mirror of git://anongit.mindrot.org/openssh.git synced 2025-02-09 18:36:56 +00:00

Portable OpenSSH

Go to file

djm@openbsd.org 0bdca1f218 upstream: openssh-9.9 OpenBSD-Commit-ID: 303417285f1a73b9cb7a2ae78d3f493bbbe31f98		2024-09-20 08:18:23 +10:00
.github	Spell omnios test host correctly.	2024-09-10 21:11:14 +10:00
contrib	Fix without_openssl always being set to 1	2024-09-13 14:09:19 +10:00
m4
openbsd-compat	conditionally include mman.h in arc4random code	2024-09-18 09:01:23 +10:00
regress	fix bug in recently-added sntrup761 fuzzer	2024-09-17 11:53:24 +10:00
.depend	conditionally include mman.h in arc4random code	2024-09-18 09:01:23 +10:00
.git_allowed_signers
.git_allowed_signers.asc
.gitignore	prepare for checking in autogenerated files	2024-06-13 15:02:26 +10:00
.skipped-commit-ids	upstream: enable -fret-clean on amd64, for libc libcrypto ld.so	2024-06-07 03:18:44 +10:00
addr.c
addr.h
addrmatch.c
atomicio.c
atomicio.h
audit-bsm.c
audit-linux.c
audit.c
audit.h
auth2-chall.c
auth2-gss.c	upstream: g/c unused variable	2024-05-17 14:42:49 +10:00
auth2-hostbased.c
auth2-kbdint.c
auth2-methods.c	upstream: typos	2024-05-31 19:04:11 +10:00
auth2-none.c
auth2-passwd.c
auth2-pubkey.c
auth2-pubkeyfile.c
auth2.c
auth-bsdauth.c
auth-krb5.c
auth-options.c
auth-options.h
auth-pam.c	propagate PAM crashes to PerSourcePenalties	2024-06-17 17:02:18 +10:00
auth-pam.h
auth-passwd.c
auth-rhosts.c
auth-shadow.c
auth-sia.c
auth-sia.h
auth.c	upstream: add a "Match invalid-user" predicate to sshd_config Match	2024-09-15 11:23:11 +10:00
auth.h	upstream: remove prototypes with no matching function; ok djm@	2024-05-22 14:21:13 +10:00
authfd.c
authfd.h
authfile.c
authfile.h
bitmap.c
bitmap.h
buildpkg.sh.in
canohost.c
canohost.h
chacha.c
chacha.h
channels.c	upstream: Fix proxy multiplexing (-O proxy) bug	2024-07-26 08:51:40 +10:00
channels.h	upstream: Fix proxy multiplexing (-O proxy) bug	2024-07-26 08:51:40 +10:00
cipher-aes.c
cipher-aesctr.c
cipher-aesctr.h
cipher-chachapoly-libcrypto.c
cipher-chachapoly.c
cipher-chachapoly.h
cipher.c	upstream: As defined in the RFC, the SSH protocol has negotiable	2024-08-27 09:05:43 +10:00
cipher.h
cleanup.c
clientloop.c	upstream: when sending ObscureKeystrokeTiming chaff packets, we	2024-07-01 14:32:45 +10:00
clientloop.h	upstream: remove prototypes with no matching function; ok djm@	2024-05-22 14:21:13 +10:00
compat.c
compat.h
config.guess
config.sub
configure.ac	declare defeat trying to detect C89 compilers	2024-09-09 17:30:38 +10:00
CREDITS
crypto_api.h	upstream: Add experimental support for hybrid post-quantum key exchange	2024-09-02 22:32:44 +10:00
defines.h	declare defeat trying to detect C89 compilers	2024-09-09 17:30:38 +10:00
dh.c
dh.h
digest-libc.c
digest-openssl.c
digest.h
dispatch.c
dispatch.h
dns.c
dns.h
ed25519.c
ed25519.sh	upstream: spelling; ok djm@	2024-05-17 14:42:49 +10:00
entropy.c
entropy.h
fatal.c
fixalgorithms
fixpaths
groupaccess.c
groupaccess.h
gss-genr.c
gss-serv-krb5.c
gss-serv.c
hash.c
hmac.c
hmac.h
hostfile.c
hostfile.h
includes.h
INSTALL
install-sh
kex-names.c	test for compiler feature needed for ML-KEM	2024-09-09 16:06:21 +10:00
kex.c	upstream: As defined in the RFC, the SSH protocol has negotiable	2024-08-27 09:05:43 +10:00
kex.h	upstream: Add experimental support for hybrid post-quantum key exchange	2024-09-02 22:32:44 +10:00
kexc25519.c	upstream: Add experimental support for hybrid post-quantum key exchange	2024-09-02 22:32:44 +10:00
kexdh.c
kexecdh.c
kexgen.c	upstream: pull post-quantum ML-KEM/x25519 key exchange out from	2024-09-09 12:45:53 +10:00
kexgex.c
kexgexc.c
kexgexs.c
kexmlkem768x25519.c	Wrap stdint.h in ifdef.	2024-09-10 18:45:55 +10:00
kexsntrup761x25519.c	upstream: update the Streamlined NTRU Prime code from the "ref"	2024-09-15 12:24:48 +10:00
krl.c
krl.h
