Commit Graph

317 Commits

Author SHA1 Message Date
djm@openbsd.org
acf559e1cf upstream commit
Add optional rdomain qualifier to sshd_config's
ListenAddress option to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4

Upstream-ID: 24b6622c376feeed9e9be8b9605e593695ac9091
2017-10-25 12:26:06 +11:00
djm@openbsd.org
dceabc7ad7 upstream commit
replace statically-sized arrays in ServerOptions with
dynamic ones managed by xrecallocarray, removing some arbitrary (though
large) limits and saving a bit of memory; "much nicer" markus@

Upstream-ID: 1732720b2f478fe929d6687ac7b0a97ff2efe9d2
2017-10-20 12:01:02 +11:00
djm@openbsd.org
69bda02288 upstream commit
fix (another) problem in PermitOpen introduced during the
channels.c refactor: the third and subsequent arguments to PermitOpen were
being silently ignored; ok markus@

Upstream-ID: 067c89f1f53cbc381628012ba776d6861e6782fd
2017-10-05 05:51:12 +11:00
djm@openbsd.org
66bf74a921 upstream commit
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@

Upstream-ID: c2cc84ffac070d2e1ff76182c70ca230a387983c
2017-10-03 06:34:26 +11:00
dtucker@openbsd.org
30484e5e5f upstream commit
Add braces missing after channels refactor.  ok markus@

Upstream-ID: 72ab325c84e010680dbc88f226e2aa96b11a3980
2017-09-19 14:26:43 +10:00
djm@openbsd.org
dbee4119b5 upstream commit
refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@

Upstream-ID: 11828f161656b965cc306576422613614bea2d8f
2017-09-12 17:37:02 +10:00
djm@openbsd.org
8f57495927 upstream commit
refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@

Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
2017-06-24 16:56:11 +10:00
djm@openbsd.org
54cd41a466 upstream commit
allow LogLevel in sshd_config Match blocks; ok dtucker
bz#2717

Upstream-ID: 662e303be63148f47db1aa78ab81c5c2e732baa8
2017-05-17 11:25:22 +10:00
jsg@openbsd.org
e13aad66e7 upstream commit
remove a static array unused since rev 1.306 spotted by
clang ok djm@

Upstream-ID: 249b3eed2446f6074ba2219ccc46919dd235a7b8
2017-04-28 13:26:36 +10:00
djm@openbsd.org
66705948c0 upstream commit
Mark the sshd_config UsePrivilegeSeparation option as
deprecated, effectively making privsep mandatory in sandboxing mode. ok
markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).

Upstream-ID: b4c52666256c4dd865f8ce9431af5d6ce2d74a0a
2017-03-15 11:09:18 +11:00
dtucker@openbsd.org
67eed24bfa upstream commit
Remove old null check from config dumper.  Patch from
jjelen at redhat.com via bz#2687, ok djm@

Upstream-ID: 824ab71467b78c4bab0dd1b3a38e8bc5f63dd528
2017-03-10 15:35:39 +11:00
djm@openbsd.org
68bc8cfa76 upstream commit
support =- for removing methods from algorithms lists,
e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like
it" markus@

Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d
2017-02-04 10:08:15 +11:00
djm@openbsd.org
c924b2ef94 upstream commit
allow form-feed characters at EOL; bz#2431 ok dtucker@

Upstream-ID: 1f453afaba6da2ae69d6afdf1ae79a917552f1a2
2017-02-03 16:07:27 +11:00
djm@openbsd.org
13bd2e2d62 upstream commit
sshd_config is documented to set
GSSAPIStrictAcceptorCheck=yes by default, so actually make it do this.
bz#2637 ok dtucker

Upstream-ID: 99ef8ac51f17f0f7aec166cb2e34228d4d72a665
2017-01-30 11:05:18 +11:00
djm@openbsd.org
7844f357cd upstream commit
Add a sshd_config DisableForwarding option that disables
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as
anything else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@

Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
2016-11-30 19:44:01 +11:00
markus@openbsd.org
f0ddedee46 upstream commit
allow ClientAlive{Interval,CountMax} in Match; ok dtucker,
djm

Upstream-ID: 8beb4c1eadd588f1080b58932281983864979f55
2016-11-24 16:07:26 +11:00
djm@openbsd.org
010359b326 upstream commit
Validate address ranges for AllowUsers/DenyUsers at
configuration load time and refuse to accept bad ones. It was previously
possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and
these would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)

