Commit Graph

305 Commits

Author SHA1 Message Date
djm@openbsd.org
40be78f503 upstream: Allow forwarding a different agent socket to the path
specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to
accepting an explicit path or the name of an environment variable in addition
to yes/no.

Patch by Eric Chiang, manpage by me; ok markus@

OpenBSD-Commit-ID: 98f2ed80bf34ea54d8b2ddd19ac14ebbf40e9265
2019-12-21 13:22:07 +11:00
dtucker@openbsd.org
68010acbcf upstream: Move always unsupported keywords to be grouped with the other
ones. Move oSecurityProvider to match the order in the OpCodes enum. Patch
from openbsd@academicsolutions.ch, ok djm@

OpenBSD-Commit-ID: 061e4505861ec1e02ba3a63e3d1b3be3cad458ec
2019-12-20 14:47:34 +11:00
dtucker@openbsd.org
8784b02dc4 upstream: Remove obsolete opcodes from the configuation enum.
Patch from openbsd@academicsolutions.ch, ok djm@

OpenBSD-Commit-ID: 395c202228872ce8d9044cc08552ac969f51e01b
2019-12-20 14:25:08 +11:00
dtucker@openbsd.org
345be6091b upstream: Remove now-obsolete config options from example in
comment.  Patch from openbsd@academicsolutions.ch, ok djm@

OpenBSD-Commit-ID: 35862beb0927b1cb0af476ec23cc07f6e3006101
2019-12-20 14:25:08 +11:00
djm@openbsd.org
56584cce75 upstream: allow security keys to act as host keys as well as user
keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@

OpenBSD-Commit-ID: 77b068dd133b8d87e0f010987bd5131e640ee64c
2019-12-16 14:19:41 +11:00
djm@openbsd.org
6bff9521ab upstream: directly support U2F/FIDO2 security keys in OpenSSH by
linking against the (previously external) USB HID middleware. The dlopen()
capability still exists for alternate middlewares, e.g. for Bluetooth, NFC
and test/debugging.

OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069
2019-11-15 09:57:30 +11:00
deraadt@openbsd.org
40598b85d7 upstream: remove size_t gl_pathc < 0 test, it is invalid. the
return value from glob() is sufficient. discussed with djm

OpenBSD-Commit-ID: c91203322db9caaf7efaf5ae90c794a91070be3c
2019-11-15 08:50:10 +11:00
deraadt@openbsd.org
72687c8e7c upstream: stdarg.h required more broadly; ok djm
OpenBSD-Commit-ID: b5b15674cde1b54d6dbbae8faf30d47e6e5d6513
2019-11-15 08:50:10 +11:00
markus@openbsd.org
2c55744a56 upstream: enable ed25519 support; ok djm
OpenBSD-Commit-ID: 1a399c5b3ef15bd8efb916110cf5a9e0b554ab7e
2019-11-13 08:54:09 +11:00
djm@openbsd.org
884416bdb1 upstream: ssh client support for U2F/FIDO keys
OpenBSD-Commit-ID: eb2cfa6cf7419a1895e06e398ea6d41516c5b0bc
2019-11-01 09:46:09 +11:00
naddy@openbsd.org
91a2135f32 upstream: Allow prepending a list of algorithms to the default set
by starting the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@

OpenBSD-Commit-ID: 1e1996fac0dc8a4b0d0ff58395135848287f6f97
2019-09-08 14:49:04 +10:00
djm@openbsd.org
9ab5b94747 upstream: produce a useful error message if the user's shell is set
incorrectly during "match exec" processing. bz#2791 reported by Dario
Bertini; ok dtucker

OpenBSD-Commit-ID: cf9eddd6a6be726cb73bd9c3936f3888cd85c03d
2019-08-09 15:11:30 +10:00
deraadt@openbsd.org
4d28fa78ab upstream: When system calls indicate an error they return -1, not
some arbitrary value < 0.  errno is only updated in this case.  Change all
(most?) callers of syscalls to follow this better, and let's see if this
strictness helps us in the future.

OpenBSD-Commit-ID: 48081f00db7518e3b712a49dca06efc2a5428075
2019-07-05 11:10:39 +10:00
jmc@openbsd.org
7349149da1 upstream: Hostname->HostName cleanup; from lauri tirkkonen ok
dtucker

OpenBSD-Commit-ID: 4ade73629ede63b691f36f9a929f943d4e7a44e4
2019-06-14 13:01:28 +10:00
dtucker@openbsd.org
4b7dd22b02 upstream: Typo and spelling fixes in comments and error messages.
Patch from knweiss at gmail.com via -portable.

