Commit Graph

11647 Commits

Author SHA1 Message Date
djm@openbsd.org
9acddcd591 upstream: add a variant of send_status() that allows overriding the
default, generic error message. feedback/ok markus & jsg

OpenBSD-Commit-ID: 81f251e975d759994131b717ee7c0b439659c40f
2022-01-08 18:38:49 +11:00
djm@openbsd.org
9614113377 upstream: refactor tilde_expand_filename() and make it handle ~user
paths with no trailing slash; feedback/ok markus and jsg

OpenBSD-Commit-ID: a2ab365598a902f0f14ba6a4f8fb2d07a9b5d51d
2022-01-08 18:38:49 +11:00
dtucker@openbsd.org
dc38236ab6 upstream: Don't explicitly set HostbasedAuthentication in
sshd_config. It defaults to "no", and not explicitly setting it allows us to
enable it for the (optional) hostbased test.

OpenBSD-Regress-ID: aa8e3548eb5793721641d26e56c29f363b767c0c
2022-01-07 09:50:07 +11:00
dtucker@openbsd.org
e12d912ddf upstream: Add test for hostbased auth. It requires some external
setup (see comments at the top) and thus is disabled unless
TEST_SSH_HOSTBASED_AUTH and SUDO are set.

OpenBSD-Regress-ID: 3ec8ba3750c5b595fc63e7845d13483065a4827a
2022-01-07 09:50:07 +11:00
Damien Miller
a48533a8da depend 2022-01-07 09:24:26 +11:00
djm@openbsd.org
d9dbb5d9a0 upstream: allow hostbased auth to select RSA keys when only
RSA/SHA2 are configured (this is the default case); ok markus@

OpenBSD-Commit-ID: 411c18c7bde40c60cc6dfb7017968577b4d4a827
2022-01-07 09:21:39 +11:00
djm@openbsd.org
fdb1d58d0d upstream: add a helper function to match a key type to a list of
signature algorithms. RSA keys can make signatures with multiple algorithms,
so some special handling is required. ok markus@

OpenBSD-Commit-ID: 03b41b2bda06fa4cd9c84cef6095033b9e49b6ff
2022-01-07 09:21:38 +11:00
djm@openbsd.org
11e8c4309a upstream: log some details on hostkeys that ssh loads for
hostbased authn ok markus@

OpenBSD-Commit-ID: da17061fa1f0e58cb31b88478a40643e18233e38
2022-01-07 09:21:38 +11:00
djm@openbsd.org
c6706f6617 upstream: log signature algorithm during verification by monitor;
ok markus

OpenBSD-Commit-ID: 02b92bb42c4d4bf05a051702a56eb915151d9ecc
2022-01-07 09:21:38 +11:00
djm@openbsd.org
8832402bd5 upstream: piece of UpdateHostkeys client strictification: when
updating known_hosts with new keys, ignore NULL keys (forgot to include in
prior commit)

OpenBSD-Commit-ID: 49d2eda6379490e1ceec40c3b670b973f63dea08
2022-01-07 09:21:38 +11:00
djm@openbsd.org
c2d9ced1da upstream: include rejected signature algorithm in error message
and not the (useless) key type; ok markus

OpenBSD-Commit-ID: 4180b5ec7ab347b43f84e00b1972515296dab023
2022-01-07 09:21:38 +11:00
djm@openbsd.org
7aa7b096cf upstream: make ssh-keysign use the requested signature algorithm
and not the default for the keytype. Part of unbreaking hostbased auth for
RSA/SHA2 keys. ok markus@