libcrux_mlkem768_sha3.h	upstream: Add experimental support for hybrid post-quantum key exchange	2024-09-02 22:32:44 +10:00
LICENCE	include openbsd-compat/base64.c license in LICENSE	2024-09-18 16:03:23 +10:00
log.c	upstream: retire unused API	2024-06-28 08:37:11 +10:00
log.h	upstream: retire unused API	2024-06-28 08:37:11 +10:00
loginrec.c	use construct_utmp to construct btmp records	2024-09-15 12:53:59 +10:00
loginrec.h
logintest.c
mac.c
mac.h
Makefile.in	upstream: Add experimental support for hybrid post-quantum key exchange	2024-09-02 22:32:44 +10:00
match.c	upstream: make parsing user@host consistently look for the last '@' in	2024-09-06 12:31:19 +10:00
match.h
mdoc2man.awk
misc.c	upstream: Add a facility to sshd(8) to penalise particular	2024-06-07 03:35:40 +10:00
misc.h	upstream: Add a facility to sshd(8) to penalise particular	2024-06-07 03:35:40 +10:00
mkinstalldirs
mlkem768.sh	upstream: fix RCSID in output	2024-09-04 15:38:50 +10:00
moduli	upstream: Import regenerated moduli.	2024-08-21 20:24:24 +10:00
moduli.5
moduli.c
monitor_fdpass.c
monitor_fdpass.h
monitor_wrap.c	upstream: put back reaping of preauth child process when writes	2024-06-20 10:19:10 +10:00
monitor_wrap.h	upstream: remove prototypes with no matching function; ok djm@	2024-05-22 14:21:13 +10:00
monitor.c	upstream: Add a sshd_config "RefuseConnection" option	2024-09-15 11:23:10 +10:00
monitor.h
msg.c
msg.h
mux.c	upstream: Fix proxy multiplexing (-O proxy) bug	2024-07-26 08:51:40 +10:00
myproposal.h	upstream: pull post-quantum ML-KEM/x25519 key exchange out from	2024-09-09 12:45:53 +10:00
nchan2.ms
nchan.c	upstream: Fix proxy multiplexing (-O proxy) bug	2024-07-26 08:51:40 +10:00
nchan.ms
openssh.xml.in
opensshd.init.in
OVERVIEW
packet.c	upstream: As defined in the RFC, the SSH protocol has negotiable	2024-08-27 09:05:43 +10:00
packet.h	upstream: Convert RSA and ECDSA key to the libcrypto EVP_PKEY API.	2024-08-15 12:07:59 +10:00
pathnames.h
pkcs11.h
platform-listen.c	Makefile support for sshd-session	2024-05-17 14:41:37 +10:00
platform-misc.c
platform-pledge.c
platform-tracing.c
platform.c	Makefile support for sshd-session	2024-05-17 14:41:37 +10:00
platform.h
poly1305.c
poly1305.h
progressmeter.c
progressmeter.h
PROTOCOL
PROTOCOL.agent
PROTOCOL.certkeys
PROTOCOL.chacha20poly1305
PROTOCOL.key
PROTOCOL.krl
PROTOCOL.mux
PROTOCOL.sshsig
PROTOCOL.u2f
readconf.c	upstream: switch "Match" directive processing over to the argv	2024-09-15 11:23:09 +10:00
readconf.h
README	version numbers	2024-07-01 14:33:26 +10:00
README.dns
README.md
README.platform
README.privsep
README.tun
readpass.c
rijndael.c
rijndael.h
sandbox-capsicum.c
sandbox-darwin.c
sandbox-null.c
sandbox-pledge.c
sandbox-rlimit.c
sandbox-seccomp-filter.c
sandbox-solaris.c
sandbox-systrace.c
scp.1
scp.c	upstream: save_errno wrappers inside two small signal handlers that	2024-06-28 08:34:49 +10:00
SECURITY.md
servconf.c	upstream: bad whitespace in config dump output	2024-09-15 13:10:29 +10:00
servconf.h	upstream: add a "Match invalid-user" predicate to sshd_config Match	2024-09-15 11:23:11 +10:00
serverloop.c	upstream: promote connection-closed messages from verbose to info	2024-06-17 18:31:39 +10:00
serverloop.h
session.c	typo in comment	2024-06-13 14:41:33 +10:00
session.h
sftp-client.c	upstream: spelling; ok djm@	2024-05-17 14:42:49 +10:00
sftp-client.h
sftp-common.c
sftp-common.h
sftp-glob.c
sftp-realpath.c
sftp-server-main.c
sftp-server.8
sftp-server.c
sftp-usergroup.c
sftp-usergroup.h
sftp.1
sftp.c	upstream: save_errno wrappers inside two small signal handlers that	2024-06-28 08:34:49 +10:00
sftp.h
sk-api.h
sk-usbhid.c
smult_curve25519_ref.c
sntrup761.c	upstream: use 64 bit math to avoid signed underflow. upstream code	2024-09-16 15:37:51 +10:00
