Commit Graph

425 Commits

Author SHA1 Message Date
djm@openbsd.org
0bf6e5bb75
upstream: reduce logingrace penalty.
A single forgotton login that times out should be below the penalty
threshold.

ok deraadt/claudio

OpenBSD-Commit-ID: cee1f7d17597c97bff8e5092af5d136fdb08f81d
2024-07-26 09:49:08 +10:00
Damien Miller
b2c64bc170
add a sshd_config PamServiceName option
Allows selecting which PAM service name to use when UsePAM is
enabled. Defaults to "sshd" unless overridden at compile time
by defining SSHD_PAM_SERVICE.

bz2102, ok dtucker@
2024-06-14 14:20:54 +10:00
djm@openbsd.org
4de80ff4e6
upstream: split PerSourcePenalties address tracking. Previously it
used one shared table and overflow policy for IPv4 and IPv6 addresses, now it
will use separate tables and optionally different overflow policies.

This prevents misbehaviour from IPv6 addresses (which are vastly easier
to obtain many of) from affecting IPv4 connections and may allow for
stricter overflow policies.

ok deraadt@

OpenBSD-Commit-ID: 12637ed0aa4d5f1f3e702da42ea967cbd8bfdfd9
2024-06-13 08:36:41 +10:00
djm@openbsd.org
a59634c7ad
upstream: correct error message
OpenBSD-Commit-ID: 581f60f73099083392887206860229ab104620ed
2024-06-11 11:26:50 +10:00
djm@openbsd.org
0e0c69761a
upstream: enable PerSourcePenalties by default.
ok markus

NB. if you run a sshd that accepts connections from behind large NAT
blocks, proxies or anything else that aggregates many possible users
behind few IP addresses, then this change may cause legitimate traffic
to be denied.

Please read the PerSourcePenalties, PerSourcePenaltyExemptList and
PerSourceNetBlockSize options in sshd_config(5) for how to tune your
sshd(8) for your specific circumstances.

OpenBSD-Commit-ID: 24a0e5c23d37e5a63e16d2c6da3920a51078f6ce
2024-06-07 06:26:15 +10:00
djm@openbsd.org
81c1099d22
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.

When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).

When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).

Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.

We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.

PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.

much feedback markus@ and others, ok markus@

OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
2024-06-07 03:35:40 +10:00
djm@openbsd.org
92e5589031
upstream: fix incorrect debug option name introduce in previous
commit

OpenBSD-Commit-ID: 66d69e22b1c072c694a7267c847f212284614ed3
2024-05-17 14:41:38 +10:00
djm@openbsd.org
03e3de416e
upstream: Start the process of splitting sshd into separate
binaries. This step splits sshd into a listener and a session binary. More
splits are planned.

After this changes, the listener binary will validate the configuration,
load the hostkeys, listen on port 22 and manage MaxStartups only. All
session handling will be performed by a new sshd-session binary that the
listener fork+execs.

This reduces the listener process to the minimum necessary and sets us
up for future work on the sshd-session binary.

feedback/ok markus@ deraadt@

NB. if you're updating via source, please restart sshd after installing,
otherwise you run the risk of locking yourself out.

OpenBSD-Commit-ID: 43c04a1ab96cdbdeb53d2df0125a6d42c5f19934
2024-05-17 14:41:35 +10:00
djm@openbsd.org
65a44a8a4f
upstream: Separate parsing of string array options from applying them
to the active configuration. This fixes the config parser from erroneously
rejecting cases like:

AuthenticationMethods password
Match User ivy
 AuthenticationMethods any

bz3657 ok markus@

OpenBSD-Commit-ID: 7f196cba634c2a3dba115f3fac3c4635a2199491
2024-03-04 14:46:46 +11:00
djm@openbsd.org
ee6d932acb
upstream: don't append a gratuitous space to the end of subsystem
arguments; bz3667

OpenBSD-Commit-ID: e11023aeb3f30b77a674e37b8292c862926d5dc6
2024-02-20 15:10:55 +11:00
djm@openbsd.org
a752a6c0e1
upstream: add ChannelTimeout support to the client, mirroring the
same option in the server. ok markus@

OpenBSD-Commit-ID: 55630b26f390ac063980cfe7ad8c54b03284ef02
2023-10-12 10:00:13 +11:00
djm@openbsd.org
bd1b9e52f5
upstream: fix sizeof(*ptr) instead sizeof(ptr) in realloc (pointer here
is char**, so harmless); spotted in CID 416964

OpenBSD-Commit-ID: c61caa4a5a667ee20bb1042098861e6c72c69002
2023-09-08 16:35:40 +10:00
djm@openbsd.org
8a1450c620
upstream: allow override of Sybsystem directives in sshd Match
blocks

OpenBSD-Commit-ID: 3911d18a826a2d2fe7e4519075cf3e57af439722
2023-09-07 09:54:47 +10:00
djm@openbsd.org
6e52826e2a
upstream: allocate the subsystems array as necessary and remove the
fixed limit of subsystems. Saves a few kb of memory in the server and makes
it more like the other options.

