Commit Graph

361 Commits

Author SHA1 Message Date
djm@openbsd.org
01a0670f69 upstream: Separate myproposal.h userauth pubkey types
U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@

OpenBSD-Commit-ID: 7fe2e6ab85f9f2338866e5af8ca2d312abbf0429
2019-11-01 09:46:09 +11:00
naddy@openbsd.org
91a2135f32 upstream: Allow prepending a list of algorithms to the default set
by starting the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@

OpenBSD-Commit-ID: 1e1996fac0dc8a4b0d0ff58395135848287f6f97
2019-09-08 14:49:04 +10:00
dtucker@openbsd.org
e826bbcafe upstream: When running sshd -T, assume any attibute not provided by
-C does not match, which allows it to work when sshd_config contains a Match
directive with or without -C.  bz#2858, ok djm@

OpenBSD-Commit-ID: 1a701f0a33e3bc96753cfda2fe0b0378520b82eb
2019-05-08 18:42:03 +10:00
djm@openbsd.org
d6e5def308 upstream: whitespace
OpenBSD-Commit-ID: 106e853ae8a477e8385bc53824d3884a8159db07
2019-03-26 10:20:41 +11:00
dtucker@openbsd.org
fd10cf027b upstream: Move checks for lists of users or groups into their own
function. This is a no-op on OpenBSD but will make things easier in
-portable, eg on systems where these checks should be case-insensitive.  ok
djm@

OpenBSD-Commit-ID: 8bc9c8d98670e23f8eaaaefe29c1f98e7ba0487e
2019-03-08 15:10:07 +11:00
Corinna Vinschen
37638c7520 Cygwin: implement case-insensitive Unicode user and group name matching
The previous revert enabled case-insensitive user names again.  This
patch implements the case-insensitive user and group name matching.
To allow Unicode chars, implement the matcher using wchar_t chars in
Cygwin-specific code.  Keep the generic code changes as small as possible.
Cygwin: implement case-insensitive Unicode user and group name matching

Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
2019-02-22 15:22:53 +11:00
Darren Tucker
bed1d43698 Revert unintended parts of previous commit. 2019-02-22 15:21:21 +11:00
Corinna Vinschen
f02afa350a Revert "[auth.c] On Cygwin, refuse usernames that have differences in case"
This reverts commit acc9b29486.

Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
2019-02-22 15:04:16 +11:00
dtucker@openbsd.org
281ce04257 upstream: Always initialize 2nd arg to hpdelim2. It populates that
*ONLY IF* there's a delimiter.  If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause spurious
failures when the uninitialized memory happens to contain "/".  ok deraadt.

OpenBSD-Commit-ID: 4291611eaf2a53d4c92f4a57c7f267c9f944e0d3
2019-01-24 14:36:44 +11:00
dtucker@openbsd.org
d05ea25567 upstream: Remove support for obsolete host/port syntax.
host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users.  These days there are establised standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things.  Remove the slash
notation from ListenAddress and PermitOpen.  bz#2335, patch from jjelen
at redhat.com, ok markus@

OpenBSD-Commit-ID: fae5f4e23c51a368d6b2d98376069ac2b10ad4b7
2019-01-24 12:30:30 +11:00
djm@openbsd.org
172a592a53 upstream: convert servconf.c to new packet API
with & ok markus@

OpenBSD-Commit-ID: 126553aecca302c9e02fd77e333b9cb217e623b4
2019-01-20 09:02:44 +11:00
djm@openbsd.org
0fa174ebe1 upstream: begin landing remaining refactoring of packet parsing
API, started almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@

OpenBSD-Commit-ID: 93c98a6b38f6911fd1ae025a1ec57807fb4d4ef4
2019-01-20 09:02:10 +11:00
djm@openbsd.org
928f1231f6 upstream: silence (to log level debug2) failure messages when
loading the default hostkeys. Hostkeys explicitly specified in the
configuration or on the command-line are still reported as errors, and
failure to load at least one host key remains a fatal error.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@

OpenBSD-Commit-ID: ffc2e35a75d1008effaf05a5e27425041c27b684
2018-11-19 15:14:32 +11:00
djm@openbsd.org
2a35862e66 upstream: use path_absolute() for pathname checks; from Manoj Ampalam
OpenBSD-Commit-ID: 482ce71a5ea5c5f3bc4d00fd719481a6a584d925
2018-11-16 14:37:33 +11:00
djm@openbsd.org
0cbed248ed upstream: actually make CASignatureAlgorithms available as a config
option

OpenBSD-Commit-ID: 93fa7ff58314ed7b1ab7744090a6a91232e6ae52
2018-09-21 09:41:59 +10:00
djm@openbsd.org
86e5737c39 upstream: Add sshd_config CASignatureAlgorithms option to allow
control over which signature algorithms a CA may use when signing
certificates. In particular, this allows a sshd to ban certificates signed
with RSA/SHA1.

