Commit Graph

245 Commits

Author SHA1 Message Date
djm@openbsd.org
b9844a45c7 upstream commit
Fix public key authentication when multiple
authentication is in use. Instead of deleting and re-preparing the entire
keys list, just reset the 'used' flags; the keys list is already in a good
order (with already- tried keys at the back)

Analysis and patch from Vincent Brillault on bz#2642; ok dtucker@

Upstream-ID: 7123f12dc2f3bcaae715853035a97923d7300176
2016-12-05 17:24:42 +11:00
djm@openbsd.org
4577adead6 upstream commit
restore pre-auth compression support in the client -- the
previous commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@

Upstream-ID: d23696ed72a228dacd4839dd9f2dec424ba2016b
2016-09-29 06:54:50 +10:00
djm@openbsd.org
0082fba4ef upstream commit
Remove support for pre-authentication compression. Doing
compression early in the protocol probably seemed reasonable in the 1990s,
but today it's clearly a bad idea in terms of both cryptography (cf. multiple
compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.

Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf
2016-09-29 03:11:32 +10:00
dtucker@openbsd.org
f31c654b30 upstream commit
If ssh receives a PACKET_DISCONNECT during userauth it
will cause ssh_dispatch_run(DISPATCH_BLOCK, ...) to return without the
session being authenticated.  Check for this and exit if necessary.  ok djm@

Upstream-ID: b3afe126c0839d2eae6cddd41ff2ba317eda0903
2016-09-24 05:38:04 +10:00
dtucker@openbsd.org
83cbca693c upstream commit
Lower loglevel for "Authenticated with partial success"
message similar to other similar level.  bz#2599, patch from cgallek at
gmail.com, ok markus@

Upstream-ID: 3faab814e947dc7b2e292edede23e94c608cb4dd
2016-07-23 13:24:20 +10:00
djm@openbsd.org
65c6c6b567 upstream commit
support UTF-8 characters in ssh(1) banners using
schwarze@'s safe fmprintf printer; bz#2058

feedback schwarze@ ok dtucker@

Upstream-ID: a72ce4e3644c957643c9524eea2959e41b91eea7
2016-07-17 14:21:38 +10:00
dtucker@openbsd.org
8c02e3639a upstream commit
KNF compression proposal and simplify the client side a
 little.  ok djm@

Upstream-ID: aa814b694efe9e5af8a26e4c80a05526ae6d6605
2016-06-06 11:25:38 +10:00
djm@openbsd.org
82f24c3ddc upstream commit
prefer agent-hosted keys to keys from PKCS#11; ok markus

Upstream-ID: 7417f7653d58d6306d9f8c08d0263d050e2fd8f4
2016-06-06 11:25:37 +10:00
djm@openbsd.org
0e8eeec8e7 upstream commit
add support for additional fixed DH groups from
 draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@

Upstream-ID: ac00406ada4f0dfec41585ca0839f039545bc46f
2016-05-02 20:39:32 +10:00
djm@openbsd.org
1a31d02b24 upstream commit
fix signed/unsigned errors reported by clang-3.7; add
 sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with
 better safety checking; feedback and ok markus@

Upstream-ID: 71f926d9bb3f1efed51319a6daf37e93d57c8820
2016-05-02 20:35:04 +10:00
djm@openbsd.org
9ee692fa11 upstream commit
fix comment

Upstream-ID: 313a385bd7b69a82f8e28ecbaf5789c774457b15
2016-04-29 18:09:02 +10:00
djm@openbsd.org
c38905ba39 upstream commit
unbreak authentication using lone certificate keys in
 ssh-agent: when attempting pubkey auth with a certificate, if no separate
 private key is found among the keys then try with the certificate key itself.

bz#2550 reported by Peter Moody

Upstream-ID: f939cd76d68e6a9a3d1711b5a943d6ed1e623966
2016-03-15 03:23:46 +11:00
djm@openbsd.org
0d1451a32c upstream commit
fix spurious error message when incorrect passphrase
 entered for keys; reported by espie@ ok deraadt@

