Commit Graph

6406 Commits

Author SHA1 Message Date
Damien Miller
6d7b4377dd - djm@cvs.openbsd.org 2011/06/22 22:08:42
[channels.c channels.h clientloop.c clientloop.h mux.c ssh.c]
     hook up a channel confirm callback to warn the user then requested X11
     forwarding was refused by the server; ok markus@
2011-06-23 08:31:57 +10:00
Damien Miller
69ff1df952 - djm@cvs.openbsd.org 2011/06/22 21:57:01
[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c]
     [sandbox-systrace.c sandbox.h configure.ac Makefile.in]
     introduce sandboxing of the pre-auth privsep child using systrace(4).

     This introduces a new "UsePrivilegeSeparation=sandbox" option for
     sshd_config that applies mandatory restrictions on the syscalls the
     privsep child can perform. This prevents a compromised privsep child
     from being used to attack other hosts (by opening sockets and proxying)
     or probing local kernel attack surface.

     The sandbox is implemented using systrace(4) in unsupervised "fast-path"
     mode, where a list of permitted syscalls is supplied. Any syscall not
     on the list results in SIGKILL being sent to the privsep child. Note
     that this requires a kernel with the new SYSTR_POLICY_KILL option.

     UsePrivilegeSeparation=sandbox will become the default in the future
     so please start testing it now.

     feedback dtucker@; ok markus@
2011-06-23 08:30:03 +10:00
Damien Miller
82c558761d - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2011/06/22 21:47:28
     [servconf.c]
     reuse the multistate option arrays to pretty-print options for "sshd -T"
2011-06-23 08:20:30 +10:00
Damien Miller
4ac99c366c - djm@cvs.openbsd.org 2011/06/17 21:57:25
[clientloop.c]
     setproctitle for a mux master that has been gracefully stopped;
     bz#1911 from Bert.Wesarg AT googlemail.com
2011-06-20 14:43:31 +10:00
Damien Miller
33322127ec - djm@cvs.openbsd.org 2011/06/17 21:47:35
[servconf.c]
     factor out multi-choice option parsing into a parse_multistate label
     and some support structures; ok dtucker@
2011-06-20 14:43:11 +10:00
Damien Miller
f145a5be1c - djm@cvs.openbsd.org 2011/06/17 21:46:16
[sftp-server.c]
     the protocol version should be unsigned; bz#1913 reported by mb AT
     smartftp.com
2011-06-20 14:42:51 +10:00
Damien Miller
8f0bf237d4 - djm@cvs.openbsd.org 2011/06/17 21:44:31
[log.c log.h monitor.c monitor.h monitor_wrap.c monitor_wrap.h sshd.c]
     make the pre-auth privsep slave log via a socketpair shared with the
     monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@
2011-06-20 14:42:23 +10:00
Damien Miller
e7ac2bd42a - markus@cvs.openbsd.org 2011/06/14 22:49:18
[authfile.c]
     make sure key_parse_public/private_rsa1() no longer consumes its input
     buffer.  fixes ssh-add for passphrase-protected ssh1-keys;
     noted by naddy@; ok djm@
2011-06-20 14:23:25 +10:00
Damien Miller
6029e076b2 - djm@cvs.openbsd.org 2011/06/04 00:10:26
[ssh_config.5]
     explain IdentifyFile's semantics a little better, prompted by bz#1898
     ok dtucker jmc
2011-06-20 14:22:49 +10:00
Tim Rice
bc481570d1 - (tim) [regress/cfgmatch.sh] Build/test out of tree fix. 2011-06-02 22:26:19 -07:00
Darren Tucker
bf4d05a37c - dtucker@cvs.openbsd.org 2011/06/03 00:29:52
[regress/dynamic-forward.sh]
     Retry establishing the port forwarding after a small delay, should make
     the tests less flaky when the previous test is slow to shut down and free
     up the port.
2011-06-03 14:19:02 +10:00
Darren Tucker
75e035c34e - dtucker@cvs.openbsd.org 2011/05/31 02:03:34
[regress/dynamic-forward.sh]
     work around startup and teardown races; caught by deraadt
2011-06-03 14:18:17 +10:00
Darren Tucker
260c8fbc4d - dtucker@cvs.openbsd.org 2011/05/31 02:01:58
[regress/dynamic-forward.sh]
     back out revs 1.6 and 1.5 since it's not reliable
2011-06-03 14:17:27 +10:00
Darren Tucker
3e78a516a0 - dtucker@cvs.openbsd.org 2011/06/03 01:37:40
[ssh-agent.c]
     Check current parent process ID against saved one to determine if the parent
     has exited, rather than attempting to send a zero signal, since the latter
     won't work if the parent has changed privs.  bz#1905, patch from Daniel Kahn
     Gillmor, ok djm@
2011-06-03 14:14:16 +10:00
Damien Miller
c09182f613 - (djm) [configure.ac] enable setproctitle emulation for OS X 2011-06-03 12:11:38 +10:00
Damien Miller
ea2c1a4dc6 - djm@cvs.openbsd.org 2011/06/03 00:54:38
[ssh.c]
    bz#1883 - setproctitle() to identify mux master; patch from Bert.Wesarg
    AT googlemail.com; ok dtucker@
    NB. includes additional portability code to enable setproctitle emulation
    on platforms that don't support it.
2011-06-03 12:10:22 +10:00
Darren Tucker
c3c7227ccc add missing changelog entry 2011-06-03 11:20:06 +10:00
Darren Tucker
dd9e0385ab Remove the !HAVE_SOCKETPAIR case. We use socketpair unconditionally in other
places and the survey data we have does not show any systems that use it.
"nuke it" djm@
2011-06-03 11:17:52 +10:00
Tim Rice
90f42b0705 - (tim) [configure.ac defines.h] Run test program to detect system mail
directory. Add --with-maildir option to override. Fixed OpenServer 6
   getting it wrong. Fixed many systems having MAIL=/var/mail//username
   ok dtucker
2011-06-02 18:17:49 -07:00
Darren Tucker
c412c1567b - (dtucker) [README version.h contrib/caldera/openssh.spec
contrib/redhat/openssh.spec contrib/suse/openssh.spec] Pull the version
   bumps from the 5.8p2 branch into HEAD.  ok djm.
2011-06-03 10:35:23 +10:00
Damien Miller
8cb3587336 - djm@cvs.openbsd.org 2011/05/23 03:31:31
[regress/cfgmatch.sh]
     include testing of multiple/overridden AuthorizedKeysFiles
     refactor to simply daemon start/stop and get rid of racy constructs
2011-05-29 21:59:10 +10:00
Damien Miller
295ee63ab2 - djm@cvs.openbsd.org 2011/05/24 07:15:47
[readconf.c readconf.h ssh.c ssh_config.5 sshconnect.c sshconnect2.c]
     Remove undocumented legacy options UserKnownHostsFile2 and
     GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile
     accept multiple paths per line and making their defaults include
     known_hosts2; ok markus
2011-05-29 21:42:31 +10:00
Damien Miller
04bb56ef10 - djm@cvs.openbsd.org 2011/05/23 07:24:57
[authfile.c]
     read in key comments for v.2 keys (though note that these are not
     passed over the agent protocol); bz#439, based on patch from binder
     AT arago.de; ok markus@
2011-05-29 21:42:08 +10:00
Damien Miller
b9132fc427 - jmc@cvs.openbsd.org 2011/05/23 07:10:21
[sshd.8 sshd_config.5]
     tweak previous; ok djm
2011-05-29 21:41:40 +10:00
Damien Miller
201f425d29 - djm@cvs.openbsd.org 2011/05/23 03:52:55
[sshconnect.c]
     remove extra newline
2011-05-29 21:41:03 +10:00
Damien Miller
1dd66e5f74 - djm@cvs.openbsd.org 2011/05/23 03:33:38
[auth.c]
     make secure_filename() spam debug logs less
2011-05-29 21:40:42 +10:00
Damien Miller
d8478b6a9b OpenBSD CVS Sync
- djm@cvs.openbsd.org 2011/05/23 03:30:07
     [auth-rsa.c auth.c auth.h auth2-pubkey.c monitor.c monitor_wrap.c pathnames.h servconf.c servconf.h sshd.8 sshd_config sshd_config.5]
     allow AuthorizedKeysFile to specify multiple files, separated by spaces.
     Bring back authorized_keys2 as a default search path (to avoid breaking
     existing users of this file), but override this in sshd_config so it will
     be no longer used on fresh installs. Maybe in 2015 we can remove it
     entierly :)