ok markus@

OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac
2018-09-20 14:00:29 +10:00
djm@openbsd.org
1b9dd4aa15 upstream: better diagnosics on alg list assembly errors; ok
deraadt@ markus@

OpenBSD-Commit-ID: 5a557e74b839daf13cc105924d2af06a1560faee
2018-08-13 12:42:13 +10:00
Damien Miller
87f08be054 Remove support for S/Key
Most people will 1) be using modern multi-factor authentication methods
like TOTP/OATH etc and 2) be getting support for multi-factor
authentication via PAM or BSD Auth.
2018-07-31 12:59:30 +10:00
markus@openbsd.org
5467fbcb09 upstream: remove legacy key emulation layer; ok djm@
OpenBSD-Commit-ID: 2b1f9619259e222bbd4fe9a8d3a0973eafb9dd8d
2018-07-12 13:18:25 +10:00
markus@openbsd.org
c3cb7790e9 upstream: sshd: switch config to sshbuf API; ok djm@
OpenBSD-Commit-ID: 72b02017bac7feac48c9dceff8355056bea300bd
2018-07-10 15:25:25 +10:00
sf@openbsd.org
168b46f405 upstream: Revert previous two commits
It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14;  author: sf;  commitid: yZVYKIRtUZWD9CmE;
 Rename COMP_DELAYED to COMP_ZLIB

 Only delayed compression is supported nowadays.

 ok markus@

date: 2018/07/06 09:05:01;  author: sf;  commitid: rEGuT5UgI9f6kddP;
 Remove leftovers from pre-authentication compression

 Support for this has been removed in 2016.
 COMP_DELAYED will be renamed in a later commit.

 ok markus@

OpenBSD-Commit-ID: cdfef526357e4e1483c86cf599491b2dafb77772
2018-07-10 15:13:41 +10:00
sf@openbsd.org
ab39267fa1 upstream: Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.

ok markus@

OpenBSD-Commit-ID: 5b1dbaf3d9a4085aaa10fec0b7a4364396561821
2018-07-10 15:13:40 +10:00
djm@openbsd.org
312d2f2861 upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSA
signature work - returns ability to add/remove/specify algorithms by
wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@

OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
2018-07-04 23:51:52 +10:00
djm@openbsd.org
95344c2574 upstream: allow sshd_config PermitUserEnvironment to accept a
pattern-list of whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@

OpenBSD-Commit-ID: 77dc2b468e0bf04b53f333434ba257008a1fdf24
2018-07-03 21:01:30 +10:00
djm@openbsd.org
87ddd676da upstream: allow bare port numbers to appear in PermitListen directives,
e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@

OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24
2018-06-19 13:00:50 +10:00
djm@openbsd.org
28013759f0 upstream: add a SetEnv directive for sshd_config to allow an
administrator to explicitly specify environment variables set in sessions
started by sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@

OpenBSD-Commit-ID: b6a96c0001ccd7dd211df6cae9e961c20fd718c0
2018-06-09 13:11:00 +10:00
markus@openbsd.org
7f90635216 upstream: switch config file parsing to getline(3) as this avoids
static limits noted by gerhard@; ok dtucker@, djm@

OpenBSD-Commit-ID: 6d702eabef0fa12e5a1d75c334a8c8b325298b5c
2018-06-07 04:34:05 +10:00
djm@openbsd.org
93c06ab6b7 upstream: permitlisten option for authorized_keys; ok markus@
OpenBSD-Commit-ID: 8650883018d7aa893173d703379e4456a222c672
2018-06-07 04:27:20 +10:00
djm@openbsd.org
115063a664 upstream: Add a PermitListen directive to control which server-side
addresses may be listened on when the client requests remote forwarding (ssh
-R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@

OpenBSD-Commit-ID: 15a931238c61a3f2ac74ea18a98c933e358e277f
2018-06-07 04:27:20 +10:00
djm@openbsd.org
001aa55484 upstream: lots of typos in comments/docs. Patch from Karsten Weiss
after checking with codespell tool
(https://github.com/lucasdemarchi/codespell)

OpenBSD-Commit-ID: 373222f12d7ab606598a2d36840c60be93568528
2018-04-10 10:17:15 +10:00
job@openbsd.org
5ee8448ad7 upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for
interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavanger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@

OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
2018-04-06 14:20:33 +10:00
markus@openbsd.org
5886b92968 upstream: missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by
jmc@

OpenBSD-Commit-ID: 9039cb69a3f9886bfef096891a9e7fcbd620280b
2018-03-02 14:30:15 +11:00
markus@openbsd.org
1b11ea7c58 upstream: Add experimental support for PQC XMSS keys (Extended
Hash-Based Signatures) The code is not compiled in by default (see WITH_XMSS
in Makefile.inc) Joint work with stefan-lukas_gazdag at genua.eu See
https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 ok
djm@