Upstream-ID: 58b2e46e63ed6912ed1ee780bd3bd8560f9a5899
2016-02-23 12:44:20 +11:00
jsg@openbsd.org
56d7dac790 upstream commit
avoid an uninitialised value when NumberOfPasswordPrompts
 is 0 ok markus@ djm@

Upstream-ID: 11b068d83c2865343aeb46acf1e9eec00f829b6b
2016-02-08 21:58:30 +11:00
markus@openbsd.org
fc77ccdc2c upstream commit
fd leaks; report Qualys Security Advisory team; ok
 deraadt@

Upstream-ID: 4ec0f12b9d8fa202293c9effa115464185aa071d
2016-01-27 16:54:10 +11:00
markus@openbsd.org
a306863831 upstream commit
remove roaming support; ok djm@

Upstream-ID: 2cab8f4b197bc95776fb1c8dc2859dad0c64dc56
2016-01-27 16:54:10 +11:00
mmcc@openbsd.org
89540b6de0 upstream commit
Remove NULL-checks before sshkey_free().

ok djm@

Upstream-ID: 3e35afe8a25e021216696b5d6cde7f5d2e5e3f52
2015-12-18 14:49:32 +11:00
djm@openbsd.org
39736be06c upstream commit
correct error messages; from Tomas Kuthan bz#2507

Upstream-ID: 7454a0affeab772398052954c79300aa82077093
2015-12-11 13:23:14 +11:00
mmcc@openbsd.org
94141b7ade upstream commit
Pass (char *)NULL rather than (char *)0 to execl and
 execlp.

ok dtucker@

Upstream-ID: 56c955106cbddba86c3dd9bbf786ac0d1b361492
2015-12-11 13:23:14 +11:00
mmcc@openbsd.org
d59ce08811 upstream commit
Remove NULL-checks before free().

ok dtucker@

Upstream-ID: e3d3cb1ce900179906af36517b5eea0fb15e6ef8
2015-12-11 13:23:14 +11:00
markus@openbsd.org
76c9fbbe35 upstream commit
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures
 (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and
 draft-ssh-ext-info-04.txt; with & ok djm@

Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309
2015-12-07 12:38:58 +11:00
djm@openbsd.org
6064a8b829 upstream commit
clean up agent_fd handling; properly initialise it to -1
 and make tests consistent

ok markus@

Upstream-ID: ac9554323d5065745caf17b5e37cb0f0d4825707
2015-12-04 15:15:00 +11:00
jcs@openbsd.org
f361df474c upstream commit
Add an AddKeysToAgent client option which can be set to
 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'.  When enabled, a
 private key that is used during authentication will be added to ssh-agent if
 it is running (with confirmation enabled if set to 'confirm').

Initial version from Joachim Schipper many years ago.

ok markus@

Upstream-ID: a680db2248e8064ec55f8be72d539458c987d5f4
2015-11-16 11:31:39 +11:00
djm@openbsd.org
e679c09cd1 upstream commit
apply PubkeyAcceptedKeyTypes filtering earlier, so all
 skipped keys are noted before pubkey authentication starts. ok dtucker@

Upstream-ID: ba4f52f54268a421a2a5f98bb375403f4cb044b8
2015-10-14 03:22:09 +11:00
djm@openbsd.org
4e44a79a07 upstream commit
add ssh_config CertificateFile option to explicitly list
 a certificate; patch from Meghana Bhat on bz#2436; ok markus@

Upstream-ID: 58648ec53c510b41c1f46d8fe293aadc87229ab8
2015-10-06 12:21:54 +11:00
djm@openbsd.org
f9eca249d4 upstream commit
Allow ssh_config and sshd_config kex parameters options be
 prefixed by a '+' to indicate that the specified items be appended to the
 default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@

Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
2015-07-30 12:32:16 +10:00
markus@openbsd.org
3a1638dda1 upstream commit
Turn off DSA by default; add HostKeyAlgorithms to the
 server and PubkeyAcceptedKeyTypes to the client side, so it still can be
 tested or turned back on; feedback and ok djm@

Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
2015-07-15 15:38:02 +10:00
djm@openbsd.org
e661a86353 upstream commit
Remove pattern length argument from match_pattern_list(), we
 only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@
2015-05-10 11:38:04 +10:00
Darren Tucker
f2004cd1ad Repair for non-ECC OpenSSL.
Ifdef out the ECC parts when building with an OpenSSL that doesn't have
it.
2015-02-23 05:04:21 +11:00
djm@openbsd.org
46347ed596 upstream commit
Add a ssh_config HostbasedKeyType option to control which
 host public key types are tried during hostbased authentication.

This may be used to prevent too many keys being sent to the server,
and blowing past its MaxAuthTries limit.

bz#2211 based on patch by Iain Morgan; ok markus@
2015-01-30 22:47:01 +11:00
djm@openbsd.org
9ce86c926d upstream commit
update to new API (key_fingerprint => sshkey_fingerprint)
 check sshkey_fingerprint return values; ok markus
2015-01-29 10:18:56 +11:00
markus@openbsd.org
57e783c8ba upstream commit
kex_setup errors are fatal()
2015-01-26 23:53:56 +11:00
djm@openbsd.org
12b5f50777 upstream commit
make this compile with KERBEROS5 enabled
2015-01-20 18:58:37 +11:00
markus@openbsd.org
57d10cbe86 upstream commit
adapt kex to sshbuf and struct ssh; ok djm@
2015-01-20 09:19:39 +11:00
markus@openbsd.org
3fdc88a0de upstream commit
move dispatch to struct ssh; ok djm@
2015-01-20 09:14:16 +11:00
markus@openbsd.org
091c302829 upstream commit
update packet.c & isolate, introduce struct ssh a) switch
 packet.c to buffer api and isolate per-connection info into struct ssh b)
 (de)serialization of the state is moved from monitor to packet.c c) the old
 packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and
 integrated into packet.c with and ok djm@
2015-01-20 09:13:01 +11:00
djm@openbsd.org
35d6022b55 upstream commit
avoid trailing ',' in host key algorithms
2015-01-20 00:20:00 +11:00
djm@openbsd.org
f14564c1f7 upstream commit
fix regression reported by brad@ for passworded keys without
 agent present
2015-01-15 22:08:56 +11:00
djm@openbsd.org
141efe4954 upstream commit
move authfd.c and its tentacles to the new buffer/key
 API; ok markus@
2015-01-15 21:37:34 +11:00
djm@openbsd.org
1195f4cb07 upstream commit
deprecate key_load_private_pem() and
 sshkey_load_private_pem() interfaces. Refactor the generic key loading API to
 not require pathnames to be specified (they weren't really used).

Fixes a few other things en passant:

Makes ed25519 keys work for hostbased authentication (ssh-keysign
previously used the PEM-only routines).

Fixes key comment regression bz#2306: key pathnames were being lost as
comment fields.

ok markus@
2015-01-09 00:17:12 +11:00
djm@openbsd.org
56d1c83cdd upstream commit
Add FingerprintHash option to control algorithm used for
 key fingerprints. Default changes from MD5 to SHA256 and format from hex to
 base64.

Feedback and ok naddy@ markus@
2014-12-22 09:32:29 +11:00
djm@openbsd.org
17bf3d81e0 upstream commit
show in debug output which hostkeys are being tried when
 attempting hostbased auth; patch from Iain Morgan
2014-12-11 19:17:25 +11:00
Damien Miller
7acefbbcbe - millert@cvs.openbsd.org 2014/07/15 15:54:14
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
     [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
     [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
     [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
     [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
     [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
     [sshd_config.5 sshlogin.c]
     Add support for Unix domain socket forwarding.  A remote TCP port
     may be forwarded to a local Unix domain socket and vice versa or
     both ends may be a Unix domain socket.  This is a reimplementation
     of the streamlocal patches by William Ahern from:
         http://www.25thandclement.com/~william/projects/streamlocal.html
     OK djm@ markus@
2014-07-18 14:11:24 +10:00
Damien Miller
8668706d0f - djm@cvs.openbsd.org 2014/06/24 01:13:21
[Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c
     [auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c
     [cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h
     [digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h
     [hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h
     [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c
     [ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c
     [ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c
     [sshconnect2.c sshd.c sshkey.c sshkey.h
     [openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h]
     New key API: refactor key-related functions to be more library-like,
     existing API is offered as a set of wrappers.