Upstream-ID: 9dfcdd9672b06e65233ea4434c38226680d40bfb
2016-11-06 16:48:29 +11:00
dtucker@openbsd.org
a903e315de upstream commit
Remove dead breaks, found via opencoverage.net.  ok
deraadt@

Upstream-ID: ad9cc655829d67fad219762810770787ba913069
2016-10-26 08:52:46 +11:00
djm@openbsd.org
4577adead6 upstream commit
restore pre-auth compression support in the client -- the
previous commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@

Upstream-ID: d23696ed72a228dacd4839dd9f2dec424ba2016b
2016-09-29 06:54:50 +10:00
djm@openbsd.org
0082fba4ef upstream commit
Remove support for pre-authentication compression. Doing
compression early in the protocol probably seemed reasonable in the 1990s,
but today it's clearly a bad idea in terms of both cryptography (cf. multiple
compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.

Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf
2016-09-29 03:11:32 +10:00
djm@openbsd.org
ae363d74cc upstream commit
add a sIgnore opcode that silently ignores options and
use it to suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus

Upstream-ID: 9fe040aca3d6ff393f6f7e60045cdd821dc4cbe0
2016-08-29 11:20:28 +10:00
djm@openbsd.org
83b581862a upstream commit
remove UseLogin option and support for having /bin/login
manage login sessions; ok deraadt markus dtucker

Upstream-ID: bea7213fbf158efab7e602d9d844fba4837d2712
2016-08-23 14:29:07 +10:00
naddy@openbsd.org
c38ea63489 upstream commit
Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@

Upstream-ID: 9402f82886de917779db12f8ee3f03d4decc244d
2016-08-23 13:28:30 +10:00
djm@openbsd.org
46ecd19e55 upstream commit
fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado

Upstream-ID: 8ffa1dac25c7577eca8238e825317ab20848f9b4
2016-06-24 13:35:28 +10:00
djm@openbsd.org
b64faeb5ed upstream commit
ban AuthenticationMethods="" and accept
AuthenticationMethods=any for the default behaviour of not requiring multiple
authentication

bz#2398 from Jakub Jelen; ok dtucker@

Upstream-ID: fabd7f44d59e4518d241d0d01e226435cc23cf27
2016-06-24 13:35:28 +10:00
dtucker@openbsd.org
9faae50e2e upstream commit
Fix inverted logic for updating StreamLocalBindMask which
 would cause the server to set an invalid mask. ok djm@

Upstream-ID: 8a4404c8307a5ef9e07ee2169fc6d8106b527587
2016-05-05 00:10:03 +10:00
djm@openbsd.org
cfefbcea10 upstream commit
fix overriding of StreamLocalBindMask and
StreamLocalBindUnlink in Match blocks; found the hard way by Rogan Dawes

Upstream-ID: 940bc69ec0249ab428d24ccd0722ce35cb932ee2
2016-05-04 01:58:46 +10:00
djm@openbsd.org
771c2f51ff upstream commit
don't forget to include StreamLocalBindUnlink in the
 config dump output

Upstream-ID: 14a6d970b3b45c8e94272e3c661e9a0b2a0ee7cb
2016-05-04 01:58:46 +10:00
djm@openbsd.org
1a31d02b24 upstream commit
fix signed/unsigned errors reported by clang-3.7; add
 sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with
 better safety checking; feedback and ok markus@

Upstream-ID: 71f926d9bb3f1efed51319a6daf37e93d57c8820
2016-05-02 20:35:04 +10:00
djm@openbsd.org
95767262ca upstream commit
refactor canohost.c: move functions that cache results closer
 to the places that use them (authn and session code). After this, no state is
 cached in canohost.c

feedback and ok markus@

Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
2016-03-08 06:20:35 +11:00
Darren Tucker
fd4e4f2416 Skip PrintLastLog in config dump mode.
When DISABLE_LASTLOG is set, do not try to include PrintLastLog in the
config dump since it'll be reported as UNKNOWN.
2016-02-24 10:44:25 +11:00
djm@openbsd.org
c5c3f3279a upstream commit
make sandboxed privilege separation the default, not just
 for new installs; "absolutely" deraadt@

Upstream-ID: 5221ef3b927d2df044e9aa3f5db74ae91743f69b
2016-02-17 16:37:56 +11:00
dtucker@openbsd.org
921ff00b0a upstream commit
Allow RekeyLimits in excess of 4G up to 2**63 bits
 (limited by the return type of scan_scaled).  Part of bz#2521, ok djm.