OpenBSD-Commit-ID: b5639a14462948970da3a8020dc06f9a80ecccdc
2022-01-07 09:21:38 +11:00
djm@openbsd.org
291721bc7c upstream: stricter UpdateHostkey signature verification logic on
the client- side. Require RSA/SHA2 signatures for RSA hostkeys except when
RSA/SHA1 was explicitly negotiated during initial KEX; bz3375

ok markus@

OpenBSD-Commit-ID: 46e75e8dfa2c813781805b842580dcfbd888cf29
2022-01-07 09:21:38 +11:00
djm@openbsd.org
0fa3368322 upstream: Fix signature algorithm selection logic for
UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2
for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2
signatures for RSA keys if the client proposed these algorithms in initial
KEX. bz3375

Mostly by Dmitry Belyavskiy with some tweaks by me.

ok markus@

OpenBSD-Commit-ID: c17ba0c3236340d2c6a248158ebed042ac6a8029
2022-01-07 09:21:38 +11:00
djm@openbsd.org
17877bc81d upstream: convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@ has been in snaps for a few months

OpenBSD-Commit-ID: a77e16a667d5b194dcdb3b76308b8bba7fa7239c
2022-01-07 09:21:38 +11:00
djm@openbsd.org
5c79952dfe upstream: prepare for conversion of ssh, sshd mainloop from
select() to poll() by moving FD_SET construction out of channel handlers into
separate functions. ok markus

OpenBSD-Commit-ID: 937fbf2a4de12b19fb9d5168424e206124807027
2022-01-07 09:11:58 +11:00
djm@openbsd.org
24c5187edf upstream: add a comment so I don't make this mistake again
OpenBSD-Commit-ID: 69c7f2362f9de913bb29b6318580c5a1b52c921e
2022-01-07 09:10:42 +11:00
djm@openbsd.org
7369900441 upstream: fix cut-and-pasto in error message
OpenBSD-Commit-ID: 4cc5c619e4b456cd2e9bb760d17e3a9c84659198
2022-01-07 09:10:42 +11:00
djm@openbsd.org
294c11b1c7 upstream: select all RSA hostkey algorithms for UpdateHostkeys tests,
not just RSA-SHA1

OpenBSD-Regress-ID: b40e62b65863f2702a0c10aca583b2fe76772bd8
2022-01-05 19:31:37 +11:00
djm@openbsd.org
2ea1108c30 upstream: regress test both sshsig message hash algorithms, possible
now because the algorithm is controllable via the CLI

OpenBSD-Regress-ID: 0196fa87acc3544b2b4fd98de844a571cb09a39f
2022-01-05 16:06:09 +11:00
djm@openbsd.org
2327c306b5 upstream: allow selection of hash at sshsig signing time; code
already supported either sha512 (default) or sha256, but plumbing wasn't
there mostly by Linus Nordberg

OpenBSD-Commit-ID: 1b536404b9da74a84b3a1c8d0b05fd564cdc96cd
2022-01-05 16:06:01 +11:00
djm@openbsd.org
56e941d0a0 upstream: add missing -O option to usage() for ssh-keygen -Y sign;
from Linus Nordberg

OpenBSD-Commit-ID: 4e78feb4aa830727ab76bb2e3d940440ae1d7af0
2022-01-05 16:06:01 +11:00
djm@openbsd.org
141a14ec9b upstream: move sig_process_opts() to before sig_sign(); no
functional code change

OpenBSD-Commit-ID: da02d61f5464f72b4e8b299f83e93c3b657932f9
2022-01-05 16:06:01 +11:00
djm@openbsd.org
37a14249ec upstream: regression test for find-principals NULL deref; from Fabian
Stelzer

OpenBSD-Regress-ID: f845a8632a5a7d5ae26978004c93e796270fd3e5
2022-01-05 15:12:46 +11:00
djm@openbsd.org
eb1f042142 upstream: NULL deref when using find-principals when matching an
allowed_signers line that contains a namespace restriction, but no
restriction specified on the command-line; report and fix from Fabian Stelzer

OpenBSD-Commit-ID: 4a201b86afb668c908d1a559c6af456a61f4b145
2022-01-05 15:12:39 +11:00
dtucker@openbsd.org
8f3b180305 upstream: Log command invocation while debugging.
This will aid in manually reproducing failing commands.

