Commit Graph

521 Commits

Author SHA1 Message Date
djm@openbsd.org
6072e4c938
upstream: Split per-connection sshd-session binary
This splits the user authentication code from the sshd-session
binary into a separate sshd-auth binary. This will be executed by
sshd-session to complete the user authentication phase of the
protocol only.

Splitting this code into a separate binary ensures that the crucial
pre-authentication attack surface has an entirely disjoint address
space from the code used for the rest of the connection. It also
yields a small runtime memory saving as the authentication code will
be unloaded after thhe authentication phase completes.

Joint work with markus@ feedback deraadt@

Tested in snaps since last week

OpenBSD-Commit-ID: 9c3b2087ae08626ec31b4177b023db600e986d9c
2024-10-14 14:01:37 +11:00
Damien Miller
425f79a837
typo in comment 2024-06-13 14:41:33 +10:00
Damien Miller
afe10313c1
fix PTY allocation on Cygwin, broken by sshd split
Cygwin doesn't support FD passing and so used to disable post-auth
privilege separation entirely because privsep requires PTY allocation
to happen in the privileged monitor process with the PTY file
descriptors being passed back to the unprivileged process.

This brings back a minimal version of the previous special treatment
for Cygwin (and any other platform that sets DISABLE_FD_PASSING):
privilege separation remains enabled, but PTY allocation happens in
the post-auth user process rather than the monitor.

This either requires PTY allocation to not need privilege to begin
with (this appears to be the case on Cygwin), or the post-auth
privsep process retain privilege (other platforms that set the
DISABLE_FD_PASSING option).

Keeping privileges here is bad, but the non-Cygwin systems that set
DISABLE_FD_PASSING are so deeply legacy that this is likely to be the
least of their problems.
2024-06-13 14:35:25 +10:00
Damien Miller
cc80d51d03
remove PRIVSEP macros for osx 2024-06-05 02:21:52 +10:00
djm@openbsd.org
03e3de416e
upstream: Start the process of splitting sshd into separate
binaries. This step splits sshd into a listener and a session binary. More
splits are planned.

After this changes, the listener binary will validate the configuration,
load the hostkeys, listen on port 22 and manage MaxStartups only. All
session handling will be performed by a new sshd-session binary that the
listener fork+execs.

This reduces the listener process to the minimum necessary and sets us
up for future work on the sshd-session binary.

feedback/ok markus@ deraadt@

NB. if you're updating via source, please restart sshd after installing,
otherwise you run the risk of locking yourself out.

OpenBSD-Commit-ID: 43c04a1ab96cdbdeb53d2df0125a6d42c5f19934
2024-05-17 14:41:35 +10:00
djm@openbsd.org
c283f29d23
upstream: whitespace
OpenBSD-Commit-ID: bf9e4a1049562ee4322684fbdce07142f04fdbb7
2024-02-01 13:42:45 +11:00
djm@openbsd.org
f9f1800667
upstream: better debug logging of sessions' exit status
OpenBSD-Commit-ID: 82237567fcd4098797cbdd17efa6ade08e1a36b0
2023-08-11 09:12:59 +10:00
dtucker@openbsd.org
4710077096
upstream: Fix mem leak in environment setup.
From jjelen at redhat.com via bz#2687, ok djm@

OpenBSD-Commit-ID: 9f9e4ba3cac003e6f81da3bcebd1b9ec43e7f353
2023-03-07 17:32:03 +11:00
dtucker@openbsd.org
fc7f8f2188
upstream: Remove unused compat.h includes.
We've previously removed a lot of the really old compatibility code,
and with it went the need to include compat.h in most of the files that
have it.

