Commit Graph

215 Commits

Author SHA1 Message Date
djm@openbsd.org
a34e14a5a0 upstream: move subprocess() from auth.c to misc.c
make privilege dropping optional but allow it via callbacks (to avoid
need to link uidswap.c everywhere)

add some other flags (keep environment, disable strict path safety check)
that make this more useful for client-side use.

feedback & ok markus@

OpenBSD-Commit-ID: a80ea9fdcc156f1a18e9c166122c759fae1637bf
2020-12-22 15:43:59 +11:00
djm@openbsd.org
b4c7cd1185 upstream: load_hostkeys()/hostkeys_foreach() variants for FILE*
Add load_hostkeys_file() and hostkeys_foreach_file() that accept a
FILE* argument instead of opening the file directly.

Original load_hostkeys() and hostkeys_foreach() are implemented using
these new interfaces.

Add a u_int note field to the hostkey_entry and hostkey_foreach_line
structs that is passed directly from the load_hostkeys() and
hostkeys_foreach() call. This is a lightweight way to annotate results
between different invocations of load_hostkeys().

ok markus@

OpenBSD-Commit-ID: 6ff6db13ec9ee4edfa658b2c38baad0f505d8c20
2020-12-21 10:52:28 +11:00
djm@openbsd.org
816036f142 upstream: use the new variant log macros instead of prepending
__func__ and appending ssh_err(r) manually; ok markus@

OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8
2020-10-18 23:46:29 +11:00
djm@openbsd.org
793b583d09 upstream: LogVerbose keyword for ssh and sshd
Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@

OpenBSD-Commit-ID: c294c25732d1b4fe7e345cb3e044df00531a6356
2020-10-17 00:43:17 +11:00
djm@openbsd.org
801c9f095e upstream: support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@

OpenBSD-Commit-ID: 3a2313aae153e043d57763d766bb6d55c4e276e6
2020-08-27 11:28:36 +10:00
djm@openbsd.org
c2bd7f74b0 upstream: Add a sshd_config "Include" directive to allow inclusion
of files. This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub Jelen in
bz2468; feedback and ok markus@

OpenBSD-Commit-ID: 36ed0e845b872e33f03355b936a4fff02d5794ff
2020-02-01 10:20:24 +11:00
dtucker@openbsd.org
3bf2a6ac79 upstream: Replace all calls to signal(2) with a wrapper around
sigaction(2). This wrapper blocks all other signals during the handler
preventing races between handlers, and sets SA_RESTART which should reduce
the potential for short read/write operations.

OpenBSD-Commit-ID: 5e047663fd77a40d7b07bdabe68529df51fd2519
2020-01-23 18:51:25 +11:00
tobhe@openbsd.org
f65cf1163f upstream: strdup may return NULL if memory allocation fails. Use
the safer xstrdup which fatals on allocation failures.

ok markus@

OpenBSD-Commit-ID: 8b608d387120630753cbcb8110e0b019c0c9a0d0
2019-12-20 14:25:08 +11:00
djm@openbsd.org
2e71263b80 upstream: add a "no-touch-required" option for authorized_keys and
a similar extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched their
key to authorize them.

feedback deraadt, ok markus

OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e
2019-11-25 12:23:40 +11:00
djm@openbsd.org
76ed219949 upstream: potential NULL dereference for revoked hostkeys; reported
by krishnaiah bommu

OpenBSD-Commit-ID: 35ff685e7cc9dd2e3fe2e3dfcdcb9bc5c79f6506
2019-10-16 17:08:38 +11:00
djm@openbsd.org
d0c3ac427f upstream: remove some duplicate #includes
OpenBSD-Commit-ID: ed6827ab921eff8027669848ef4f70dc1da4098c
2019-10-02 10:43:47 +10:00
djm@openbsd.org
be02d7cbde upstream: lots of things were relying on libcrypto headers to
transitively include various system headers (mostly stdlib.h); include them
explicitly

OpenBSD-Commit-ID: 5b522f4f2d844f78bf1cc4f3f4cc392e177b2080
2019-09-06 17:54:21 +10:00
deraadt@openbsd.org
4d28fa78ab upstream: When system calls indicate an error they return -1, not
some arbitrary value < 0.  errno is only updated in this case.  Change all
(most?) callers of syscalls to follow this better, and let's see if this
strictness helps us in the future.

OpenBSD-Commit-ID: 48081f00db7518e3b712a49dca06efc2a5428075
2019-07-05 11:10:39 +10:00
Darren Tucker
79a87d3278 Remove "struct ssh" from sys_auth_record_login.
It's not needed, and is not available from the call site in loginrec.c
Should only affect AIX, spotted by Kevin Brott.
2019-04-03 06:27:45 +11:00
Corinna Vinschen
f02afa350a Revert "[auth.c] On Cygwin, refuse usernames that have differences in case"
This reverts commit acc9b29486.

Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
2019-02-22 15:04:16 +11:00
Damien Miller
9b655dc9c9 last bits of old packet API / active_state global 2019-01-20 14:55:27 +11:00
Damien Miller
08f66d9f17 remove vestiges of old packet API from loginrec.c 2019-01-20 09:58:45 +11:00
djm@openbsd.org
3a00a92159 upstream: convert auth.c to new packet API
with & ok markus@

OpenBSD-Commit-ID: 7e10359f614ff522b52a3f05eec576257794e8e4
2019-01-20 09:45:17 +11:00
djm@openbsd.org
172a592a53 upstream: convert servconf.c to new packet API
with & ok markus@

OpenBSD-Commit-ID: 126553aecca302c9e02fd77e333b9cb217e623b4
2019-01-20 09:02:44 +11:00
djm@openbsd.org
0fa174ebe1 upstream: begin landing remaining refactoring of packet parsing
API, started almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@

OpenBSD-Commit-ID: 93c98a6b38f6911fd1ae025a1ec57807fb4d4ef4
2019-01-20 09:02:10 +11:00
djm@openbsd.org
943d096526 upstream: include time.h for time(3)/nanosleep(2); from Ian
McKellar

OpenBSD-Commit-ID: 6412ccd06a88f65b207a1089345f51fa1244ea51
2019-01-17 15:47:24 +11:00
Kevin Adler
a784fa8c7a Don't pass loginmsg by address now that it's an sshbuf*
In 120a1ec74, loginmsg was changed from the legacy Buffer type
to struct sshbuf*, but it missed changing calls to
sys_auth_allowed_user and sys_auth_record_login which passed
loginmsg by address. Now that it's a pointer, just pass it directly.

This only affects AIX, unless there are out of tree users.
2018-12-13 16:31:36 +11:00
djm@openbsd.org
2a35862e66 upstream: use path_absolute() for pathname checks; from Manoj Ampalam
OpenBSD-Commit-ID: 482ce71a5ea5c5f3bc4d00fd719481a6a584d925
2018-11-16 14:37:33 +11:00
djm@openbsd.org
50e2687ee0 upstream: log certificate fingerprint in authentication
success/failure message (previously we logged only key ID and CA key
fingerprint).

ok markus@

OpenBSD-Commit-ID: a8ef2d172b7f1ddbcce26d6434b2de6d94f6c05d
2018-09-12 16:48:18 +10:00
martijn@openbsd.org
5dc4c59d54 upstream: s/wuth/with/ in comment
OpenBSD-Commit-ID: 9de41468afd75f54a7f47809d2ad664aa577902c
2018-07-12 11:47:57 +10:00
Damien Miller
120a1ec74e Adapt portable to legacy buffer API removal 2018-07-10 19:39:52 +10:00
markus@openbsd.org
c7d39ac8dc upstream: sshd: switch authentication to sshbuf API; ok djm@
OpenBSD-Commit-ID: 880aa06bce4b140781e836bb56bec34873290641
2018-07-10 15:27:43 +10:00
djm@openbsd.org
93c06ab6b7 upstream: permitlisten option for authorized_keys; ok markus@
OpenBSD-Commit-ID: 8650883018d7aa893173d703379e4456a222c672
2018-06-07 04:27:20 +10:00
djm@openbsd.org
9c935dd9bf upstream: make UID available as a %-expansion everywhere that the
username is available currently. In the client this is via %i, in the server
%U (since %i was already used in the client in some places for this, but used
for something different in the server); bz#2870, ok dtucker@

OpenBSD-Commit-ID: c7e912b0213713316cb55db194b3a6415b3d4b95
2018-06-01 13:35:59 +10:00
djm@openbsd.org
fbb4b5fd4f upstream: Do not ban PTY allocation when a sshd session is restricted
because the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner

OpenBSD-Commit-ID: 9fc09c584c6f1964b00595e3abe7f83db4d90d73
2018-05-25 17:12:04 +10:00
djm@openbsd.org
bf0fbf2b11 upstream: add valid-before="[time]" authorized_keys option. A
simple way of giving a key an expiry date. ok markus@

OpenBSD-Commit-ID: 1793b4dd5184fa87f42ed33c7b0f4f02bc877947
2018-03-14 18:55:32 +11:00
djm@openbsd.org
7c85685760 upstream: switch over to the new authorized_keys options API and
remove the legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@

OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df
2018-03-03 14:37:16 +11:00
markus@openbsd.org
25cf9105b8 upstream commit
move subprocess() so scp/sftp do not need uidswap.o; ok
djm@

OpenBSD-Commit-ID: 6601b8360388542c2e5fef0f4085f8e54750bea8
2018-01-23 16:32:57 +11:00
djm@openbsd.org
dbee4119b5 upstream commit
refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@

Upstream-ID: 11828f161656b965cc306576422613614bea2d8f
2017-09-12 17:37:02 +10:00
djm@openbsd.org
de4ae07f12 upstream commit
Move several subprocess-related functions from various
locations to misc.c. Extend subprocess() to offer a little more control over
stdio disposition.

feedback & ok dtucker@

Upstream-ID: 3573dd7109d13ef9bd3bed93a3deb170fbfce049
2017-08-23 19:47:06 +10:00
djm@openbsd.org
8f57495927 upstream commit
refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@

Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
2017-06-24 16:56:11 +10:00
markus@openbsd.org
54d90ace1d upstream commit
switch from Key typedef with struct sshkey; ok djm@

Upstream-ID: 3067d33e04efbe5131ce8f70668c47a58e5b7a1f
2017-05-31 10:47:31 +10:00
djm@openbsd.org
54cd41a466 upstream commit
allow LogLevel in sshd_config Match blocks; ok dtucker
bz#2717

Upstream-ID: 662e303be63148f47db1aa78ab81c5c2e732baa8
2017-05-17 11:25:22 +10:00
dtucker@openbsd.org
fe06b68f82 upstream commit
Add missing braces in DenyUsers code.  Patch from zev at
bewilderbeest.net, ok deraadt@

Upstream-ID: d747ace338dcf943b077925f90f85f789714b54e
2016-12-16 13:12:18 +11:00
djm@openbsd.org
1a6f9d2e24 upstream commit
unbreak DenyUsers; reported by henning@

Upstream-ID: 1c67d4148f5e953c35acdb62e7c08ae8e33f7cb2
2016-11-10 10:33:51 +11:00
djm@openbsd.org
010359b326 upstream commit
Validate address ranges for AllowUser/DenyUsers at
configuration load time and refuse to accept bad ones. It was previously
possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and
these would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)

Upstream-ID: 9dfcdd9672b06e65233ea4434c38226680d40bfb
2016-11-06 16:48:29 +11:00
markus@openbsd.org
6cb6dcffe1 upstream commit
remove ssh1 server code; ok djm@

Upstream-ID: c24c0c32c49b91740d5a94ae914fb1898ea5f534
2016-08-14 11:19:14 +10:00
dtucker@openbsd.org
e690fe8575 upstream commit
Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message
about forward and reverse DNS not matching.  We haven't supported IP-based
auth methods for a very long time so it's now misleading.  part of bz#2585,
ok markus@

Upstream-ID: 5565ef0ee0599b27f0bd1d3bb1f8a323d8274e29
2016-06-15 12:06:33 +10:00
Darren Tucker
885fb2a44f auth_get_canonical_hostname in portable code.
"refactor canohost.c" replaced get_canonical_hostname, this makes the
same change to some portable-specific code.
2016-03-08 11:58:43 +11:00
djm@openbsd.org
95767262ca upstream commit
refactor canohost.c: move functions that cache results closer
 to the places that use them (authn and session code). After this, no state is
 cached in canohost.c

feedback and ok markus@

Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
2016-03-08 06:20:35 +11:00
djm@openbsd.org
32a181980c upstream commit
fix inverted logic that broke PermitRootLogin; reported
 by Mantas Mikulenas; ok markus@

Upstream-ID: 260dd6a904c1bb7e43267e394b1c9cf70bdd5ea5
2015-08-21 13:43:25 +10:00
deraadt@openbsd.org
1dc8d93ce6 upstream commit
add prohibit-password as a synonymn for without-password,
 since the without-password is causing too many questions.  Harden it to ban
 all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from
 djm, ok markus

Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
2015-08-11 18:57:29 +10:00
djm@openbsd.org
7e8528cad0 upstream commit
make handling of AuthorizedPrincipalsFile=none more
 consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
2015-05-10 11:54:56 +10:00
djm@openbsd.org
6f621603f9 upstream commit
don't leak validity of user in "too many authentication
 failures" disconnect message; reported by Sebastian Reitenbach
2015-02-26 04:32:08 +11:00
deraadt@openbsd.org
087266ec33 upstream commit
Reduce use of <sys/param.h> and transition to <limits.h>
 throughout. ok djm markus
2015-01-26 23:58:53 +11:00