OpenBSD-Commit-ID: 2577465442f761a39703762c4f87a8dfcb918b4b
2019-06-08 00:49:26 +10:00
djm@openbsd.org
95a8058c1a upstream: let PKCS11Provider=none do what users expect
print PKCS11Provider instead of obsolete SmartcardDevice in config dump.

bz#2974 ok dtucker@

OpenBSD-Commit-ID: c303d6f0230a33aa2dd92dc9b68843d56a64f846
2019-03-01 13:21:29 +11:00
djm@openbsd.org
9b61130fbd upstream: openssh-7.9 accidentally reused the server's algorithm lists
in the client for KEX, ciphers and MACs. The ciphers and MACs were identical
between the client and server, but the error accidentially disabled the
diffie-hellman-group-exchange-sha1 KEX method.

This fixes the client code to use the correct method list, but
because nobody complained, it also disables the
diffie-hellman-group-exchange-sha1 KEX method.

Reported by nuxi AT vault24.org via bz#2697; ok dtucker

OpenBSD-Commit-ID: e30c33a23c10fd536fefa120e86af1842e33fd57
2019-02-24 10:51:46 +11:00
djm@openbsd.org
9e34e0c59a upstream: add a ssh_config "Match final" predicate
Matches in same pass as "Match canonical" but doesn't require
hostname canonicalisation be enabled. bz#2906 ok markus

OpenBSD-Commit-ID: fba1dfe9f6e0cabcd0e2b3be13f7a434199beffa
2018-11-23 16:09:12 +11:00
djm@openbsd.org
2a35862e66 upstream: use path_absolute() for pathname checks; from Manoj Ampalam
OpenBSD-Commit-ID: 482ce71a5ea5c5f3bc4d00fd719481a6a584d925
2018-11-16 14:37:33 +11:00
naddy@openbsd.org
2581333d56 upstream: Support using service names for port numbers.
* Try to resolve a port specification with getservbyname(3) if a
 numeric conversion fails.
* Make the "Port" option in ssh_config handle its argument as a
 port rather than a plain integer.

ok dtucker@ deraadt@

OpenBSD-Commit-ID: e7f03633133205ab3dfbc67f9df7475fabae660d
2018-10-07 14:58:24 +11:00
djm@openbsd.org
5eff5b858e upstream: Allow ssh_config IdentityAgent directive to accept
environment variable names as well as explicit paths. ok dtucker@

OpenBSD-Commit-ID: 2f0996e103876c53d8c9dd51dcce9889d700767b
2018-10-03 16:39:58 +10:00
djm@openbsd.org
ecac7e1f7a upstream: add CASignatureAlgorithms option for the client, allowing
it to specify which signature algorithms may be used by CAs when signing
certificates. Useful if you want to ban RSA/SHA1; ok markus@

OpenBSD-Commit-ID: 9159e5e9f67504829bf53ff222057307a6e3230f
2018-09-20 14:00:29 +10:00
djm@openbsd.org
1b9dd4aa15 upstream: better diagnosics on alg list assembly errors; ok
deraadt@ markus@

OpenBSD-Commit-ID: 5a557e74b839daf13cc105924d2af06a1560faee
2018-08-13 12:42:13 +10:00
Damien Miller
87f08be054 Remove support for S/Key
Most people will 1) be using modern multi-factor authentication methods
like TOTP/OATH etc and 2) be getting support for multi-factor
authentication via PAM or BSD Auth.
2018-07-31 12:59:30 +10:00
dtucker@openbsd.org
e655ee04a3 upstream: Now that ssh can't be setuid, remove the
original_real_uid and original_effective_uid globals and replace with calls
to plain getuid(). ok djm@

OpenBSD-Commit-ID: 92561c0cd418d34e6841e20ba09160583e27b68c
2018-07-31 12:20:13 +10:00
dtucker@openbsd.org
73ddb25bae upstream: Remove uid checks from low port binds. Now that ssh
cannot be setuid and sshd always has privsep on, we can remove the uid checks
for low port binds and just let the system do the check. We leave a sanity
check for the !privsep case so long as the code is stil there.  with & ok
djm@