OpenBSD-Commit-ID: 5af8baa194be00a3092d17598e88a5b29f7ea2b4
2023-03-05 19:27:31 +11:00
djm@openbsd.org
0e34348d0b
upstream: Add channel_set_xtype()
This sets an "extended" channel type after channel creation (e.g.
"session:subsystem:sftp") that will be used for setting channel inactivity
timeouts.

ok markus dtucker

OpenBSD-Commit-ID: 42564aa92345045b4a74300528f960416a15d4ca
2023-01-06 16:21:40 +11:00
djm@openbsd.org
ceedf09b29
upstream: tweak channel ctype names
These are now used by sshd_config:ChannelTimeouts to specify timeouts by
channel type, so force them all to use a similar format without whitespace.

ok dtucker markus

OpenBSD-Commit-ID: 66834765bb4ae14f96d2bb981ac98a7dae361b65
2023-01-06 16:21:40 +11:00
djm@openbsd.org
c60438158a
upstream: Add channel_force_close()
This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.

Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.

ok markus dtucker

OpenBSD-Commit-ID: 23052707a42bdc62fda2508636e624afd466324b
2023-01-06 16:21:39 +11:00
dtucker@openbsd.org
45279abceb upstream: Switch hpdelim interface to accept only ":" as delimiter.
Historicallly, hpdelim accepted ":" or "/" as a port delimiter between
hosts (or addresses) and ports.  These days most of the uses for "/"
are no longer accepted, so there are several places where it checks the
delimiter to disallow it.  Make hpdelim accept only ":" and use hpdelim2
in the other cases.  ok djm@

OpenBSD-Commit-ID: 7e6420bd1be87590b6840973f5ad5305804e3102
2022-02-10 15:14:17 +11:00
Damien Miller
715c892f0a remove sys/param.h in -portable, after upstream 2021-12-22 09:02:50 +11:00
djm@openbsd.org
b5aa27b69a upstream: remove a bunch of %p in format strings; leftovers of
debuggings past. prompted by Michael Forney, ok dtucker@

OpenBSD-Commit-ID: 4853a0d6c9cecaba9ecfcc19066e52d3a8dcb2ac
2021-08-11 18:37:30 +10:00
djm@openbsd.org
31d8d231eb upstream: highly polished whitespace, mostly fixing spaces-for-tab
and bad indentation on continuation lines. Prompted by GHPR#185

OpenBSD-Commit-ID: e5c81f0cbdcc6144df1ce468ec1bac366d8ad6e9
2021-04-03 17:23:02 +11:00
Damien Miller
f060c2bc85 don't free string returned by login_getcapstr(3)
OpenBSD and NetBSD require the caller to free strings returned
bu the login_* functions, but FreeBSD requires that callers don't.

Fortunately in this case, we can harmlessly leak as the process is
about to exec the shell/command.

From https://reviews.freebsd.org/D28617 via Ed Maste; ok dtucker@
2021-02-18 10:36:54 +11:00
djm@openbsd.org
bef92346c4 upstream: use _PATH_SSH_USER_DIR instead of hardcoded .ssh in path
OpenBSD-Commit-ID: 5c1048468813107baa872f5ee33ba51623630e01
2020-12-14 15:38:50 +11:00
djm@openbsd.org
022def7bd1 upstream: check result of strchr() against NULL rather than
searched-for characters; from zhongjubin@huawei.com

OpenBSD-Commit-ID: e6f57de1d4a4d25f8db2d44e8d58d847e247a4fe
2020-11-28 23:59:42 +11:00
Duncan Eastoe
a575cf44e5 session.c: use "denylist" terminology
Follow upstream (6d755706a0) language
improvements in this portable-specific code.
2020-10-29 13:45:10 +11:00
djm@openbsd.org
816036f142 upstream: use the new variant log macros instead of prepending
__func__ and appending ssh_err(r) manually; ok markus@

OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8
2020-10-18 23:46:29 +11:00
Darren Tucker
d7e71be4fd Adjust portable code to match changes in 939d787d, 2020-07-15 15:30:43 +10:00
deraadt@openbsd.org
6368022cd4 upstream: correct recently broken comments
OpenBSD-Commit-ID: 964d9a88f7de1d0eedd3f8070b43fb6e426351f1
2020-07-15 15:08:10 +10:00
djm@openbsd.org
6d755706a0 upstream: some language improvements; ok markus
OpenBSD-Commit-ID: 939d787d571b4d5da50b3b721fd0b2ac236acaa8
2020-07-15 15:07:42 +10:00
djm@openbsd.org
20b5fab9f7 upstream: avoid tilde_expand_filename() in expanding ~/.ssh/rc - if
sshd is in chroot mode, the likely absence of a password database will cause
tilde_expand_filename() to fatal; ok dtucker@