     feedback and ok markus@ dtucker@
2011-05-29 21:39:36 +10:00
Damien Miller
acacced70b - dtucker@cvs.openbsd.org 2011/05/20 06:32:30
[dynamic-forward.sh]
     fix dumb error in dynamic-forward test
2011-05-20 19:08:40 +10:00
Damien Miller
7b9451f382 - dtucker@cvs.openbsd.org 2011/05/20 05:19:50
[dynamic-forward.sh]
     Prevent races in dynamic forwarding test; ok djm
2011-05-20 19:08:11 +10:00
Damien Miller
3045b45a03 - djm@cvs.openbsd.org 2011/05/20 02:43:36
[cert-hostkey.sh]
     another attempt to generate a v00 ECDSA key that broke the test
     ID sync only - portable already had this somehow
2011-05-20 19:07:45 +10:00
Damien Miller
f67188fe13 - djm@cvs.openbsd.org 2011/05/17 07:13:31
[regress/cert-userkey.sh]
     fatal() if asked to generate a legacy ECDSA cert (these don't exist)
     and fix the regress test that was trying to generate them :)
2011-05-20 19:06:48 +10:00
Damien Miller
f2e407e2dd - djm@cvs.openbsd.org 2011/05/20 03:25:45
[monitor.c monitor_wrap.c servconf.c servconf.h]
     use a macro to define which string options to copy between configs
     for Match. This avoids problems caused by forgetting to keep three
     code locations in perfect sync and ordering

