Commit Graph

219 Commits

Author SHA1 Message Date
markus@openbsd.org
84008608c9 upstream commit
use SO_ZEROIZE for privsep communication (if available)

Upstream-ID: abcbb6d2f8039fc4367a6a78096e5d5c39de4a62
2017-06-01 14:55:23 +10:00
markus@openbsd.org
1e0cdf8efb upstream commit
clear session keys from memory; ok djm@

Upstream-ID: ecd178819868975affd5fd6637458b7c712b6a0f
2017-06-01 14:54:46 +10:00
markus@openbsd.org
00ed75c92d upstream commit
switch auth2-pubkey.c to modern APIs; with & ok djm@

Upstream-ID: 8f08d4316eb1b0c4ffe4a206c05cdd45ed1daf07
2017-05-31 10:47:31 +10:00
markus@openbsd.org
54d90ace1d upstream commit
switch from Key typedef with struct sshkey; ok djm@

Upstream-ID: 3067d33e04efbe5131ce8f70668c47a58e5b7a1f
2017-05-31 10:47:31 +10:00
djm@openbsd.org
f1a193464a upstream commit
use ssh_packet_set_log_preamble() to include connection
username in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113

Upstream-ID: 3591b88bdb5416d6066fb3d49d8fff2375bf1a15
2017-02-04 10:09:43 +11:00
djm@openbsd.org
0082fba4ef upstream commit
Remove support for pre-authentication compression. Doing
compression early in the protocol probably seemed reasonable in the 1990s,
but today it's clearly a bad idea in terms of both cryptography (cf. multiple
compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.

Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf
2016-09-29 03:11:32 +10:00
djm@openbsd.org
b33ad6d997 upstream commit
enforce expected request flow for GSSAPI calls; thanks to
Jakub Jelen for testing; ok markus@

Upstream-ID: d4bc0e70e1be403735d3d9d7e176309b1fd626b9
2016-09-12 13:33:52 +10:00
Damien Miller
775f8a23f2 tighten PAM monitor calls
only allow kbd-interactive ones when that authentication method is
enabled. Prompted by Solar Designer
2016-08-31 10:48:07 +10:00
djm@openbsd.org
7fd0ea8a1d upstream commit
restrict monitor auth calls to be allowed only when their
respective authentication methods are enabled in the configuration.

prompted by Solar Designer; ok markus dtucker

Upstream-ID: 6eb3f89332b3546d41d6dbf5a8e6ff920142b553
2016-08-31 10:37:09 +10:00
Damien Miller
b38b95f5bc Tighten monitor state-machine flow for PAM calls
(attack surface reduction)
2016-08-29 11:49:16 +10:00
djm@openbsd.org
83b581862a upstream commit
remove UseLogin option and support for having /bin/login
manage login sessions; ok deraadt markus dtucker

Upstream-ID: bea7213fbf158efab7e602d9d844fba4837d2712
2016-08-23 14:29:07 +10:00
markus@openbsd.org
6cb6dcffe1 upstream commit
remove ssh1 server code; ok djm@

Upstream-ID: c24c0c32c49b91740d5a94ae914fb1898ea5f534
2016-08-14 11:19:14 +10:00
djm@openbsd.org
c36d91bd4e upstream commit
move debug("%p", key) to before key is free'd; probable
undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581

Upstream-ID: 767f323e1f5819508a0e35e388ec241bac2f953a
2016-07-22 14:06:27 +10:00
Darren Tucker
01558b7b07 Handle PAM_MAXTRIES from modules.
bz#2249: handle the case where PAM returns PAM_MAXTRIES by ceasing to offer
password and keyboard-interative authentication methods.  Should prevent
"sshd ignoring max retries" warnings in the log.  ok djm@

It probably won't trigger with keyboard-interactive in the default
configuration because the retry counter is stored in module-private
storage which goes away with the sshd PAM process (see bz#688).  On the
other hand, those cases probably won't log a warning either.
2016-07-18 09:33:25 +10:00
djm@openbsd.org
0e8eeec8e7 upstream commit
add support for additional fixed DH groups from
 draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@

Upstream-ID: ac00406ada4f0dfec41585ca0839f039545bc46f
2016-05-02 20:39:32 +10:00
djm@openbsd.org
1a31d02b24 upstream commit
fix signed/unsigned errors reported by clang-3.7; add
 sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with
 better safety checking; feedback and ok markus@

