... and ssh and sshd log wrappers before recreating them. Prevents "can't
create" errors during tests when running tests without SUDO after having
run them with SUDO.
OpenBSD-Regress-ID: 2f0a83532e3dccd673a9bf0291090277268c69a6
... to run all of the subprograms from the build directory while
developing and debugging. Should help prevent accidentally testing
against unchanged installed sshd-auth and sshd-session binaries. ok djm@
OpenBSD-Commit-ID: 61760cdc98c2bc8f1e9f83a6f97cca0f66b52e69
Prevents problems on platforms where this isn't safe (which it's not
required to be). ok djm@
OpenBSD-Commit-ID: 8fa4ce3ad90915c925b81b99a79ab920b0523387
arranging the hostkey algorithms. AFAIK this code is unused in OpenSSH, but I
guess others are using it
based on GHPR387 from Pawel Jakub Dawidek
OpenBSD-Commit-ID: 4d462495ac0c40f7b7dd66178e0005b9b2128225
^x' commandline to be exactly two characters long. Avoids one by OOB read if
ssh is invoked as "ssh -e^ ..."
Spotted by Maciej Domanski in GHPR368
OpenBSD-Commit-ID: baa72bc60898fc5639e6c62de7493a202c95823d
visbility-restrict ones that are unused outside the implementation itself;
based on GHPR#282 by tobias@
OpenBSD-Commit-ID: a0140f2418b4d46cfaa7b33febc0a0931f9b2744
Makes builds configured --without-openssl work again since otherwise
the first use of the RNG comes after the sandbox init and it can't
open /dev/random.
This splits the user authentication code from the sshd-session
binary into a separate sshd-auth binary. This will be executed by
sshd-session to complete the user authentication phase of the
protocol only.
Splitting this code into a separate binary ensures that the crucial
pre-authentication attack surface has an entirely disjoint address
space from the code used for the rest of the connection. It also
yields a small runtime memory saving as the authentication code will
be unloaded after thhe authentication phase completes.
Joint work with markus@ feedback deraadt@
Tested in snaps since last week
OpenBSD-Commit-ID: 9c3b2087ae08626ec31b4177b023db600e986d9c
there has been traffic on a X11 forwarding channel recently.
Should fix X11 forwarding performance problems when this setting is
enabled. Patch from Antonio Larrosa via bz3655
OpenBSD-Commit-ID: 820284a92eb4592fcd3d181a62c1b86b08a4a7ab
exchange in sshd by default. Specifically, this removes the
diffie-hellman-group* and diffie-hellman-group-exchange-* methods. The client
is unchanged and continues to support these methods by default.
Finite field Diffie Hellman is slow and computationally expensive for
the same security level as Elliptic Curve DH or PQ key agreement while
offering no redeeming advantages.
ECDH has been specified for the SSH protocol for 15 years and some
form of ECDH has been the default key exchange in OpenSSH for the last
14 years.
ok markus@
OpenBSD-Commit-ID: 4e238ad480a33312667cc10ae0eb6393abaec8da
criteria tokeniser to a more shell-like one. Apparently the old tokeniser
(accidentally?) allowed "Match criteria=argument" as well as the "Match
criteria argument" syntax that we tested for.
People were using this syntax so this adds back support for
"Match criteria=argument"
bz3739 ok dtucker
OpenBSD-Commit-ID: d1eebedb8c902002b75b75debfe1eeea1801f58a
relies on using -fwrapv to provide defined over/underflow behaviour, but we
use -ftrapv to catch integer errors and abort the program. ok dtucker@
OpenBSD-Commit-ID: 8933369b33c17b5f02479503d0a92d87bc3a574b
