Age | Commit message | Author |
|
to a more shell-like one. Apparently the old tokeniser (accidentally?)
allowed "Match criteria=argument" as well as the "Match criteria argument"
syntax that we tested for.
People were using this syntax so this adds back support for
"Match criteria=argument"
bz3739 ok dtucker
|
|
behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsuccessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
|
|
splits sshd into a listener and a session binary. More splits are
planned.
After this changes, the listener binary will validate the configuration,
load the hostkeys, listen on port 22 and manage MaxStartups only. All
session handling will be performed by a new sshd-session binary that the
listener fork+execs.
This reduces the listener process to the minimum necessary and sets us
up for future work on the sshd-session binary.
feedback/ok markus@ deraadt@
NB. if you're updating via source, please restart sshd after installing,
otherwise you run the risk of locking yourself out.
|
|
active configuration. This fixes the config parser from erroneously
rejecting cases like:
AuthenticationMethods password
Match User ivy
AuthenticationMethods any
bz3657 ok markus@
|
|
in the server. ok markus@
|
|
This attempts to hide inter-keystroke timings by sending interactive
traffic at fixed intervals (default: every 20ms) when there is only a
small amount of data being sent. It also sends fake "chaff" keystrokes
for a random interval after the last real keystroke. These are
controlled by a new ssh_config ObscureKeystrokeTiming keyword.
feedback/ok markus@
|
|
sessions to ignore SIGINT under some circumstances. Reported by /
feedback naddy@, ok dtucker@
|
|
This checks via nlist(3) that candidate provider libraries contain one
of the symbols that we will require prior to dlopen(), which can cause
a number of side effects, including execution of constructors.
Feedback deraadt; ok markus
|
|
this, so move from misc.c to misc.h so it's available. Fixes a Coverity
warning for 64bit time_t safety, ok djm@
|
|
ok dtucker markus
|
|
sshd_config; previously if the same name was reused then the last
would win (which is the opposite to how the config is supposed to
work).
While there, make the ssh_config parsing more like sshd_config.
bz3438, ok dtucker
|
|
to make things easier.
back and forth and ok; djm
|
|
paths, in particular ~user ones. Allows scp in sftp mode to accept
these paths, like scp in rcp mode does.
prompted by and much discussion deraadt@
ok markus@
|
|
encounters an unquoted comment.
Add some additional utility function for working with argument
vectors, since we'll be switching to using them to parse
ssh/sshd_config shortly.
ok markus@ as part of a larger diff; tested in snaps
|
|
specially by the protocol. Useful in ~/.ssh/config to set TERM to
something generic (e.g. "xterm" instead of "xterm-256color") for
destinations that lack terminfo entries. feedback and ok dtucker@
|
|
indentation on continuation lines. Prompted by GHPR#185
|
|
where sizeof(int) != sizeof(long), convtime could accept values
>MAX_INT which subsequently truncate when stored in an int during
config parsing. bz#3250, ok djm@
|
|
make privilege dropping optional but allow it via callbacks (to avoid
need to link uidswap.c everywhere)
add some other flags (keep environment, disable strict path safety check)
that make this more useful for client-side use.
feedback & ok markus@
|
|
The connection phase of the SSH session is time-sensitive (due to
server side login grace periods) and is frequently interactive (e.g.
entering passwords). The ultimate interactive/bulk TOS/DSCP will be
set after authentication completes.
ok dtucker@
|
|
the touch has been recorded; requested by claudio@ ok markus@
|
|
and/or stderr to /dev/null. Factor all these out to a single
stdfd_devnull() function that allows selection of which of these
to redirect. ok markus@
|
|
Fixes build error on arm64 spotted by otto@.
|
|
variables on the client side. The supported keywords are
CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus
LocalForward and RemoteForward when used for Unix domain socket
paths. This would for example allow forwarding of Unix domain
socket paths that change at runtime. bz#3140, ok djm@
|
|
friendly format. Switch copyright for this file from BSD to MIT to
make it easier to add Henning's copyright for this function.
ok markus@
|
|
necessary). ok aja@ as part of a larger diff
|
|
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.
|
|
them public; ok markus@
|
|
host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@
|
|
out the banner exchange. This eliminates some common code from the
client and server.
Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@
|
|
Account for written bytes before the initial timer check so that the first
buffer written is accounted. Set the threshold after which the timer is
checked such that the limit starts being computed as soon as possible, ie
after the second buffer is written. This prevents an initial burst of
traffic and provides a more accurate bandwidth limit. bz#2927, ok djm.
|
|
names as well as explicit paths. ok dtucker@
|
|
setuid and sshd always has privsep on, we can remove the uid checks
for low port binds and just let the system do the check. We leave
a sanity check for the !privsep case so long as the code is still
there. with & ok djm@
|
|
variables for the remote session (subject to the server accepting them)
refactor SendEnv to remove the arbitrary limit of variable names.
ok markus@
|
|
noted by gerhard@; ok dtucker@, djm@
|
|
giving a key an expiry date. ok markus@
|
|
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@
|
|
timeval respectively. Replace calls to gettimeofday() in packet timing
with monotime_tv so that the callers will work over a clock step.
Should prevent integer overflow during clock steps reported by wangle6
at huawei.com. "I like" markus@
|
|
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)
ok markus@
|
|
to allow listening on a different rdomain(4), e.g.
ListenAddress 0.0.0.0 rdomain 4
|
|
At the client, the device may be obtained from a new %T expansion
for LocalCommand.
At the server, the allocated devices will be listed in a
SSH_TUNNEL variable exposed to the environment of any user sessions
started after the tunnel forwarding was established.
ok markus
|
|
or sftp://user@host/path. The connection parameters described in
draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since the
ssh fingerprint format in the draft uses md5 with no way to specify
the hash function type. OK djm@
|
|
exit status (failure due to signal is still reported)
|
|
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.
feedback & ok dtucker@
|
|
skip the call to daemon() and do not rewrite the PidFile. This
means that when sshd re-execs itself on SIGHUP the process ID will
no longer change. Should address bz#2641. ok djm@ markus@.
|