OpenBSD-Commit-ID: ef3eccb96762a5d6f135d7daeef608df7776a7ac
2018-02-26 11:40:41 +11:00
djm@openbsd.org
88c50a5ae2 upstream: stop loading DSA keys by default, remove sshd_config
stanza and manpage bits; from Colin Watson via bz#2662, ok dtucker@

OpenBSD-Commit-ID: d33a849f481684ff655c140f5eb1b4acda8c5c09
2018-02-16 13:35:28 +11:00
dtucker@openbsd.org
745771fb78 upstream commit
Remove unused sKerberosTgtPassing from enum.  From
calestyo via github pull req #11, ok djm@

OpenBSD-Commit-ID: 1008f8870865a7c4968b7aed402a0a9e3e5b9540
2018-02-09 20:00:35 +11:00
dtucker@openbsd.org
609d96b3d5 upstream commit
Replace atoi and strtol conversions for integer arguments
to config keywords with a checking wrapper around strtonum.  This will
prevent and flag invalid and negative arguments to these keywords.  ok djm@

OpenBSD-Commit-ID: 99ae3981f3d608a219ccb8d2fff635ae52c17998
2017-12-07 11:49:00 +11:00
dtucker@openbsd.org
168ecec13f upstream commit
Add missing break for rdomain.  Prevents spurious
"Deprecated option" warnings.  ok djm@

OpenBSD-Commit-ID: ba28a675d39bb04a974586241c3cba71a9c6099a
2017-12-07 11:46:35 +11:00
djm@openbsd.org@openbsd.org
33edb6ebdc upstream commit
reuse parse_multistate for parse_flag (yes/no arguments).
Saves a few lines of code and makes the parser more consistent wrt case-
sensitivity.  bz#2664 ok dtucker@

OpenBSD-Commit-ID: b2ad1b6086858d5db71c7b11e5a74dba6d60efef
2017-11-03 16:20:41 +11:00
dtucker@openbsd.org@openbsd.org
0208a48517 upstream commit
When doing a config test with sshd -T, only require the
attributes that are actually used in Match criteria rather than (an
incomplete list of) all criteria.  ok djm@, man page help jmc@

OpenBSD-Commit-ID: b4e773c4212d3dea486d0259ae977551aab2c1fc
2017-11-03 16:20:41 +11:00
Damien Miller
2de5c6b53b fix rdomain compilation errors 2017-10-27 08:42:33 +11:00
djm@openbsd.org
d685e5a31f upstream commit
uninitialised variable in PermitTunnel printing code

Upstream-ID: f04dc33e42855704e116b8da61095ecc71bc9e9a
2017-10-25 13:12:10 +11:00
Damien Miller
43c29bb7cf provide hooks and fallbacks for rdomain support 2017-10-25 13:11:38 +11:00
djm@openbsd.org
68af80e6fd upstream commit
add a "rdomain" criteria for the sshd_config Match
keyword to allow conditional configuration that depends on which rdomain(4) a
connection was recevied on. ok markus@

Upstream-ID: 27d8fd5a3f1bae18c9c6e533afdf99bff887a4fb
2017-10-25 12:26:21 +11:00
djm@openbsd.org
35eb33fb95 upstream commit
add sshd_config RDomain keyword to place sshd and the
subsequent user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@

Upstream-ID: be2358e86346b5cacf20d90f59f980b87d1af0f5
2017-10-25 12:26:13 +11:00
djm@openbsd.org
acf559e1cf upstream commit
Add optional rdomain qualifier to sshd_config's
ListenAddress option to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4

Upstream-ID: 24b6622c376feeed9e9be8b9605e593695ac9091
2017-10-25 12:26:06 +11:00
djm@openbsd.org
dceabc7ad7 upstream commit
replace statically-sized arrays in ServerOptions with
dynamic ones managed by xrecallocarray, removing some arbitrary (though
large) limits and saving a bit of memory; "much nicer" markus@

Upstream-ID: 1732720b2f478fe929d6687ac7b0a97ff2efe9d2
2017-10-20 12:01:02 +11:00
djm@openbsd.org
69bda02288 upstream commit
fix (another) problem in PermitOpen introduced during the
channels.c refactor: the third and subsequent arguments to PermitOpen were
being silently ignored; ok markus@

Upstream-ID: 067c89f1f53cbc381628012ba776d6861e6782fd
2017-10-05 05:51:12 +11:00
djm@openbsd.org
66bf74a921 upstream commit
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@

Upstream-ID: c2cc84ffac070d2e1ff76182c70ca230a387983c
2017-10-03 06:34:26 +11:00
dtucker@openbsd.org
30484e5e5f upstream commit
Add braces missing after channels refactor.  ok markus@

Upstream-ID: 72ab325c84e010680dbc88f226e2aa96b11a3980
2017-09-19 14:26:43 +10:00
djm@openbsd.org
dbee4119b5 upstream commit
refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@

Upstream-ID: 11828f161656b965cc306576422613614bea2d8f
2017-09-12 17:37:02 +10:00