Commit Graph

311 Commits

Author SHA1 Message Date
djm@openbsd.org
8f57495927 upstream commit
refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@

Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
2017-06-24 16:56:11 +10:00
djm@openbsd.org
54cd41a466 upstream commit
allow LogLevel in sshd_config Match blocks; ok dtucker
bz#2717

Upstream-ID: 662e303be63148f47db1aa78ab81c5c2e732baa8
2017-05-17 11:25:22 +10:00
jsg@openbsd.org
e13aad66e7 upstream commit
remove a static array unused since rev 1.306 spotted by
clang ok djm@

Upstream-ID: 249b3eed2446f6074ba2219ccc46919dd235a7b8
2017-04-28 13:26:36 +10:00
djm@openbsd.org
66705948c0 upstream commit
Mark the sshd_config UsePrivilegeSeparation option as
deprecated, effectively making privsep mandatory in sandboxing mode. ok
markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).

Upstream-ID: b4c52666256c4dd865f8ce9431af5d6ce2d74a0a
2017-03-15 11:09:18 +11:00
dtucker@openbsd.org
67eed24bfa upstream commit
Remove old null check from config dumper.  Patch from
jjelen at redhat.com vi bz#2687, ok djm@

Upstream-ID: 824ab71467b78c4bab0dd1b3a38e8bc5f63dd528
2017-03-10 15:35:39 +11:00
djm@openbsd.org
68bc8cfa76 upstream commit
support =- for removing methods from algorithms lists,
e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like
it" markus@

Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d
2017-02-04 10:08:15 +11:00
djm@openbsd.org
c924b2ef94 upstream commit
allow form-feed characters at EOL; bz#2431 ok dtucker@

Upstream-ID: 1f453afaba6da2ae69d6afdf1ae79a917552f1a2
2017-02-03 16:07:27 +11:00
djm@openbsd.org
13bd2e2d62 upstream commit
sshd_config is documented to set
GSSAPIStrictAcceptorCheck=yes by default, so actually make it do this.
bz#2637 ok dtucker

Upstream-ID: 99ef8ac51f17f0f7aec166cb2e34228d4d72a665
2017-01-30 11:05:18 +11:00
djm@openbsd.org
7844f357cd upstream commit
Add a sshd_config DisableForwaring option that disables
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as
anything else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@

Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
2016-11-30 19:44:01 +11:00
markus@openbsd.org
f0ddedee46 upstream commit
allow ClientAlive{Interval,CountMax} in Match; ok dtucker,
djm

Upstream-ID: 8beb4c1eadd588f1080b58932281983864979f55
2016-11-24 16:07:26 +11:00
djm@openbsd.org
010359b326 upstream commit
Validate address ranges for AllowUser/DenyUsers at
configuration load time and refuse to accept bad ones. It was previously
possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and
these would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)

Upstream-ID: 9dfcdd9672b06e65233ea4434c38226680d40bfb
2016-11-06 16:48:29 +11:00
dtucker@openbsd.org
a903e315de upstream commit
Remove dead breaks, found via opencoverage.net.  ok
deraadt@

Upstream-ID: ad9cc655829d67fad219762810770787ba913069
2016-10-26 08:52:46 +11:00
djm@openbsd.org
4577adead6 upstream commit
restore pre-auth compression support in the client -- the
previous commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@

Upstream-ID: d23696ed72a228dacd4839dd9f2dec424ba2016b
2016-09-29 06:54:50 +10:00
djm@openbsd.org
0082fba4ef upstream commit
Remove support for pre-authentication compression. Doing
compression early in the protocol probably seemed reasonable in the 1990s,
but today it's clearly a bad idea in terms of both cryptography (cf. multiple
compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.

Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf
2016-09-29 03:11:32 +10:00
djm@openbsd.org
ae363d74cc upstream commit
add a sIgnore opcode that silently ignores options and
use it to suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus

Upstream-ID: 9fe040aca3d6ff393f6f7e60045cdd821dc4cbe0
2016-08-29 11:20:28 +10:00
djm@openbsd.org
83b581862a upstream commit
remove UseLogin option and support for having /bin/login
manage login sessions; ok deraadt markus dtucker

Upstream-ID: bea7213fbf158efab7e602d9d844fba4837d2712
2016-08-23 14:29:07 +10:00
naddy@openbsd.org
c38ea63489 upstream commit
Remove more SSH1 server code: * Drop sshd's -k option. *
Retire configuration keywords that only apply to protocol 1, as well as   the
"protocol" keyword. * Remove some related vestiges of protocol 1 support.