OpenBSD-Commit-ID: e683dfca6bdcbc3cc339bb6c6517c0c4736a547f
2023-09-07 09:54:01 +10:00
djm@openbsd.org
e19069c9fa
upstream: preserve quoting of Subsystem commands and arguments.
This may change behaviour of exotic configurations, but the most common
subsystem configuration (sftp-server) is unlikely to be affected.

OpenBSD-Commit-ID: 8ffa296aeca981de5b0945242ce75aa6dee479bf
2023-09-07 09:54:01 +10:00
djm@openbsd.org
52dfe3c72d
upstream: downgrade duplicate Subsystem directives from being a
fatal error to being a debug message to match behaviour with just about all
other directives.

OpenBSD-Commit-ID: fc90ed2cc0c18d4eb8e33d2c5e98d25f282588ce
2023-09-07 09:54:00 +10:00
djm@openbsd.org
f98031773d
upstream: make PerSourceMaxStartups first-match-wins; ok dtucker@
OpenBSD-Commit-ID: dac0c24cb709e3c595b8b4f422a0355dc5a3b4e7
2023-08-29 15:01:47 +10:00
djm@openbsd.org
dc1dbe94cf
upstream: move other RCSIDs to before their respective license blocks
too no code change

OpenBSD-Commit-ID: ef5bf46b57726e4260a63b032b0b5ac3b4fe9cd4
2023-07-17 15:33:51 +10:00
djm@openbsd.org
c1c2ca1365
upstream: better validate CASignatureAlgorithms in ssh_config and
sshd_config.

Previously this directive would accept certificate algorithm names, but
these were unusable in practice as OpenSSH does not support CA chains.

part of bz3577; ok dtucker@

OpenBSD-Commit-ID: a992d410c8a78ec982701bc3f91043dbdb359912
2023-06-21 15:13:56 +10:00
millert@openbsd.org
b53a809a54
upstream: Store timeouts as int, not u_int as they are limited to
INT_MAX. Fixes sign compare warnings systems with 32-bit time_t due to type
promotion.  OK djm@

OpenBSD-Commit-ID: 48081e9ad35705c5f1705711704a4c2ff94e87b7
2023-06-20 10:07:06 +10:00
djm@openbsd.org
fcd78e31cd
upstream: fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
appears previously in configuration. Reported by John Meyers in bz3574 ok
dtucker@

OpenBSD-Commit-ID: 1c92e4517284386703936e1d3abaa36cfacf1951
2023-05-25 09:42:00 +10:00
dtucker@openbsd.org
fc7f8f2188
upstream: Remove unused compat.h includes.
We've previously removed a lot of the really old compatibility code,
and with it went the need to include compat.h in most of the files that
have it.

OpenBSD-Commit-ID: 5af8baa194be00a3092d17598e88a5b29f7ea2b4
2023-03-05 19:27:31 +11:00
djm@openbsd.org
d1c1b3272e
upstream: actually print "channeltimeout none" in config dump mode;
spotted via Coverity CID 405022

OpenBSD-Commit-ID: b074b52bf138b75f08264e8da15880b29c7a630f
2023-03-03 16:12:04 +11:00
djm@openbsd.org
0293c19807
upstream: Add a sshd_config UnusedConnectionTimeout option to terminate
client connections that have no open channels for some length of time. This
complements the recently-added ChannelTimeout option that terminates inactive
channels after a timeout.

ok markus@

OpenBSD-Commit-ID: ca983be74c0350364c11f8ba3bd692f6f24f5da9
2023-01-17 20:50:41 +11:00
djm@openbsd.org
2d1ff2b943
upstream: Implement channel inactivity timeouts
This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker

OpenBSD-Commit-ID: ae8bba3ed9d9f95ff2e2dc8dcadfa36b48e6c0b8
2023-01-06 16:23:16 +11:00
dtucker@openbsd.org
747691604d
upstream: Remove some set but otherwise unused variables, spotted
in -portable by clang 16's -Wunused-but-set-variable.  ok djm@