Upstream-ID: 13bea82be566b9704821b1ea05bf7804335c7979
2016-01-30 11:19:13 +11:00
djm@openbsd.org
9fd04681a1 upstream commit
Support "none" as an argument for sshd_config
 ForceCommand and ChrootDirectory. Useful inside Match blocks to override a
 global default. bz#2486 ok dtucker@

Upstream-ID: 7ef478d6592bc7db5c7376fc33b4443e63dccfa5
2015-11-16 11:31:37 +11:00
djm@openbsd.org
ed08510d38 upstream commit
Fix "PubkeyAcceptedKeyTypes +..." inside a Match block;
 ok dtucker@

Upstream-ID: 853662c4036730b966aab77684390c47b9738c69
2015-10-29 19:07:18 +11:00
Damien Miller
ac908c1eea turn off PrintLastLog when --disable-lastlog
bz#2278 from Brent Paulson
2015-10-22 09:35:24 +11:00
djm@openbsd.org
6310f60fff upstream commit
Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery

Upstream-ID: 70ca1deea39d758ba36d36428ae832e28566f78d
2015-08-22 11:17:07 +10:00
deraadt@openbsd.org
1dc8d93ce6 upstream commit
add prohibit-password as a synonym for without-password,
 since the without-password is causing too many questions.  Harden it to ban
 all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from
 djm, ok markus

Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
2015-08-11 18:57:29 +10:00
chris@openbsd.org
3d5728a0f6 upstream commit
Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@

Upstream-ID: 5cf3e26ed702888de84e2dc9d0054ccf4d9125b4
2015-08-02 19:59:26 +10:00
deraadt@openbsd.org
f4373ed1e8 upstream commit
change default: PermitRootLogin without-password matching
 install script changes coming as well ok djm markus

Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6
2015-08-02 19:59:25 +10:00
djm@openbsd.org
f9eca249d4 upstream commit
Allow ssh_config and sshd_config kex parameters options be
 prefixed by a '+' to indicate that the specified items be appended to the
 default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@

Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
2015-07-30 12:32:16 +10:00
markus@openbsd.org
3a1638dda1 upstream commit
Turn off DSA by default; add HostKeyAlgorithms to the
 server and PubkeyAcceptedKeyTypes to the client side, so it still can be
 tested or turned back on; feedback and ok djm@

Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
2015-07-15 15:38:02 +10:00
djm@openbsd.org
868109b650 upstream commit
twiddle PermitRootLogin back

Upstream-ID: 2bd23976305d0512e9f84d054e1fc23cd70b89f2
2015-07-15 15:24:09 +10:00
djm@openbsd.org
7de4b03a6e upstream commit
twiddle; (this commit marks the openssh-6.9 release)

Upstream-ID: 78500582819f61dd8adee36ec5cc9b9ac9351234
2015-07-01 12:35:31 +10:00
djm@openbsd.org
47aa7a0f85 upstream commit
put back default PermitRootLogin=no

Upstream-ID: 7bdedd5cead99c57ed5571f3b6b7840922d5f728
2015-07-01 12:29:42 +10:00
djm@openbsd.org
d921082ed6 upstream commit
reset default PermitRootLogin to 'yes' (momentarily, for
 release)

Upstream-ID: cad8513527066e65dd7a1c16363d6903e8cefa24
2015-07-01 11:58:35 +10:00
djm@openbsd.org
d7c31da4d4 upstream commit
add knob to relax GSSAPI host credential check for
 multihomed hosts bz#928, patch by Simon Wilkinson; ok dtucker
 (kerberos/GSSAPI is not compiled by default on OpenBSD)

Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d
2015-05-22 20:02:17 +10:00
djm@openbsd.org
bcc50d8161 upstream commit
add AuthorizedPrincipalsCommand that allows getting
 authorized_principals from a subprocess rather than a file, which is quite
 useful in deployments with large userbases

feedback and ok markus@

Upstream-ID: aa1bdac7b16fc6d2fa3524ef08f04c7258d247f6
2015-05-21 16:45:46 +10:00
djm@openbsd.org
1f792489d5 upstream commit
Remove pattern length argument from match_pattern_list(), we
 only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@
2015-05-10 11:57:12 +10:00
djm@openbsd.org
9559d7de34 upstream commit
a couple of parse targets were missing activep checks,
 causing them to be misapplied in match context; bz#2272 diagnosis and
 original patch from Sami Hartikainen ok dtucker@
2015-05-10 11:55:36 +10:00