OpenBSD-Regress-ID: b4aba8d5ac5675ceebeeeefa3261ce344e67333a
2022-01-05 11:51:04 +11:00
Darren Tucker
bbf285164d Always save config.h as build artifact.
Should allow better comparison between failing and succeeding test
platforms.
2022-01-05 11:48:58 +11:00
Darren Tucker
03bd4ed0db Add OpenBSD 7.0 target. Retire 6.8. 2022-01-05 11:48:58 +11:00
jsg@openbsd.org
c45a752f0d upstream: spelling
OpenBSD-Commit-ID: c63e43087a64d0727af13409c708938e05147b62
2022-01-04 18:22:46 +11:00
djm@openbsd.org
c672f83a89 upstream: unbreak test: was picking up system ssh-add instead of the
one supposedly being tested. Spotted by dtucker and using his VM zoo (which
includes some systems old enough to lack ed25519 key support)

OpenBSD-Regress-ID: 7976eb3df11cc2ca3af91030a6a8c0cef1590bb5
2022-01-04 18:22:37 +11:00
djm@openbsd.org
a23698c308 upstream: fix memleak in process_extension(); oss-fuzz issue #42719
OpenBSD-Commit-ID: d8d49f840162fb7b8949e3a5adb8107444b6de1e
2022-01-01 15:19:48 +11:00
jsg@openbsd.org
cb885178f3 upstream: spelling ok dtucker@
OpenBSD-Commit-ID: bfc7ba74c22c928de2e257328b3f1274a3dfdf19
2022-01-01 15:19:48 +11:00
djm@openbsd.org
6b977f8080 upstream: split method list search functionality from
authmethod_lookup() into a separate authmethod_byname(), for cases where we
don't need to check whether a method is enabled, etc.

use this to fix the "none" authentication method regression reported
by Nam Nguyen via bugs@

ok deraadt@

OpenBSD-Commit-ID: 8cd188dc3a83aa8abe5b7693e762975cd8ea8a17
2021-12-27 10:40:22 +11:00
jmc@openbsd.org
0074aa2c8d upstream: sort -H and -h in SYNOPSIS/usage(); tweak the -H text;
ok djm

OpenBSD-Commit-ID: 90721643e41e9e09deb5b776aaa0443456ab0965
2021-12-27 10:40:16 +11:00
Darren Tucker
1c9853a68b Use SHA.*_HMAC_BLOCK_SIZE if needed.
If the platform has a native SHA2, does not define SHA.*_BLOCK_LENGTH
but does define SHA.*_HMAC_BLOCK_SIZE (eg Solaris) then use the latter.
Should fix --without-openssl build on Solaris.
2021-12-23 11:36:08 +11:00
Damien Miller
715c892f0a remove sys/param.h in -portable, after upstream 2021-12-22 09:02:50 +11:00
Damien Miller
7a7c69d8b4 add agent-restrict.sh file, missed in last commit 2021-12-20 13:05:20 +11:00
djm@openbsd.org
f539136ca5 upstream: regression test for destination restrictions in ssh-agent
OpenBSD-Regress-ID: 3c799d91e736b1753b4a42d80c42fc40de5ad33d
2021-12-20 12:17:18 +11:00
anton@openbsd.org
6e4980eb8e upstream: Make use of ntests variable, pointed out by clang 13.
OpenBSD-Regress-ID: 4241a3d21bdfa1630ed429b6d4fee51038d1be72
2021-12-20 12:16:49 +11:00
deraadt@openbsd.org
3eead81583 upstream: sys/param.h cleanup, mostly using MINIMUM() and
<limits.h> ok dtucker