OpenBSD-Commit-ID: 3d943ddf2369b38fbf89f5f19728e7dc1daf3982
2022-11-07 22:22:15 +11:00
dtucker@openbsd.org
1d78d25653
upstream: Check for and disallow MaxStartups values less than or
equal to zero during config parsing, rather than faling later at runtime.
bz#3489, ok djm@

OpenBSD-Commit-ID: d79c2b7a8601eb9be493629a91245d761154308b
2022-11-07 22:22:06 +11:00
djm@openbsd.org
1875042c52
upstream: Add RequiredRSASize for sshd(8); RSA keys that fall
beneath this limit will be ignored for user and host-based authentication.

Feedback deraadt@ ok markus@

OpenBSD-Commit-ID: 187931dfc19d51873df5930a04f2d972adf1f7f1
2022-09-17 20:39:02 +10:00
djm@openbsd.org
22e1a3a71a upstream: Make SetEnv directives first-match-wins in both
sshd_config and sshd_config; previously if the same name was reused then the
last would win (which is the opposite to how the config is supposed to work).

While there, make the ssh_config parsing more like sshd_config.

bz3438, ok dtucker

OpenBSD-Commit-ID: 797909c1e0262c0d00e09280459d7ab00f18273b
2022-06-03 14:33:18 +10:00
djm@openbsd.org
731087d261 upstream: don't try to resolve ListenAddress directives in the sshd
re-exec path - we're never going to use the result and if the operation fails
then it can prevent connections from being accepted. Reported by Aaron
Poffenberger; with / ok dtucker@

OpenBSD-Commit-ID: 44c53a43909a328e2f5ab26070fdef3594eded60
2022-03-20 19:54:35 +11:00
dtucker@openbsd.org
45279abceb upstream: Switch hpdelim interface to accept only ":" as delimiter.
Historicallly, hpdelim accepted ":" or "/" as a port delimiter between
hosts (or addresses) and ports.  These days most of the uses for "/"
are no longer accepted, so there are several places where it checks the
delimiter to disallow it.  Make hpdelim accept only ":" and use hpdelim2
in the other cases.  ok djm@

OpenBSD-Commit-ID: 7e6420bd1be87590b6840973f5ad5305804e3102
2022-02-10 15:14:17 +11:00
millert@openbsd.org
37616807f1 upstream: revision 1.381 neglected to remove
sChallengeResponseAuthentication from the enum.  Noticed by
christos@zoulas.com.  OK dtucker@

OpenBSD-Commit-ID: b533283a4dd6d04a867da411a4c7a8fbc90e34ff
2021-09-07 16:05:36 +10:00
Darren Tucker
bfe19197a9 Remove now-unused SSHv1 enums.
sRhostsRSAAuthentication and sRSAAuthentication are protocol 1 options
and are no longer used.
2021-07-02 15:43:28 +10:00
dtucker@openbsd.org
c73b02d92d upstream: Remove references to ChallengeResponseAuthentication in
favour of KbdInteractiveAuthentication.  The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but
not entirely equivalent.  We retain the old name as deprecated alias so
config files continue to work and a reference in the man page for people
looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match.  Man page help & ok jmc@, with & ok djm@

OpenBSD-Commit-ID: 2c1bff8e5c9852cfcdab1f3ea94dfef5a22f3b7e
2021-07-02 15:39:29 +10:00
djm@openbsd.org
a10f929d1c upstream: switch sshd_config parsing to argv_split()
similar to the previous commit, this switches sshd_config parsing to
the newer tokeniser. Config parsing will be a little stricter wrt
quote correctness and directives appearing without arguments.

feedback and ok markus@

tested in snaps for the last five or so days - thanks Theo and those who
caught bugs

OpenBSD-Commit-ID: 9c4305631d20c2d194661504ce11e1f68b20d93e
2021-06-08 17:17:15 +10:00
djm@openbsd.org
31d8d231eb upstream: highly polished whitespace, mostly fixing spaces-for-tab
and bad indentation on continuation lines. Prompted by GHPR#185

OpenBSD-Commit-ID: e5c81f0cbdcc6144df1ce468ec1bac366d8ad6e9
2021-04-03 17:23:02 +11:00
dtucker@openbsd.org
88057eb6df upstream: Add ModuliFile keyword to sshd_config to specify the
location of the "moduli" file containing the groups for DH-GEX.  This will
allow us to run tests against arbitrary moduli files without having to
install them. ok djm@

OpenBSD-Commit-ID: 8df99d60b14ecaaa28f3469d01fc7f56bff49f66
2021-03-13 13:14:13 +11:00
dtucker@openbsd.org
b9225c3a1c upstream: Put obsolete aliases for hostbasedalgorithms and
pubkeyacceptedalgorithms after their current names so that the config-dump
mode finds and uses the current names.  Spotted by Phil Pennock.

