57647f907f4e881fb9341448606138
2018-01-23 16:40:29 +11:00
djm@openbsd.org
7860731ef1 upstream commit
unbreak hostkey rotation; attempting to sign with a
desired signature algorithm of kex->hostkey_alg is incorrect when the key
type isn't capable of making those signatures. ok markus@

OpenBSD-Commit-ID: 35ae46864e1f5859831ec0d115ee5ea50953a906
2017-12-19 15:21:37 +11:00
djm@openbsd.org
04c7e28f83 upstream commit
pass negotiated signing algorithm though to
sshkey_verify() and check that the negotiated algorithm matches the type in
the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@

OpenBSD-Commit-ID: 735fb15bf4adc060d3bee9d047a4bcaaa81b1af9
2017-12-19 15:21:37 +11:00
dtucker@openbsd.org
48c23a39a8 upstream commit
Put remote client info back into the ClientAlive
connection termination message.  Based in part on diff from  lars.nooden at
gmail, ok djm

OpenBSD-Commit-ID: 80a0f619a29bbf2f32eb5297a69978a0e05d0ee0
2017-12-12 10:32:04 +11:00
djm@openbsd.org
b7548b12a6 upstream commit
Expose devices allocated for tun/tap forwarding.

At the client, the device may be obtained from a new %T expansion
for LocalCommand.

At the server, the allocated devices will be listed in a
SSH_TUNNEL variable exposed to the environment of any user sessions
started after the tunnel forwarding was established.

ok markus

Upstream-ID: e61e53f8ae80566e9ddc0d67a5df5bdf2f3c9f9e
2017-10-23 16:14:30 +11:00
Damien Miller
871f1e4374 adapt portable to channels API changes 2017-09-12 18:01:35 +10:00
djm@openbsd.org
9f53229c2a upstream commit
Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@

Upstream-ID: b9f4cd3dc53155b4a5c995c0adba7da760d03e73
2017-09-12 17:37:03 +10:00
djm@openbsd.org
dbee4119b5 upstream commit
refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@

Upstream-ID: 11828f161656b965cc306576422613614bea2d8f
2017-09-12 17:37:02 +10:00
djm@openbsd.org
71e5a536ec upstream commit
pass packet state down to some of the channels function
(more to come...); ok markus@

Upstream-ID: d8ce7a94f4059d7ac1e01fb0eb01de0c4b36c81b
2017-09-04 09:38:57 +10:00
dtucker@openbsd.org
42a8f8bc28 upstream commit
Tweak previous keepalive commit: if last_time + keepalive
<= now instead of just "<" so client_alive_check will fire if the select
happens to return on exact second of the timeout.  ok djm@

Upstream-ID: e02756bd6038d11bb8522bfd75a4761c3a684fcc
2017-08-12 16:47:10 +10:00
dtucker@openbsd.org
b60ff20051 upstream commit
Keep track of the last time we actually heard from the
client and use this to also schedule a client_alive_check().  Prevents
activity on a forwarded port from indefinitely preventing the select timeout
so that client_alive_check() will eventually (although not optimally) be
called.

Analysis by willchan at google com via bz#2756, feedback & ok djm@

Upstream-ID: c08721e0bbda55c6d18e2760f3fe1b17fb71169e
2017-08-12 16:47:10 +10:00
markus@openbsd.org
92e9fe6331 upstream commit
remove now obsolete ctx from ssh_dispatch_run; ok djm@

Upstream-ID: 9870aabf7f4d71660c31fda91b942b19a8e68d29
2017-06-01 14:53:33 +10:00
markus@openbsd.org
2ae666a8fc upstream commit
protocol handlers all get struct ssh passed; ok djm@

Upstream-ID: 0ca9ea2a5d01a6d2ded94c5024456a930c5bfb5d
2017-05-31 10:50:05 +10:00
dtucker@openbsd.org
858252fb1d upstream commit
Return true reason for port forwarding failures where
feasible rather than always "administratively prohibited".  bz#2674, ok djm@

Upstream-ID: d901d9887951774e604ca970e1827afaaef9e419
2017-02-03 14:23:24 +11:00
djm@openbsd.org
51045869fa upstream commit
unbreak Unix domain socket forwarding for root; ok
markus@

Upstream-ID: 6649c76eb7a3fa15409373295ca71badf56920a2
2017-01-30 11:05:18 +11:00
djm@openbsd.org
b737e4d743 upstream commit
disable Unix-domain socket forwarding when privsep is
disabled

Upstream-ID: ab61516ae0faadad407857808517efa900a0d6d0
2016-12-14 11:51:52 +11:00
djm@openbsd.org
7844f357cd upstream commit
Add a sshd_config DisableForwaring option that disables
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as
anything else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@

Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
2016-11-30 19:44:01 +11:00
dtucker@openbsd.org
1c4ef0b808 upstream commit
Factor out "can bind to low ports" check into its own function.  This will
make it easier for Portable to support platforms with permissions models
other than uid==0 (eg bz#2625).  ok djm@, "doesn't offend me too much"
deraadt@.

Upstream-ID: 86213df4183e92b8f189a6d2dac858c994bfface
2016-10-24 10:42:57 +11:00
deraadt@openbsd.org
9136ec134c upstream commit
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then
use those definitions rather than pulling <sys/param.h> and unknown namespace
pollution. ok djm markus dtucker

Upstream-ID: 712cafa816c9f012a61628b66b9fbd5687223fb8
2016-09-12 13:46:29 +10:00
markus@openbsd.org
6cb6dcffe1 upstream commit
remove ssh1 server code; ok djm@

Upstream-ID: c24c0c32c49b91740d5a94ae914fb1898ea5f534
2016-08-14 11:19:14 +10:00
Darren Tucker
5f41f030e2 Remove NO_IPPORT_RESERVED_CONCEPT
Replace by defining IPPORT_RESERVED to zero on Cygwin, which should have
the same effect without causing problems syncing patches with OpenBSD.
Resync the two affected functions with OpenBSD.  ok djm, sanity checked
by Corinna.
2016-04-08 21:21:27 +10:00
djm@openbsd.org
95767262ca upstream commit
refactor canohost.c: move functions that cache results closer
 to the places that use them (authn and session code). After this, no state is
 cached in canohost.c

feedback and ok markus@

Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
2016-03-08 06:20:35 +11:00