     "this is at once beautiful and horrible" + ok dtucker@
2011-05-20 19:04:14 +10:00
Damien Miller
c2411909c7 - dtucker@cvs.openbsd.org 2011/05/20 02:00:19
[servconf.c]
     Add comment documenting what should be after the preauth check.  ok djm
2011-05-20 19:03:49 +10:00
Damien Miller
5d74e58e62 - djm@cvs.openbsd.org 2011/05/20 00:55:02
[servconf.c]
     the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
     and AuthorizedPrincipalsFile were not being correctly applied in
     Match blocks, despite being overridable there; ok dtucker@
2011-05-20 19:03:31 +10:00
Damien Miller
8f639fe722 - djm@cvs.openbsd.org 2011/05/17 07:13:31
[key.c]
     fatal() if asked to generate a legacy ECDSA cert (these don't exist)
     and fix the regress test that was trying to generate them :)
2011-05-20 19:03:08 +10:00
Damien Miller
814ace0875 - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2011/05/15 08:09:01
     [authfd.c monitor.c serverloop.c]
     use FD_CLOEXEC consistently; patch from zion AT x96.org
2011-05-20 19:02:47 +10:00
Damien Miller
ec2eaa3daf - (djm) [servconf.c] remove leftover droppings of AuthorizedKeysFile2 2011-05-20 18:57:14 +10:00
Damien Miller
989bb7f0c5 - (djm) [aclocal.m4 configure.ac] since gcc-4.x ignores all -Wno-options
options, we should corresponding -W-option when trying to determine
   whether it is accepted.  Also includes a warning fix on the program
   fragment uses (bad main() return type).
   bz#1900 and bz#1901 reported by g.esp AT free.fr; ok dtucker@
2011-05-20 18:56:30 +10:00
Damien Miller
b176362d26 - (djm) [aclocal.m4 configure.ac] since gcc-4.x ignores all -Wno-options
options, we should corresponding -W-option when trying to determine
   whether it is accepted.  Also includes a warning fix on the program
   fragment uses (bad main() return type).
   bz#1900 and bz#1901 reported by g.esp AT free.fr; ok dtucker@
2011-05-20 11:45:25 +10:00
Damien Miller
14684a1f84 - (djm) [session.c] call setexeccon() before executing passwd for pw
changes; bz#1891 reported by jchadima AT redhat.com; ok dtucker@
2011-05-20 11:23:07 +10:00
Damien Miller
23f425b48b - (djm) [packet.c] unbreak portability #endif 2011-05-15 08:58:15 +10:00
Damien Miller
9d276b8d68 - djm@cvs.openbsd.org 2011/05/13 00:05:36
[authfile.c]
     warn on unexpected key type in key_parse_private_type()
2011-05-15 08:51:43 +10:00
Damien Miller
7c1b2c4ea8 - djm@cvs.openbsd.org 2011/05/11 04:47:06
[auth.c auth.h auth2-pubkey.c pathnames.h servconf.c servconf.h]
     remove support for authorized_keys2; it is a relic from the early days
     of protocol v.2 support and has been undocumented for many years;
     ok markus@
2011-05-15 08:51:05 +10:00
Damien Miller
3219824f2d - djm@cvs.openbsd.org 2011/05/10 05:46:46
[authfile.c]
     despam debug() logs by detecting that we are trying to load a private key
     in key_try_load_public() and returning early; ok markus@
2011-05-15 08:50:32 +10:00
Damien Miller
555f3b856f - djm@cvs.openbsd.org 2011/05/08 12:52:01
[PROTOCOL.mux clientloop.c clientloop.h mux.c]
     improve our behaviour when TTY allocation fails: if we are in
     RequestTTY=auto mode (the default), then do not treat at TTY
     allocation error as fatal but rather just restore the local TTY
     to cooked mode and continue. This is more graceful on devices that
     never allocate TTYs.

     If RequestTTY is set to "yes" or "force", then failure to allocate
     a TTY is fatal.

     ok markus@
2011-05-15 08:48:05 +10:00
Damien Miller
f4b32aad05 - jmc@cvs.openbsd.org 2011/05/07 23:20:25
[ssh.1]
     +.It RequestTTY
2011-05-15 08:47:43 +10:00
Damien Miller
486dd2eadb - jmc@cvs.openbsd.org 2011/05/07 23:19:39
[ssh_config.5]
     - tweak previous
     - come consistency fixes

     ok djm
2011-05-15 08:47:18 +10:00
Damien Miller
c067f62560 - djm@cvs.openbsd.org 2011/05/06 22:20:10
[PROTOCOL.mux]
     fix numbering; from bert.wesarg AT googlemail.com
2011-05-15 08:46:54 +10:00
Damien Miller
a6bbbe4658 - djm@cvs.openbsd.org 2011/05/06 21:38:58
[ssh.c]
     fix dropping from previous diff
2011-05-15 08:46:29 +10:00
Damien Miller
21771e22d3 - djm@cvs.openbsd.org 2011/05/06 21:34:32
[clientloop.c mux.c readconf.c readconf.h ssh.c ssh_config.5]
     Add a RequestTTY ssh_config option to allow configuration-based
     control over tty allocation (like -t/-T); ok markus@
2011-05-15 08:45:50 +10:00