Upstream-ID: 71f926d9bb3f1efed51319a6daf37e93d57c8820
2016-05-02 20:35:04 +10:00
djm@openbsd.org
95767262ca upstream commit
refactor canohost.c: move functions that cache results closer
 to the places that use them (authn and session code). After this, no state is
 cached in canohost.c

feedback and ok markus@

Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
2016-03-08 06:20:35 +11:00
djm@openbsd.org
24c9bded56 upstream commit
memleak of algorithm name in mm_answer_sign; reported by
 Jakub Jelen

Upstream-ID: ccd742cd25952240ebd23d7d4d6b605862584d08
2016-02-16 10:44:01 +11:00
markus@openbsd.org
a306863831 upstream commit
remove roaming support; ok djm@

Upstream-ID: 2cab8f4b197bc95776fb1c8dc2859dad0c64dc56
2016-01-27 16:54:10 +11:00
markus@openbsd.org
76c9fbbe35 upstream commit
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures
 (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and
 draft-ssh-ext-info-04.txt; with & ok djm@

Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309
2015-12-07 12:38:58 +11:00
Damien Miller
ac9473580d fix multiple authentication using S/Key w/ privsep
bz#2502, patch from Kevin Korb and feandil_
2015-11-20 12:35:41 +11:00
mmcc@openbsd.org
7d6c036203 upstream commit
Compare pointers to NULL rather than 0.

ok djm@

Upstream-ID: 21616cfea27eda65a06e772cc887530b9a1a27f8
2015-10-25 11:42:04 +11:00
djm@openbsd.org
f54d8ac247 upstream commit
don't record hostbased authentication hostkeys as user
 keys in test for multiple authentication with the same key

Upstream-ID: 26b368fa2cff481f47f37e01b8da1ae5b57b1adc
2015-09-04 16:57:01 +10:00
jsg@openbsd.org
f3a3ea180a upstream commit
Fix occurrences of "r = func() != 0" which result in the
 wrong error codes being returned due to != having higher precedence than =.

ok deraadt@ markus@

Upstream-ID: 5fc35c9fc0319cc6fca243632662d2f06b5fd840
2015-09-03 10:44:41 +10:00
deraadt@openbsd.org
e774e5ea56 upstream commit
Improve size == 0, count == 0 checking in mm_zalloc,
 which is "array" like. Discussed with tedu, millert, otto.... and ok djm

Upstream-ID: 899b021be43b913fad3eca1aef44efe710c53e29
2015-08-22 11:17:06 +10:00
Damien Miller
5e75f51987 set sshpam_ctxt to NULL after free
Avoids use-after-free in monitor when privsep child is compromised.
Reported by Moritz Jodeit; ok dtucker@
2015-08-11 13:36:00 +10:00
Damien Miller
d4697fe9a2 Don't resend username to PAM; it already has it.
Pointed out by Moritz Jodeit; ok dtucker@
2015-08-11 13:36:00 +10:00
djm@openbsd.org
9488538a72 upstream commit
Don't count successful partial authentication as failures
 in monitor; this may have caused the monitor to refuse multiple
 authentications that would otherwise have successfully completed; ok markus@

Upstream-ID: eb74b8e506714d0f649bd5c300f762a527af04a3
2015-06-23 10:34:47 +10:00
djm@openbsd.org
179be0f5e6 upstream commit
prevent authorized_keys options picked up on public key
 tests without a corresponding private key authentication being applied to
 other authentication methods. Reported by halex@, ok markus@
2015-05-10 11:54:10 +10:00
djm@openbsd.org
e661a86353 upstream commit
Remove pattern length argument from match_pattern_list(), we
 only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@
2015-05-10 11:38:04 +10:00
djm@openbsd.org
734226b448 upstream commit
fix compilation with OPENSSL=no; ok dtucker@
2015-04-29 18:19:05 +10:00
djm@openbsd.org
17d4d9d9fb upstream commit
don't call record_login() in monitor when UseLogin is
 enabled; bz#278 reported by drk AT sgi.com; ok dtucker
2015-04-29 18:13:34 +10:00
Damien Miller
9af21979c0 don't include stdint.h unless HAVE_STDINT_H set 2015-02-24 09:04:32 +11:00
Darren Tucker
f2004cd1ad Repair for non-ECC OpenSSL.
Ifdef out the ECC parts when building with an OpenSSL that doesn't have
it.
2015-02-23 05:04:21 +11:00
djm@openbsd.org
44732de068 upstream commit
UpdateHostKeys fixes:

I accidentally changed the format of the hostkeys@openssh.com messages
last week without changing the extension name, and this has been causing
connection failures for people who are running -current. First reported
by sthen@

s/hostkeys@openssh.com/hostkeys-00@openssh.com/
Change the name of the proof message too, and reorder it a little.

Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY
available to read the response) so disable UpdateHostKeys if it is in
ask mode and ControlPersist is active (and document this)
2015-02-21 09:20:28 +11:00
Damien Miller
773dda25e8 repair --without-openssl; broken in refactor 2015-02-18 22:29:32 +11:00
djm@openbsd.org
523463a3a2 upstream commit
Revise hostkeys@openssh.com hostkey learning extension.

The client will not ask the server to prove ownership of the private
halves of any hitherto-unseen hostkeys it offers to the client.

Allow UpdateHostKeys option to take an 'ask' argument to let the
user manually review keys offered.

ok markus@
2015-02-17 09:32:32 +11:00
markus@openbsd.org
02db468bf7 upstream commit
make rekey_limit for sshd w/privsep work; ok djm@
 dtucker@
2015-02-17 09:32:30 +11:00
millert@openbsd.org
fd36834871 upstream commit
SIZE_MAX is standard, we should be using it in preference to
 the obsolete SIZE_T_MAX.  OK miod@ beck@
2015-02-09 09:28:17 +11:00
deraadt@openbsd.org
087266ec33 upstream commit
Reduce use of <sys/param.h> and transition to <limits.h>
 throughout. ok djm markus
2015-01-26 23:58:53 +11:00
markus@openbsd.org
57d10cbe86 upstream commit
adapt kex to sshbuf and struct ssh; ok djm@
2015-01-20 09:19:39 +11:00
markus@openbsd.org
091c302829 upstream commit
update packet.c & isolate, introduce struct ssh a) switch
 packet.c to buffer api and isolate per-connection info into struct ssh b)
 (de)serialization of the state is moved from monitor to packet.c c) the old
 packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and
 integrated into packet.c with and ok djm@
2015-01-20 09:13:01 +11:00
djm@openbsd.org
141efe4954 upstream commit
move authfd.c and its tentacles to the new buffer/key
 API; ok markus@
2015-01-15 21:37:34 +11:00
djm@openbsd.org
1f729f0614 upstream commit
add sshd_config HostbasedAcceptedKeyTypes and
 PubkeyAcceptedKeyTypes options to allow sshd to control what public key types
 will be accepted. Currently defaults to all. Feedback & ok markus@
2015-01-13 19:27:18 +11:00
djm@openbsd.org
f69b69b862 upstream commit
remember which public keys have been used for
 authentication and refuse to accept previously-used keys.

This allows AuthenticationMethods=publickey,publickey to require
that users authenticate using two _different_ pubkeys.

ok markus@
2014-12-22 19:06:52 +11:00
Damien Miller
146218ac11 - (djm) [monitor.c sshd.c] SIGXFSZ needs to be ignored in postauth
monitor, not preauth; bz#2263
2014-08-27 04:11:55 +10:00
Damien Miller
7acefbbcbe - millert@cvs.openbsd.org 2014/07/15 15:54:14
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
     [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
     [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
     [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
     [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
     [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
     [sshd_config.5 sshlogin.c]
     Add support for Unix domain socket forwarding.  A remote TCP port
     may be forwarded to a local Unix domain socket and vice versa or
     both ends may be a Unix domain socket.  This is a reimplementation
     of the streamlocal patches by William Ahern from:
         http://www.25thandclement.com/~william/projects/streamlocal.html
     OK djm@ markus@
2014-07-18 14:11:24 +10:00
Damien Miller
8668706d0f - djm@cvs.openbsd.org 2014/06/24 01:13:21
[Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c
     [auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c
     [cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h
     [digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h
     [hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h
     [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c
     [ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c
     [ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c
     [sshconnect2.c sshd.c sshkey.c sshkey.h
     [openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h]
     New key API: refactor key-related functions to be more library-like,
     existing API is offered as a set of wrappers.

     with and ok markus@

     Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
     Dempsky and Ron Bowes for a detailed review a few months ago.

     NB. This commit also removes portable OpenSSH support for OpenSSL
     <0.9.8e.
2014-07-02 15:28:02 +10:00
Damien Miller
c31a0cd5b3 - markus@cvs.openbsd.org 2014/05/03 17:20:34
[monitor.c packet.c packet.h]
     unbreak compression, by re-init-ing the compression code in the
     post-auth child. the new buffer code is more strict, and requires
     buffer_init() while the old code was happy after a bzero();
     originally from djm@
2014-05-15 14:37:39 +10:00
Damien Miller
1f0311c7c7 - markus@cvs.openbsd.org 2014/04/29 18:01:49
[auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c]
     [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c]
     [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
     [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c]
     make compiling against OpenSSL optional (make OPENSSL=no);
     reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
     allows us to explore further options; with and ok djm
2014-05-15 14:24:09 +10:00