ok markus@

Upstream-ID: 9402f82886de917779db12f8ee3f03d4decc244d
2016-08-23 13:28:30 +10:00
djm@openbsd.org
46ecd19e55 upstream commit
fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado

Upstream-ID: 8ffa1dac25c7577eca8238e825317ab20848f9b4
2016-06-24 13:35:28 +10:00
djm@openbsd.org
b64faeb5ed upstream commit
ban AuthenticationMethods="" and accept
AuthenticationMethods=any for the default behaviour of not requiring multiple
authentication

bz#2398 from Jakub Jelen; ok dtucker@

Upstream-ID: fabd7f44d59e4518d241d0d01e226435cc23cf27
2016-06-24 13:35:28 +10:00
dtucker@openbsd.org
9faae50e2e upstream commit
Fix inverted logic for updating StreamLocalBindMask which
 would cause the server to set an invalid mask. ok djm@

Upstream-ID: 8a4404c8307a5ef9e07ee2169fc6d8106b527587
2016-05-05 00:10:03 +10:00
djm@openbsd.org
cfefbcea10 upstream commit
fix overriding of StreamLocalBindMask and
 StreamLocalBindUnlink in Match blocks; found the hard way Rogan Dawes

Upstream-ID: 940bc69ec0249ab428d24ccd0722ce35cb932ee2
2016-05-04 01:58:46 +10:00
djm@openbsd.org
771c2f51ff upstream commit
don't forget to include StreamLocalBindUnlink in the
 config dump output

Upstream-ID: 14a6d970b3b45c8e94272e3c661e9a0b2a0ee7cb
2016-05-04 01:58:46 +10:00
djm@openbsd.org
1a31d02b24 upstream commit
fix signed/unsigned errors reported by clang-3.7; add
 sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with
 better safety checking; feedback and ok markus@

Upstream-ID: 71f926d9bb3f1efed51319a6daf37e93d57c8820
2016-05-02 20:35:04 +10:00
djm@openbsd.org
95767262ca upstream commit
refactor canohost.c: move functions that cache results closer
 to the places that use them (authn and session code). After this, no state is
 cached in canohost.c

feedback and ok markus@

Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
2016-03-08 06:20:35 +11:00
Darren Tucker
fd4e4f2416 Skip PrintLastLog in config dump mode.
When DISABLE_LASTLOG is set, do not try to include PrintLastLog in the
config dump since it'll be reported as UNKNOWN.
2016-02-24 10:44:25 +11:00
djm@openbsd.org
c5c3f3279a upstream commit
make sandboxed privilege separation the default, not just
 for new installs; "absolutely" deraadt@

Upstream-ID: 5221ef3b927d2df044e9aa3f5db74ae91743f69b
2016-02-17 16:37:56 +11:00
dtucker@openbsd.org
921ff00b0a upstream commit
Allow RekeyLimits in excess of 4G up to 2**63 bits
 (limited by the return type of scan_scaled).  Part of bz#2521, ok djm.

Upstream-ID: 13bea82be566b9704821b1ea05bf7804335c7979
2016-01-30 11:19:13 +11:00
djm@openbsd.org
9fd04681a1 upstream commit
Support "none" as an argument for sshd_config
 ForceCommand and ChrootDirectory. Useful inside Match blocks to override a
 global default. bz#2486 ok dtucker@

Upstream-ID: 7ef478d6592bc7db5c7376fc33b4443e63dccfa5
2015-11-16 11:31:37 +11:00
djm@openbsd.org
ed08510d38 upstream commit
Fix "PubkeyAcceptedKeyTypes +..." inside a Match block;
 ok dtucker@

Upstream-ID: 853662c4036730b966aab77684390c47b9738c69
2015-10-29 19:07:18 +11:00
Damien Miller
ac908c1eea turn off PrintLastLog when --disable-lastlog
bz#2278 from Brent Paulson
2015-10-22 09:35:24 +11:00
djm@openbsd.org
6310f60fff upstream commit
Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery

Upstream-ID: 70ca1deea39d758ba36d36428ae832e28566f78d
2015-08-22 11:17:07 +10:00
deraadt@openbsd.org
1dc8d93ce6 upstream commit
add prohibit-password as a synonymn for without-password,
 since the without-password is causing too many questions.  Harden it to ban
 all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from
 djm, ok markus

Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
2015-08-11 18:57:29 +10:00
chris@openbsd.org
3d5728a0f6 upstream commit
Allow PermitRootLogin to be overridden by config

ok markus@ deeradt@

Upstream-ID: 5cf3e26ed702888de84e2dc9d0054ccf4d9125b4
2015-08-02 19:59:26 +10:00
deraadt@openbsd.org
f4373ed1e8 upstream commit
change default: PermitRootLogin without-password matching
 install script changes coming as well ok djm markus

Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6
2015-08-02 19:59:25 +10:00
djm@openbsd.org
f9eca249d4 upstream commit
Allow ssh_config and sshd_config kex parameters options be
 prefixed by a '+' to indicate that the specified items be appended to the
 default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@

Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
2015-07-30 12:32:16 +10:00
markus@openbsd.org
3a1638dda1 upstream commit
Turn off DSA by default; add HostKeyAlgorithms to the
 server and PubkeyAcceptedKeyTypes to the client side, so it still can be
 tested or turned back on; feedback and ok djm@

Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
2015-07-15 15:38:02 +10:00
djm@openbsd.org
868109b650 upstream commit
twiddle PermitRootLogin back

Upstream-ID: 2bd23976305d0512e9f84d054e1fc23cd70b89f2
2015-07-15 15:24:09 +10:00
djm@openbsd.org
7de4b03a6e upstream commit
twiddle; (this commit marks the openssh-6.9 release)

Upstream-ID: 78500582819f61dd8adee36ec5cc9b9ac9351234
2015-07-01 12:35:31 +10:00
djm@openbsd.org
47aa7a0f85 upstream commit
put back default PermitRootLogin=no

Upstream-ID: 7bdedd5cead99c57ed5571f3b6b7840922d5f728
2015-07-01 12:29:42 +10:00
djm@openbsd.org
d921082ed6 upstream commit
reset default PermitRootLogin to 'yes' (momentarily, for
 release)

Upstream-ID: cad8513527066e65dd7a1c16363d6903e8cefa24
2015-07-01 11:58:35 +10:00
djm@openbsd.org
d7c31da4d4 upstream commit
add knob to relax GSSAPI host credential check for
 multihomed hosts bz#928, patch by Simon Wilkinson; ok dtucker
 (kerberos/GSSAPI is not compiled by default on OpenBSD)

Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d
2015-05-22 20:02:17 +10:00
djm@openbsd.org
bcc50d8161 upstream commit
add AuthorizedPrincipalsCommand that allows getting
 authorized_principals from a subprocess rather than a file, which is quite
 useful in deployments with large userbases

feedback and ok markus@

Upstream-ID: aa1bdac7b16fc6d2fa3524ef08f04c7258d247f6
2015-05-21 16:45:46 +10:00
djm@openbsd.org
1f792489d5 upstream commit
Remove pattern length argument from match_pattern_list(), we
 only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@
2015-05-10 11:57:12 +10:00
djm@openbsd.org
9559d7de34 upstream commit
a couple of parse targets were missing activep checks,
 causing them to be misapplied in match context; bz#2272 diagnosis and
 original patch from Sami Hartikainen ok dtucker@
2015-05-10 11:55:36 +10:00
djm@openbsd.org
7e8528cad0 upstream commit
make handling of AuthorizedPrincipalsFile=none more
 consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
2015-05-10 11:54:56 +10:00
djm@openbsd.org
e661a86353 upstream commit
Remove pattern length argument from match_pattern_list(), we
 only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@
2015-05-10 11:38:04 +10:00
dtucker@openbsd.org
531a57a389 upstream commit
Allow ListenAddress, Port and AddressFamily in any
 order.  bz#68, ok djm@, jmc@ (for the man page bit).
2015-04-29 18:20:32 +10:00
djm@openbsd.org
88a7c598a9 upstream commit
Make sshd default to PermitRootLogin=no; ok deraadt@
 rpe@
2015-04-29 18:20:12 +10:00
deraadt@openbsd.org
657a5fbc0d upstream commit
rename xrealloc() to xreallocarray() since it follows
 that form. ok djm
2015-04-29 18:15:23 +10:00
dtucker@openbsd.org
1108ae242f upstream commit
Two small fixes for sshd -T: ListenAddress'es are added
 to a list head so reverse the order when printing them to ensure the
 behaviour remains the same, and print StreamLocalBindMask as octal with
 leading zero.  ok deraadt@
2015-04-29 18:14:36 +10:00