OpenBSD-Commit-ID: 9535cfdbd1cd54486fdbedfaee44ce4367ec7ca0
2018-07-31 12:18:49 +10:00
dtucker@openbsd.org
95d41e90ea upstream: Deprecate UsePrivilegedPort now that support for running
ssh(1) setuid has been removed, remove supporting code and clean up
references to it in the man pages

We have not shipped ssh(1) the setuid bit since 2002.  If ayone
really needs to make connections from a low port number this can
be implemented via a small setuid ProxyCommand.

ok markus@ jmc@ djm@

OpenBSD-Commit-ID: d03364610b7123ae4c6792f5274bd147b6de717e
2018-07-19 21:44:21 +10:00
dtucker@openbsd.org
258dc8bb07 upstream: Remove support for running ssh(1) setuid and fatal if
attempted. Do not link uidwap.c into ssh any more.  Neuters
UsePrivilegedPort, which will be marked as deprecated shortly. ok markus@
djm@

OpenBSD-Commit-ID: c4ba5bf9c096f57a6ed15b713a1d7e9e2e373c42
2018-07-19 21:41:42 +10:00
djm@openbsd.org
312d2f2861 upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSA
signature work - returns ability to add/remove/specify algorithms by
wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@

OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
2018-07-04 23:51:52 +10:00
djm@openbsd.org
89a85d7247 upstream: unbreak SendEnv; patch from tb@
OpenBSD-Commit-ID: fc808daced813242563b80976e1478de95940056
2018-06-11 09:50:06 +10:00
djm@openbsd.org
7082bb58a2 upstream: add a SetEnv directive to ssh_config that allows setting
environment variables for the remote session (subject to the server accepting
them)

refactor SendEnv to remove the arbitrary limit of variable names.

ok markus@

OpenBSD-Commit-ID: cfbb00d9b0e10c1ffff1d83424351fd961d1f2be
2018-06-09 13:11:00 +10:00
markus@openbsd.org
7f90635216 upstream: switch config file parsing to getline(3) as this avoids
static limits noted by gerhard@; ok dtucker@, djm@

OpenBSD-Commit-ID: 6d702eabef0fa12e5a1d75c334a8c8b325298b5c
2018-06-07 04:34:05 +10:00
djm@openbsd.org
9c935dd9bf upstream: make UID available as a %-expansion everywhere that the
username is available currently. In the client this is via %i, in the server
%U (since %i was already used in the client in some places for this, but used
for something different in the server); bz#2870, ok dtucker@

OpenBSD-Commit-ID: c7e912b0213713316cb55db194b3a6415b3d4b95
2018-06-01 13:35:59 +10:00
djm@openbsd.org
4b22fd8ece upstream: support ProxyJump=none to disable ProxyJump
functionality; bz#2869 ok dtucker@

OpenBSD-Commit-ID: 1c06ee08eb78451b5837fcfd8cbebc5ff3a67a01
2018-05-22 10:15:18 +10:00
djm@openbsd.org
555294a727 upstream: Allow "SendEnv -PATTERN" to clear environment variables
previously labeled for sendind. bz#1285 ok dtucker@

OpenBSD-Commit-ID: f6fec9e3d0f366f15903094fbe1754cb359a0df9
2018-04-06 23:15:29 +10:00
djm@openbsd.org
30fd7f9af0 upstream: add a couple of missed options to the config dump; patch
from Jakub Jelen via bz2835

OpenBSD-Commit-ID: 5970adadf6ef206bee0dddfc75d24c2019861446
2018-04-06 14:20:33 +10:00
job@openbsd.org
5ee8448ad7 upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for
interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavanger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@

OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
2018-04-06 14:20:33 +10:00
markus@openbsd.org
1b11ea7c58 upstream: Add experimental support for PQC XMSS keys (Extended
Hash-Based Signatures) The code is not compiled in by default (see WITH_XMSS
in Makefile.inc) Joint work with stefan-lukas_gazdag at genua.eu See
https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 ok
djm@

OpenBSD-Commit-ID: ef3eccb96762a5d6f135d7daeef608df7776a7ac
2018-02-26 11:40:41 +11:00
djm@openbsd.org
ac2e3026bb upstream: Add BindInterface ssh_config directive and -B
command-line argument to ssh(1) that directs it to bind its outgoing
connection to the address of the specified network interface.