sntrup761.sh	upstream: use 64 bit math to avoid signed underflow. upstream code	2024-09-16 15:37:51 +10:00
srclimit.c	upstream: Add a "refuseconnection" penalty class to sshd_config	2024-09-15 11:23:10 +10:00
srclimit.h	upstream: Add a "refuseconnection" penalty class to sshd_config	2024-09-15 11:23:10 +10:00
ssh2.h
ssh_api.c	upstream: pull post-quantum ML-KEM/x25519 key exchange out from	2024-09-09 12:45:53 +10:00
ssh_api.h
ssh_config
ssh_config.5	upstream: document the mlkem768x25519-sha256 key exchange algorithm	2024-09-11 09:38:22 +10:00
ssh-add.1	upstream: disable the DSA signature algorithm by default; ok	2024-06-17 18:48:29 +10:00
ssh-add.c	upstream: make parsing user@host consistently look for the last '@' in	2024-09-06 12:31:19 +10:00
ssh-agent.1
ssh-agent.c
ssh-dss.c
ssh-ecdsa-sk.c	upstream: Convert RSA and ECDSA key to the libcrypto EVP_PKEY API.	2024-08-15 12:07:59 +10:00
ssh-ecdsa.c	upstream: Convert RSA and ECDSA key to the libcrypto EVP_PKEY API.	2024-08-15 12:07:59 +10:00
ssh-ed25519-sk.c
ssh-ed25519.c
ssh-gss.h	upstream: remove prototypes with no matching function; ok djm@	2024-05-22 14:21:13 +10:00
ssh-keygen.1	upstream: mention that ed25519 is the default key type generated and	2024-08-17 18:35:31 +10:00
ssh-keygen.c	upstream: include pathname in some of the ssh-keygen passphrase	2024-09-15 11:23:08 +10:00
ssh-keyscan.1	upstream: disable the DSA signature algorithm by default; ok	2024-06-17 18:48:29 +10:00
ssh-keyscan.c	upstream: pull post-quantum ML-KEM/x25519 key exchange out from	2024-09-09 12:45:53 +10:00
ssh-keysign.8	upstream: disable the DSA signature algorithm by default; ok	2024-06-17 18:48:29 +10:00
ssh-keysign.c
ssh-pkcs11-client.c	upstream: Convert RSA and ECDSA key to the libcrypto EVP_PKEY API.	2024-08-15 12:07:59 +10:00
ssh-pkcs11-helper.8
ssh-pkcs11-helper.c	more OPENSSL_HAS_ECC	2024-08-16 08:30:20 +10:00
ssh-pkcs11.c	upstream: Convert RSA and ECDSA key to the libcrypto EVP_PKEY API.	2024-08-15 12:07:59 +10:00
ssh-pkcs11.h
ssh-rsa.c	upstream: Convert RSA and ECDSA key to the libcrypto EVP_PKEY API.	2024-08-15 12:07:59 +10:00
ssh-sandbox.h
ssh-sk-client.c
ssh-sk-helper.8
ssh-sk-helper.c
ssh-sk.c	upstream: Convert RSA and ECDSA key to the libcrypto EVP_PKEY API.	2024-08-15 12:07:59 +10:00
ssh-sk.h
ssh-xmss.c
ssh.1	upstream: mention mux proxy mode	2024-07-26 08:51:19 +10:00
ssh.c
ssh.h
sshbuf-getput-basic.c
sshbuf-getput-crypto.c	fix merge botch that broke !OPENSSL_HAS_ECC	2024-08-15 23:35:54 +10:00
sshbuf-io.c
sshbuf-misc.c
sshbuf.c	upstream: Reorder calloc arguments	2024-08-15 11:01:50 +10:00
sshbuf.h	upstream: Convert RSA and ECDSA key to the libcrypto EVP_PKEY API.	2024-08-15 12:07:59 +10:00
sshconnect2.c	upstream: pull post-quantum ML-KEM/x25519 key exchange out from	2024-09-09 12:45:53 +10:00
sshconnect.c
sshconnect.h
sshd_config
sshd_config.5	upstream: minor grammar/sort fixes for refuseconnection; ok djm	2024-09-16 15:37:44 +10:00
sshd-session.c	upstream: pull post-quantum ML-KEM/x25519 key exchange out from	2024-09-09 12:45:53 +10:00
sshd.8	upstream: document Match invalid-user	2024-09-15 11:23:11 +10:00
sshd.c	upstream: Add a "refuseconnection" penalty class to sshd_config	2024-09-15 11:23:10 +10:00
ssherr.c
ssherr.h
sshkey-xmss.c
sshkey-xmss.h
sshkey.c	upstream: be more strict in parsing key type names. Only allow	2024-09-04 15:38:50 +10:00
sshkey.h	upstream: be more strict in parsing key type names. Only allow	2024-09-04 15:38:50 +10:00
sshlogin.c
sshlogin.h
sshpty.c
sshpty.h
sshsig.c
sshsig.h
sshtty.c
survey.sh.in
TODO
ttymodes.c
ttymodes.h
uidswap.c
uidswap.h
umac128.c
umac.c
umac.h
utf8.c
utf8.h
version.h	upstream: openssh-9.9	2024-09-20 08:18:23 +10:00
xmalloc.c
xmalloc.h
xmss_commons.c
xmss_commons.h
xmss_fast.c
xmss_fast.h
xmss_hash_address.c
xmss_hash_address.h
xmss_hash.c
xmss_hash.h
xmss_wots.c
xmss_wots.h