OpenBSD-Commit-ID: e20aee6159e8b79190d18dba1513fc1b7c8b7ee1
2020-07-03 17:03:54 +10:00
djm@openbsd.org
c8935081db upstream: when redirecting sshd's log output to a file, undo this
redirection after the session child process is forked(); ok dtucker@

OpenBSD-Commit-ID: 6df86dd653c91f5bc8ac1916e7680d9d24690865
2020-07-03 17:03:54 +10:00
dtucker@openbsd.org
c9e24daac6 upstream: Expand path to ~/.ssh/rc rather than relying on it
being relative to the current directory, so that it'll still be found if the
shell startup changes its directory.  Since the path is potentially longer,
make the cmd buffer that uses it dynamically sized.  bz#3185, with & ok djm@

OpenBSD-Commit-ID: 36e33ff01497af3dc8226d0c4c1526fc3a1e46bf
2020-06-26 15:18:45 +10:00
djm@openbsd.org
d081f017c2 upstream: spelling errors in comments; no code change from
OpenBSD-Commit-ID: 166ea64f6d84f7bac5636dbd38968592cb5eb924
2020-03-14 19:39:09 +11:00
dtucker@openbsd.org
3bf2a6ac79 upstream: Replace all calls to signal(2) with a wrapper around
sigaction(2). This wrapper blocks all other signals during the handler
preventing races between handlers, and sets SA_RESTART which should reduce
the potential for short read/write operations.

OpenBSD-Commit-ID: 5e047663fd77a40d7b07bdabe68529df51fd2519
2020-01-23 18:51:25 +11:00
Damien Miller
a8bd5fdbdb Wrap copy_environment_blacklist() in #ifdef
It's only needed for USE_PAM or HAVE_CYGWIN cases and will cause compiler
warnings otherwise.
2020-01-21 12:32:16 +11:00
Ruben Kerkhof
b3f7009c9f Fix missing prototype warning for copy_environment
This function is only used in this file, and only on Cygwin, so make
it static and hide it behind HAVE_CYGWIN.  Prevents missing prototype
warning.
2020-01-21 10:47:29 +11:00
deraadt@openbsd.org
72687c8e7c upstream: stdarg.h required more broadly; ok djm
OpenBSD-Commit-ID: b5b15674cde1b54d6dbbae8faf30d47e6e5d6513
2019-11-15 08:50:10 +11:00
deraadt@openbsd.org
4d28fa78ab upstream: When system calls indicate an error they return -1, not
some arbitrary value < 0.  errno is only updated in this case.  Change all
(most?) callers of syscalls to follow this better, and let's see if this
strictness helps us in the future.

OpenBSD-Commit-ID: 48081f00db7518e3b712a49dca06efc2a5428075
2019-07-05 11:10:39 +10:00
Damien Miller
885bc11469 session: Do not use removed API
from Jakub Jelen
2019-04-04 02:47:40 +11:00
djm@openbsd.org
625b62634c upstream: perform removal of agent-forwarding directory in forward
setup error path with user's privileged. This is a no-op as this code always
runs with user privilege now that we no longer support running sshd with
privilege separation disabled, but as long as the privsep skeleton is there
we should follow the rules.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

bz#2969 with patch from Erik Sjölund

OpenBSD-Commit-ID: 2b708401a5a8d6133c865d7698d9852210dca846
2019-02-22 14:38:38 +11:00
djm@openbsd.org
318e4f8548 upstream: syslog when connection is dropped for attempting to run a
command when ForceCommand=internal-sftp is in effect; bz2960; ok dtucker@