OpenBSD-Commit-ID: 5dd10e93cccfaff3aaaa09060c917adff04a9b15
2021-02-25 00:28:45 +11:00
markus@openbsd.org
b696858a7f upstream: factor out opt_array_append; ok djm@
OpenBSD-Commit-ID: 571bc5dd35f99c5cf9de6aaeac428b168218e74a
2021-02-17 15:03:41 +11:00
dtucker@openbsd.org
e9f78d6b06 upstream: Rename HostbasedKeyTypes (ssh) and
HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more
accurately reflects its effect. This matches a previous change to
PubkeyAcceptedAlgorithms.  The previous names are retained as aliases.  ok
djm@

OpenBSD-Commit-ID: 49451c382adc6e69d3fa0e0663eeef2daa4b199e
2021-01-26 22:50:40 +11:00
dtucker@openbsd.org
ee9c0da803 upstream: Rename PubkeyAcceptedKeyTypes keyword to
PubkeyAcceptedAlgorithms. While the two were originally equivalent, this
actually specifies the signature algorithms that are accepted.  Some key
types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512)
so the old name is becoming increasingly misleading.  The old name is
retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@

OpenBSD-Commit-ID: 0346b2f73f54c43d4e001089759d149bfe402ca5
2021-01-22 15:03:56 +11:00
dtucker@openbsd.org
7d0f8a3369 upstream: Correct spelling of persourcenetblocksize in config-dump
mode.

OpenBSD-Commit-ID: ecdc49e2b6bde6b6b0e52163d621831f6ac7b13d
2021-01-11 16:35:44 +11:00
dtucker@openbsd.org
3a92312953 upstream: Add PerSourceMaxStartups and PerSourceNetBlockSize
options which provide more fine grained MaxStartups limits.  Man page help
jmc@, feedback & ok djm@

OpenBSD-Commit-ID: e2f68664e3d02c0895b35aa751c48a2af622047b
2021-01-11 15:04:12 +11:00
djm@openbsd.org
816036f142 upstream: use the new variant log macros instead of prepending
__func__ and appending ssh_err(r) manually; ok markus@

OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8
2020-10-18 23:46:29 +11:00
djm@openbsd.org
793b583d09 upstream: LogVerbose keyword for ssh and sshd
Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@

OpenBSD-Commit-ID: c294c25732d1b4fe7e345cb3e044df00531a6356
2020-10-17 00:43:17 +11:00
Sebastian Andrzej Siewior
8372bff3a8 Remove HAVE_MMAP and BROKEN_MMAP
BROKEN_MMAP is no longer defined since commit
   1cfd5c06ef ("Remove portability support for mmap")

this commit also removed other HAVE_MMAP user. I didn't find anything
that defines HAVE_MMAP. The check does not trigger because compression
on server side is by default COMP_DELAYED (2) so it never triggers.

Remove remaining HAVE_MMAP and BROKEN_MMAP bits.

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
2020-09-11 13:18:42 +10:00
dtucker@openbsd.org
72730249b3 upstream: Check that the addresses supplied to Match Address and
Match LocalAddress are valid when parsing in config-test mode.  This will
catch address/mask mismatches before they cause problems at runtime. Found by
Daniel Stocker, ok djm@

OpenBSD-Commit-ID: 2d0b10c69fad5d8fda4c703e7c6804935289378b
2020-08-31 14:34:34 +10:00
djm@openbsd.org
801c9f095e upstream: support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@

OpenBSD-Commit-ID: 3a2313aae153e043d57763d766bb6d55c4e276e6
2020-08-27 11:28:36 +10:00
djm@openbsd.org
6d755706a0 upstream: some language improvements; ok markus
OpenBSD-Commit-ID: 939d787d571b4d5da50b3b721fd0b2ac236acaa8
2020-07-15 15:07:42 +10:00
markus@openbsd.org
250246fef2 upstream: support loading big sshd_config files w/o realloc; ok
djm

OpenBSD-Commit-ID: ba9238e810074ac907f0cf8cee1737ac04983171
2020-06-26 15:18:44 +10:00