implementation in SUPERCOP 20201130 to the "compact" implementation in
SUPERCOP 20240808. The new version is substantially faster. Thanks to Daniel
J Bernstein for pointing out the new implementation (and of course for
writing it).
tested in snaps/ok deraadt@
OpenBSD-Commit-ID: bf1a77924c125ecdbf03e2f3df8ad13bd3dafdcb
options.
This allows writing Match conditions that trigger for invalid username.
E.g.
PerSourcePenalties refuseconnection:90s
Match invalid-user
RefuseConnection yes
Will effectively penalise bots try to guess passwords for bogus accounts,
at the cost of implicitly revealing which accounts are invalid.
feedback markus@
OpenBSD-Commit-ID: 93d3a46ca04bbd9d84a94d1e1d9d3a21073fbb07
PerSourcePenalties
This allows penalising connection sources that have had connections
dropped by the RefuseConnection option. ok markus@
OpenBSD-Commit-ID: 3c8443c427470bb3eac1880aa075cb4864463cb6
If set, this will terminate the connection at the first authentication
request (this is the earliest we can evaluate sshd_config Match blocks)
ok markus@
OpenBSD-Commit-ID: 43cc2533984074c44d0d2f92eb93f661e7a0b09c
string tokeniser, making it possible to use shell-like quoting in Match
directives, particularly "Match exec". ok markus@
OpenBSD-Commit-ID: 0877309650b76f624b2194c35dbacaf065e769a5
prompts. Helps the user know what's going on when ssh-keygen is invoked via
other tools. Requested in GHPR503
OpenBSD-Commit-ID: 613b0bb6cf845b7e787d69a5b314057ceda6a8b6
verification fails. Prevents restrictive key options being incorrectly
applied to subsequent keys in authorized_keys. bz3733, ok markus@
OpenBSD-Commit-ID: ba3776d9da4642443c19dbc015a1333622eb5a4e
OpenSSH 9.8, which incorrectly required that sshd was started with an
absolute path in inetd mode. bz3717, patch from Colin Wilson
OpenBSD-Commit-ID: 25c57f22764897242d942853f8cccc5e991ea058
I can't find a reliable way to detect the features the ML-KEM code
requires in configure. Give up for now and use VLA support (that we
can detect) as a proxy for "old compiler" and turn off ML-KEM if
it isn't supported.
The ML-KEM implementation we uses need the compiler to support
C99-style named struct initialisers (e.g foo = {.bar = 1}). We
still support (barely) building OpenSSH with older compilers, so
add a configure test for this.
compile-time flag now than an IANA codepoint has been assigned for the
algorithm.
Add mlkem768x25519-sha256 in 2nd KexAlgorithms preference slot.
ok markus@
OpenBSD-Commit-ID: 9f50a0fae7d7ae8b27fcca11f8dc6f979207451a
the string rather than the first. This makes it possible to use usernames
that contain '@' characters.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Prompted by Max Zettlmeißl; feedback/ok millert@
OpenBSD-Commit-ID: 0b16eec246cda15469ebdcf3b1e2479810e394c5
shortnames (e.g "rsa") in user-interface code and require full SSH protocol
names (e.g. "ssh-rsa") everywhere else.
Prompted by bz3725; ok markus@
OpenBSD-Commit-ID: b3d8de9dac37992eab78adbf84fab2fe0d84b187
ML-KEM768 with ECDH/X25519 from the Internet-draft:
https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
This is based on previous patches from markus@ but adapted to use the
final FIPS203 standard ML-KEM using a formally-verified implementation
from libcrux.
Note this key exchange method is still a draft and thus subject to
change. It is therefore disabled by default; set MLKEM=yes to build it.
We're making it available now to make it easy for other SSH
implementations to test against it.
ok markus@ deraadt@
OpenBSD-Commit-ID: 02a8730a570b63fa8acd9913ec66353735dea42c
This fixes an issue where the SSH_CONNECTION_ABANDON event is not
audited because cleanup_exit overrides the regular _exit too soon and
as a result, failed auth attempts are not logged correctly.
The problem was introduced in 81c1099d22
where the code from upstream was merged before the audit_event call when
it should have been merged right before the _exit call in order to honor
the comment that just mentions an override of the exit value.
compression support (which is requested as the name "zlib"). Compression
starts very early in the session. Relative early in OpenSSH lifetime, privsep
was added to sshd, and this required a shared-memory hack so the two
processes could see what was going on in the dataflow. This shared-memory
hack was soon recognized as a tremendous complexity risk, because it put libz
(which very much trusts it's memory) in a dangerous place, and a new option
("zlib@openssh.com") was added begins compression after authentication (aka
delayed-compression). That change also permitted removal of the
shared-memory hack. Despite removal from the server, the old "zlib" support
remained in the client, to allow negotiation with non-OpenSSH daemons which
lack the delayed-compression option. This commit deletes support for the
older "zlib" option in the client. It reduces our featureset in a small way,
and encourages other servers to move to a better design. The SSH protocol is
different enough that compressed-key-material attacks like BEAST are
unlikely, but who wants to take the chance? We encourage other ssh servers
who care about optional compression support to add delayed-zlib support.
(Some already do "zlib@openssh.com") ok djm markus
OpenBSD-Commit-ID: 6df986f38e4ab389f795a6e39e7c6857a763ba72
we can make the algorithm available without the @openssh.com suffix too. ok
markus@ deraadt@
OpenBSD-Commit-ID: eeed8fcde688143a737729d3d56d20ab4353770f
Now that the rekey test has been optimized it's fast enough to not be in
its own valgrind test, so move it into valgrind-2, which is currently
the quickest of the others, bringing all of them to roughly the same
runtime of ~1.1 hours.
Also verify that the Cipher or MAC we intended to use is actually the one
selected during the test.
OpenBSD-Regress-ID: ff43fed30552afe23d1364526fe8cf88cbfafe1d
Except where we're explicitly testing a different kex, use
curve25519-sha256 since it's faster than the default and supported even
when configured without OpenSSL. Add a check to ensure that the kex we
intended to test is the one we actually tested. Speeds test up by ~5%.
OpenBSD-Regress-ID: 3b27fcc2ae953cb08fd82a0d3155c498b226d6e0
up tests by about 10% in the common case, hopefully more when instrumented
with something like valgrind.
OpenBSD-Regress-ID: 7bf9292b4803357efcf0baf7cfbdc8521f212da1
Used unless overridden by a command-line flag, which simplifies some of
the ssh command lines.
OpenBSD-Regress-ID: e7cffa57027088e10336e412b34113969f88cb87
All of the rekey tests use it (otherwise the encrypted byte counts would
not match) so this lets us simplify the command lines.
OpenBSD-Regress-ID: dab7ce10f4cf6c68827eb8658141272aab3ea262
curve25519-sha256@libssh.org is the pre-standardization name for the same
thing, so remove it as a duplicate. Speeds up test by a tiny amount.
OpenBSD-Regress-ID: 5a5ee5fa1595a6e140b1cc16040bedf5996a5715