     with and ok markus@

     Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
     Dempsky and Ron Bowes for a detailed review a few months ago.

     NB. This commit also removes portable OpenSSH support for OpenSSL
     <0.9.8e.
2014-07-02 15:28:02 +10:00
Darren Tucker
9f92c53bad - djm@cvs.openbsd.org 2014/06/05 22:17:50
[sshconnect2.c]
     fix inverted test that caused PKCS#11 keys that were explicitly listed
     not to be preferred. Reported by Dirk-Willem van Gulik
2014-06-11 07:57:58 +10:00
Damien Miller
1f0311c7c7 - markus@cvs.openbsd.org 2014/04/29 18:01:49
[auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c]
     [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c]
     [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
     [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c]
     make compiling against OpenSSL optional (make OPENSSL=no);
     reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
     allows us to explore further options; with and ok djm
2014-05-15 14:24:09 +10:00
Damien Miller
9395b28223 - djm@cvs.openbsd.org 2014/04/18 23:52:25
[compat.c compat.h sshconnect2.c sshd.c version.h]
     OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
     using the curve25519-sha256@libssh.org KEX exchange method to fail
     when connecting with something that implements the spec properly.

     Disable this KEX method when speaking to one of the affected
     versions.

     reported by Aris Adamantiadis; ok markus@
2014-04-20 13:25:30 +10:00
Damien Miller
9235a030ad Three commits in one (since they touch the same heavily-diverged file
repeatedly):

   - markus@cvs.openbsd.org 2014/03/25 09:40:03
     [myproposal.h]
     trimm default proposals.

     This commit removes the weaker pre-SHA2 hashes, the broken ciphers
     (arcfour), and the broken modes (CBC) from the default configuration
     (the patch only changes the default, all the modes are still available
     for the config files).

     ok djm@, reminded by tedu@ & naddy@ and discussed with many
   - deraadt@cvs.openbsd.org 2014/03/26 17:16:26
     [myproposal.h]
     The current sharing of myproposal[] between both client and server code
     makes the previous diff highly unpallatable.  We want to go in that
     direction for the server, but not for the client.  Sigh.
     Brought up by naddy.
   - markus@cvs.openbsd.org 2014/03/27 23:01:27
     [myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
     disable weak proposals in sshd, but keep them in ssh; ok djm@
2014-04-20 13:17:20 +10:00
Damien Miller
a5103f413b - djm@cvs.openbsd.org 2014/02/02 03:44:32
[auth1.c auth2-chall.c auth2-passwd.c authfile.c bufaux.c bufbn.c]
     [buffer.c cipher-3des1.c cipher.c clientloop.c gss-serv.c kex.c]
     [kexdhc.c kexdhs.c kexecdhc.c kexgexc.c kexecdhs.c kexgexs.c key.c]
     [monitor.c monitor_wrap.c packet.c readpass.c rsa.c serverloop.c]
     [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c]
     [ssh-keygen.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c]
     [sshd.c]
     convert memset of potentially-private data to explicit_bzero()
2014-02-04 11:20:14 +11:00
Damien Miller
1d2c456426 - tedu@cvs.openbsd.org 2014/01/31 16:39:19
[auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c]
     [channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c]
     [kexc25519.c krl.c monitor.c sandbox-systrace.c session.c]
     [sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c]
     [openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h]
     replace most bzero with explicit_bzero, except a few that cna be memset
     ok djm dtucker
2014-02-04 11:18:20 +11:00