OpenBSD-Commit-ID: 8c87fa66d7fc6c0fffa3a3c28e8ab5e8dde234b8
2019-02-10 22:24:24 +11:00
Damien Miller
2ff2e19653 don't set $MAIL if UsePam=yes
PAM typically specifies the user environment if it's enabled, so don't
second guess. bz#2937; ok dtucker@
2019-02-08 14:53:35 +11:00
dtucker@openbsd.org
8c53d409ba upstream: Adapt code in the non-USE_PIPES codepath to the new packet
API. This code is not normally reachable since USE_PIPES is always defined.
bz#2961, patch from adrian.fita at gmail com.

OpenBSD-Commit-ID: 8d8428d678d1d5eb4bb21921df34e8173e6d238a
2019-02-08 13:10:57 +11:00
Damien Miller
9b655dc9c9 last bits of old packet API / active_state global 2019-01-20 14:55:27 +11:00
djm@openbsd.org
a5e2ad88ac upstream: convert session.c to new packet API
with & ok markus@

OpenBSD-Commit-ID: fae817207e23099ddd248960c984f7b7f26ea68e
2019-01-20 09:45:18 +11:00
djm@openbsd.org
3a00a92159 upstream: convert auth.c to new packet API
with & ok markus@

OpenBSD-Commit-ID: 7e10359f614ff522b52a3f05eec576257794e8e4
2019-01-20 09:45:17 +11:00
djm@openbsd.org
0fa174ebe1 upstream: begin landing remaining refactoring of packet parsing
API, started almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@

OpenBSD-Commit-ID: 93c98a6b38f6911fd1ae025a1ec57807fb4d4ef4
2019-01-20 09:02:10 +11:00
djm@openbsd.org
f47d72ddad upstream: tun_fwd_ifnames variable should b
=?UTF-8?q?e=20extern;=20from=20Hanno=20B=C3=B6ck?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OpenBSD-Commit-ID: d53dede6e521161bf04d39d09947db6253a38271
2019-01-17 15:47:24 +11:00
Damien Miller
8a22ffaa13 expose $SSH_CONNECTION in the PAM environment
This makes the connection 4-tuple available to PAM modules that
wish to use it in decision-making. bz#2741
2018-12-14 13:23:48 +11:00
djm@openbsd.org
2a35862e66 upstream: use path_absolute() for pathname checks; from Manoj Ampalam
OpenBSD-Commit-ID: 482ce71a5ea5c5f3bc4d00fd719481a6a584d925
2018-11-16 14:37:33 +11:00
djm@openbsd.org
f1dd179e12 upstream: include a little more information about the status and
disposition of channel's extended (stderr) fd; makes debugging some things a
bit easier. No behaviour change.

OpenBSD-Commit-ID: 483eb6467dc7d5dbca8eb109c453e7a43075f7ce
2018-10-04 10:44:49 +10:00
Damien Miller
ff3a411cae only support SIGINFO on systems with SIGINFO 2018-10-02 22:49:40 +10:00
djm@openbsd.org
cd98925c64 upstream: Add server support for signalling sessions via the SSH
channel/ session protocol. Signalling is only supported to sesssions that are
not subsystems and were not started with a forced command.

Long requested in bz#1424

Based on a patch from markus@ and reworked by dtucker@;
ok markus@ dtucker@

OpenBSD-Commit-ID: 4bea826f575862eaac569c4bedd1056a268be1c3
2018-10-02 22:41:01 +10:00
deraadt@openbsd.org
21fd477a85 upstream: fix indent; Clemens Goessnitzer
OpenBSD-Commit-ID: b5149a6d92b264d35f879d24608087b254857a83
2018-07-26 13:54:30 +10:00
markus@openbsd.org
5467fbcb09 upstream: remove legacy key emulation layer; ok djm@
OpenBSD-Commit-ID: 2b1f9619259e222bbd4fe9a8d3a0973eafb9dd8d
2018-07-12 13:18:25 +10:00