BindInterface prefers to use addresses that aren't loopback or link-
local, but will fall back to those if no other addresses of the
required family are available on that interface.

Based on patch by Mike Manning in bz#2820, ok dtucker@

OpenBSD-Commit-ID: c5064d285c2851f773dd736a2c342aa384fbf713
2018-02-23 13:37:49 +11:00
dtucker@openbsd.org
609d96b3d5 upstream commit
Replace atoi and strtol conversions for integer arguments
to config keywords with a checking wrapper around strtonum.  This will
prevent and flag invalid and negative arguments to these keywords.  ok djm@

OpenBSD-Commit-ID: 99ae3981f3d608a219ccb8d2fff635ae52c17998
2017-12-07 11:49:00 +11:00
millert@openbsd.org
887669ef03 upstream commit
Add URI support to ssh, sftp and scp.  For example
ssh://user@host or sftp://user@host/path.  The connection parameters
described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since
the ssh fingerprint format in the draft uses md5 with no way to specify the
hash function type.  OK djm@

Upstream-ID: 4ba3768b662d6722de59e6ecb00abf2d4bf9cacc
2017-10-23 16:10:08 +11:00
markus@openbsd.org
609d7a66ce upstream commit
Add 'reverse' dynamic forwarding which combines dynamic
forwarding (-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@

Upstream-ID: aa25a6a3851064f34fe719e0bf15656ad5a64b89
2017-09-22 09:14:53 +10:00
djm@openbsd.org
22376d27a3 upstream commit
Expand ssh_config's StrictModes option with two new
settings:

StrictModes=accept-new will automatically accept hitherto-unseen keys
but will refuse connections for changed or invalid hostkeys.

StrictModes=off is the same as StrictModes=no

Motivation:

StrictModes=no combines two behaviours for host key processing:
automatically learning new hostkeys and continuing to connect to hosts
with invalid/changed hostkeys. The latter behaviour is quite dangerous
since it removes most of the protections the SSH protocol is supposed to
provide.

Quite a few users want to automatically learn hostkeys however, so
this makes that feature available with less danger.

At some point in the future, StrictModes=no will change to be a synonym
for accept-new, with its current behaviour remaining available via
StrictModes=off.

bz#2400, suggested by Michael Samuel; ok markus

Upstream-ID: 0f55502bf75fc93a74fb9853264a8276b9680b64
2017-09-04 09:38:57 +10:00
bluhm@openbsd.org
1112b534a6 upstream commit
Add RemoteCommand option to specify a command in the
ssh config file instead of giving it on the client's command line.  This
command will be executed on the remote host.  The feature allows to automate
tasks using ssh config. OK markus@

Upstream-ID: 5d982fc17adea373a9c68cae1021ce0a0904a5ee
2017-05-31 10:51:09 +10:00
djm@openbsd.org
947a3e829a upstream commit
there's no reason to artificially limit the key path
here, just check that it fits PATH_MAX; spotted by Matthew Patton

Upstream-ID: 858addaf2009c9cf04d80164a41b2088edb30b58
2017-05-20 14:30:14 +10:00
djm@openbsd.org
788ac799a6 upstream commit
remove SSHv1 configuration options and man pages bits

ok markus@

Upstream-ID: 84638c23546c056727b7a7d653c72574e0f19424
2017-05-01 10:05:00 +10:00
djm@openbsd.org
cdccebdf85 upstream commit
remove SSHv1 ciphers; ok markus@

Upstream-ID: e5ebc5e540d7f23a8c1266db1839794d4d177890
2017-05-01 10:04:58 +10:00
djm@openbsd.org
99f95ba826 upstream commit
remove options.protocol and client Protocol
configuration knob

ok markus@

Upstream-ID: 5a967f5d06e2d004b0235457b6de3a9a314e9366
2017-05-01 09:38:46 +10:00
djm@openbsd.org
56912dea6e upstream commit
unifdef WITH_SSH1 ok markus@

Upstream-ID: 9716e62a883ef8826c57f4d33b4a81a9cc7755c7
2017-05-01 09:37:40 +10:00
dtucker@openbsd.org
68d3a2a059 upstream commit
Add SyslogFacility option to ssh(1) matching the
equivalent option in sshd(8).  bz#2705, patch from erahn at arista.com, ok
djm@

Upstream-ID: d5115c2c0193ceb056ed857813b2a7222abda9ed
2017-04-28 13:26:36 +10:00