OpenBSD-Regress-ID: 172a4c45d3bcf92fa6cdf6c4b9db3f1b3abe4db0
2021-12-20 12:16:49 +11:00
djm@openbsd.org
266678e19e upstream: document host-bound publickey authentication
OpenBSD-Commit-ID: ea6ed91779a81f06d961e30ecc49316b3d71961b
2021-12-20 09:28:08 +11:00
djm@openbsd.org
3d00024b3b upstream: document agent protocol extensions
OpenBSD-Commit-ID: 09e8bb391bbaf24c409b75a4af44e0cac65405a7
2021-12-20 09:28:08 +11:00
djm@openbsd.org
c385abf765 upstream: PubkeyAuthentication=yes|no|unbound|host-bound
Allow control over which pubkey methods are used. Added out of
concern that some hardware devices may have difficulty signing
the longer pubkey authentication challenges. This provides a
way for them to disable the extension. It's also handy for
testing.

feedback / ok markus@

OpenBSD-Commit-ID: ee52580db95c355cf6d563ba89974c210e603b1a
2021-12-20 09:28:08 +11:00
djm@openbsd.org
34b1e9cc76 upstream: document destination-constrained keys
feedback / ok markus@

OpenBSD-Commit-ID: cd8c526c77268f6d91c06adbee66b014d22d672e
2021-12-20 09:28:08 +11:00
djm@openbsd.org
a6d7677c4a upstream: Use hostkey parsed from hostbound userauth request
Require host-bound userauth requests for forwarded SSH connections.

The hostkey parsed from the host-bound userauth request is now checked
against the most recently bound session ID / hostkey on the agent socket
and the signature refused if they do not match.

ok markus@

OpenBSD-Commit-ID: d69877c9a3bd8d1189a5dbdeceefa432044dae02
2021-12-20 09:28:07 +11:00
djm@openbsd.org
baaff0ff43 upstream: agent support for parsing hostkey-bound signatures
Allow parse_userauth_request() to work with blobs from
publickey-hostbound-v00@openssh.com userauth attempts.

Extract hostkey from these blobs.

ok markus@

OpenBSD-Commit-ID: 81c064255634c1109477dc65c3e983581d336df8
2021-12-20 09:28:07 +11:00
djm@openbsd.org
3e16365a79 upstream: EXT_INFO negotiation of hostbound pubkey auth
the EXT_INFO packet gets a new publickey-hostbound@openssh.com to
advertise the hostbound public key method.

Client side support to parse this feature flag and set the kex->flags
indicator if the expected version is offered (currently "0").

ok markus@

OpenBSD-Commit-ID: 4cdb2ca5017ec1ed7a9d33bda95c1d6a97b583b0
2021-12-20 09:28:07 +11:00
djm@openbsd.org
94ae0c6f0e upstream: client side of host-bound pubkey authentication
Add kex->flags member to enable the publickey-hostbound-v00@openssh.com
authentication method.

Use the new hostbound method in client if the kex->flags flag was set,
and include the inital KEX hostkey in the userauth request.

Note: nothing in kex.c actually sets the new flag yet

ok markus@

OpenBSD-Commit-ID: 5a6fce8c6c8a77a80ee1526dc467d91036a5910d
2021-12-20 09:28:07 +11:00
djm@openbsd.org
288fd0218d upstream: sshd side of hostbound public key auth
This is identical to the standard "publickey" method, but it also includes
the initial server hostkey in the message signed by the client.

feedback / ok markus@

OpenBSD-Commit-ID: 7ea01bb7238a560c1bfb426fda0c10a8aac07862
2021-12-20 09:28:07 +11:00
djm@openbsd.org
dbb339f015 upstream: prepare for multiple names for authmethods
allow authentication methods to have one additional name beyond their
primary name.

allow lookup by this synonym

Use primary name for authentication decisions, e.g. for
PermitRootLogin=publickey

Pass actual invoked name to the authmethods, so they can tell whether they
were requested via the their primary name or synonym.

ok markus@

OpenBSD-Commit-ID: 9e613fcb44b8168823195602ed3d09ffd7994559
2021-12-20 09:28:07 +11:00