README.md

Portable OpenSSH

OpenSSH is a complete implementation of the SSH protocol (version 2) for secure remote login, command execution and file transfer. It includes a client ssh and server sshd, file transfer utilities scp and sftp as well as tools for key generation (ssh-keygen), run-time key storage (ssh-agent) and a number of supporting programs.

This is a port of OpenBSD's OpenSSH to most Unix-like operating systems, including Linux, OS X and Cygwin. Portable OpenSSH polyfills OpenBSD APIs that are not available elsewhere, adds sshd sandboxing for more operating systems and includes support for OS-native authentication and auditing (e.g. using PAM).

Documentation

The official documentation for OpenSSH are the man pages for each tool:

Stable Releases

Stable release tarballs are available from a number of download mirrors. We recommend the use of a stable release for most users. Please read the release notes for details of recent changes and potential incompatibilities.

Building Portable OpenSSH

Dependencies

Portable OpenSSH is built using autoconf and make. It requires a working C compiler, standard library and headers.

libcrypto from either LibreSSL or OpenSSL may also be used. OpenSSH may be built without either of these, but the resulting binaries will have only a subset of the cryptographic algorithms normally available.

zlib is optional; without it transport compression is not supported.

FIDO security token support needs libfido2 and its dependencies and will be enabled automatically if they are found.

In addition, certain platforms and build-time options may require additional dependencies; see README.platform for details about your platform.

Building a release

Releases include a pre-built copy of the configure script and may be built using:

tar zxvf openssh-X.YpZ.tar.gz
cd openssh
./configure # [options]
make && make tests

See the Build-time Customisation section below for configure options. If you plan on installing OpenSSH to your system, then you will usually want to specify destination paths.

Building from git

If building from git, you'll need autoconf installed to build the configure script. The following commands will check out and build portable OpenSSH from git:

git clone https://github.com/openssh/openssh-portable # or https://anongit.mindrot.org/openssh.git
cd openssh-portable
autoreconf
./configure
make && make tests

Build-time Customisation

There are many build-time customisation options available. All Autoconf destination path flags (e.g. --prefix) are supported (and are usually required if you want to install OpenSSH).

For a full list of available flags, run ./configure --help but a few of the more frequently-used ones are described below. Some of these flags will require additional libraries and/or headers be installed.

Flag	Meaning
`--with-pam`	Enable PAM support. OpenPAM, Linux PAM and Solaris PAM are supported.
`--with-libedit`	Enable libedit support for sftp.
`--with-kerberos5`	Enable Kerberos/GSSAPI support. Both Heimdal and MIT Kerberos implementations are supported.
`--with-selinux`	Enable SELinux support.

Development

Portable OpenSSH development is discussed on the openssh-unix-dev mailing list (archive mirror). Bugs and feature requests are tracked on our Bugzilla.

Reporting bugs

Non-security bugs may be reported to the developers via Bugzilla or via the mailing list above. Security bugs should be reported to openssh@openssh.com.