Age | Commit message | Author |
|
and memory sidechannel attacks like Spectre, Meltdown, Rowhammer and
Rambleed. This change encrypts private keys when they are not in use
with a symmetric key that is derived from a relatively large "prekey"
consisting of random data (currently 16KB).
Attackers must recover the entire prekey with high accuracy before
they can attempt to decrypt the shielded private key, but the current
generation of attacks have bit error rates that, when applied
cumulatively to the entire prekey, make this unlikely.
Implementation-wise, keys are encrypted "shielded" when loaded and then
automatically and transparently unshielded when used for signatures or
when being saved/serialised.
Hopefully we can remove this in a few years time when computer
architecture has become less unsafe.
been in snaps for a bit already; thanks deraadt@
ok dtucker@ deraadt@
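Added example (not OpenSSH's code): a minimal model of the shield/unshield scheme the commit describes. A 16KB random prekey is stored next to the encrypted key; the symmetric key only ever exists transiently, derived from the whole prekey. The KDF and stream cipher here are a hypothetical toy (FNV-1a plus splitmix64, not cryptographic; OpenSSH uses real primitives) chosen so that every prekey bit feeds the derivation, which is what makes a leak with even one bit error useless. `recovery_probability()` evaluates the commit's argument numerically.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PREKEY_LEN 16384          /* 16KB prekey, as in the commit message */
#define KEY_LEN 32
#define MAX_SECRET 64

/* Toy mixer (hypothetical, NOT cryptographic). */
static uint64_t splitmix64(uint64_t *state) {
    uint64_t z = (*state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Toy KDF: hash the ENTIRE prekey, then expand to KEY_LEN bytes.
 * Every prekey bit influences the result, so one wrong bit yields
 * an unrelated key. */
static void derive_key(const uint8_t *prekey, uint8_t key[KEY_LEN]) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < PREKEY_LEN; i++)
        h = (h ^ prekey[i]) * 0x100000001b3ULL;
    for (size_t i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)splitmix64(&h);
}

/* Toy stream cipher: XOR with a keystream seeded from the key. */
static void keystream_xor(const uint8_t key[KEY_LEN], uint8_t *buf, size_t n) {
    uint64_t s = 0;
    memcpy(&s, key, sizeof s);
    for (size_t i = 0; i < n; i++)
        buf[i] ^= (uint8_t)splitmix64(&s);
}

struct shielded_key {
    uint8_t prekey[PREKEY_LEN];   /* random; attacker must recover all of it */
    uint8_t ct[MAX_SECRET];       /* encrypted private key material */
    size_t len;
};

/* Shield: fresh random prekey, derive key, encrypt, discard key. */
int shield(struct shielded_key *sk, const uint8_t *secret, size_t len) {
    uint8_t key[KEY_LEN];
    if (len > MAX_SECRET) return -1;
    for (size_t i = 0; i < PREKEY_LEN; i++)
        sk->prekey[i] = (uint8_t)rand();      /* stand-in for arc4random_buf() */
    derive_key(sk->prekey, key);
    memcpy(sk->ct, secret, len);
    sk->len = len;
    keystream_xor(key, sk->ct, len);
    memset(key, 0, sizeof key);               /* explicit_bzero() in real code */
    return 0;
}

/* Unshield: re-derive the key from the prekey only for as long as needed. */
int unshield(const struct shielded_key *sk, uint8_t *out) {
    uint8_t key[KEY_LEN];
    derive_key(sk->prekey, key);
    memcpy(out, sk->ct, sk->len);
    keystream_xor(key, out, sk->len);
    memset(key, 0, sizeof key);
    return (int)sk->len;
}

/* Attacker model: leaked the whole blob but got one prekey bit wrong. */
int unshield_with_bitflip(const struct shielded_key *sk, size_t bit, uint8_t *out) {
    struct shielded_key copy = *sk;
    copy.prekey[bit / 8] ^= (uint8_t)(1u << (bit % 8));
    return unshield(&copy, out);
}

/* Probability that a leak with per-bit error rate `ber` gets every
 * one of the PREKEY_LEN*8 bits right (underflows to 0 for realistic rates). */
double recovery_probability(double ber) {
    double p = 1.0;
    for (size_t i = 0; i < PREKEY_LEN * 8; i++)
        p *= (1.0 - ber);
    return p;
}
```

Note that `unshield_with_bitflip()` returns the right length but garbage bytes: a partially correct prekey gives the attacker nothing to grind on, which is the whole point of sizing the prekey at 16KB rather than 32 bytes.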
|
|
Prepares for changes in the way malloc is initialized. ok guenther@ dtucker@
|
|
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@
|
|
1. Recently-forked child processes will briefly remain listening to
listen_socks. If the main server sshd process completes its restart
via execv() before these sockets are closed by the child processes
then it can fail to listen at the desired addresses/ports and/or
fail to restart.
2. When a SIGHUP is received, there may be forked child processes that
are awaiting their reexecution state. If the main server sshd
process restarts before passing this state, these child processes
will yield errors and use a fallback path of reading the current
sshd_config from the filesystem rather than use the one that sshd
was started with.
To fix both of these cases, we reuse the startup_pipes that are shared
between the main server sshd and forked children. Previously this was
used solely to implement tracking of pre-auth child processes for
MaxStartups, but this extends the messaging over these pipes to include
a child->parent message that the parent process is safe to restart. This
message is sent from the child after it has completed its preliminaries:
closing listen_socks and receiving its reexec state.
bz#2953, reported by Michal Koutný; ok markus@ dtucker@
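Added example (not OpenSSH's code) of the child-to-parent "safe to restart" handshake over a per-child pipe. The message byte, the function names and the use of a pipe as a stand-in listen socket are assumptions made for the example; the point it shows is that the parent must not proceed to re-exec until each child has closed the inherited listener and signalled over its startup pipe.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MSG_READY_TO_RESTART 'R'   /* hypothetical child->parent byte */
#define MAX_CHILDREN 8

/* Child side: drop the inherited listen socket, take its reexec state
 * (elided here), then tell the parent it is safe to restart. */
static void child_preliminaries(int listen_sock, int startup_fd) {
    unsigned char m = MSG_READY_TO_RESTART;
    close(listen_sock);                 /* no longer pins the listening port */
    /* ... receive reexec state from the parent here in real sshd ... */
    if (write(startup_fd, &m, 1) != 1)
        _exit(1);
}

/* Parent side: block until every live child has signalled, or its pipe
 * has closed because the child exited. Returns the number of children
 * that reported ready. Real sshd would poll these alongside new
 * connections; a plain loop is enough to show the rule. */
int wait_children_ready(const int *startup_fds, size_t n) {
    int ready = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char m;
        ssize_t r;
        do {
            r = read(startup_fds[i], &m, 1);
        } while (r < 0 && errno == EINTR);
        if (r == 1 && m == MSG_READY_TO_RESTART)
            ready++;
        /* r == 0: child went away, nothing left to wait for */
    }
    return ready;
}

/* Fork `nchildren` children and wait for all of them before the point
 * where sshd would execv() itself. Returns how many reported ready. */
int restart_handshake_demo(size_t nchildren) {
    int listen_sock[2], pipes[MAX_CHILDREN][2], fds[MAX_CHILDREN];
    if (nchildren > MAX_CHILDREN || pipe(listen_sock) < 0)
        return -1;
    for (size_t i = 0; i < nchildren; i++) {
        if (pipe(pipes[i]) < 0)
            return -1;
        pid_t pid = fork();
        if (pid < 0)
            return -1;
        if (pid == 0) {
            close(pipes[i][0]);
            child_preliminaries(listen_sock[0], pipes[i][1]);
            _exit(0);
        }
        close(pipes[i][1]);             /* parent keeps only the read end */
        fds[i] = pipes[i][0];
    }
    int ready = wait_children_ready(fds, nchildren);
    for (size_t i = 0; i < nchildren; i++) {
        close(fds[i]);
        wait(NULL);
    }
    close(listen_sock[0]);
    close(listen_sock[1]);
    return ready;                       /* only now is execv() safe */
}

int main(void) {
    printf("children ready: %d\n", restart_handshake_demo(3));
    return 0;
}
```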
|
|
from markus@ ok djm@
|
|
from markus@ ok djm@
|
|
from markus@ ok djm@
|
|
|
|
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
|
|
with & ok markus@
|
|
with & ok markus@
|
|
with & ok markus@
|
|
|
|
with & ok markus@
|
|
almost exactly six years ago.
This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.
with & ok markus@
|
|
patch from Markus Schmidt
|
|
out the banner exchange. This eliminates some common code from the
client and server.
Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@
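Added example (not OpenSSH's code) of a banner line reader with the stricter `\r` rule from this commit: a `\r` is accepted only when the very next byte is `\n`, and a bare `\r` or a NUL rejects the line. `parse_version_line()` additionally accepts only the "2.0" and "1.99" protocol versions (the "1.99" case is the one the later bz2810 entry on this page restored). Function names and buffer sizes are the example's own.

```c
#include <stddef.h>
#include <string.h>

/* Copy one line from buf (without terminator) into out. Returns its
 * length, or -1 if the line is malformed or no terminator has arrived yet.
 * *consumed is set to the number of bytes to discard from buf. */
int read_banner_line(const char *buf, size_t n, char *out, size_t outsz,
                     size_t *consumed) {
    size_t i, len = 0;
    for (i = 0; i < n; i++) {
        if (buf[i] == '\n')
            break;
        if (buf[i] == '\r') {
            /* \r is legal only as the first half of \r\n */
            if (i + 1 >= n || buf[i + 1] != '\n')
                return -1;
            break;
        }
        if (buf[i] == '\0' || len + 1 >= outsz)
            return -1;                  /* NUL in banner, or line too long */
        out[len++] = buf[i];
    }
    if (i == n)
        return -1;                      /* no terminator yet */
    out[len] = '\0';
    *consumed = (buf[i] == '\r') ? i + 2 : i + 1;
    return (int)len;
}

/* Lines before the version line are free-form banner text. */
int is_version_line(const char *line) {
    return strncmp(line, "SSH-", 4) == 0;
}

/* Parse "SSH-<proto>-<software>[ comments]". Accepts proto 2.0 or 1.99,
 * copies the software string into sw. Returns 0 on success, -1 otherwise. */
int parse_version_line(const char *line, char *sw, size_t swsz) {
    const char *p, *q;
    size_t plen, swlen;
    if (strncmp(line, "SSH-", 4) != 0)
        return -1;
    p = line + 4;
    q = strchr(p, '-');
    if (q == NULL)
        return -1;
    plen = (size_t)(q - p);
    if (!(plen == 3 && strncmp(p, "2.0", 3) == 0) &&
        !(plen == 4 && strncmp(p, "1.99", 4) == 0))
        return -1;
    q++;
    swlen = strcspn(q, " ");
    if (swlen == 0 || swlen + 1 > swsz)
        return -1;
    memcpy(sw, q, swlen);
    sw[swlen] = '\0';
    return 0;
}
```

A caller feeds `read_banner_line()` the bytes it has buffered so far; `-1` with a trailing lone `\r` simply means "wait for more data or give up", which a real reader would distinguish from a definite syntax error once it has the next byte.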
|
|
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.
Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103
ok markus@
|
|
|
|
we're old, but we don't have to act it
|
|
calling ssh_gssapi_prepare_supported_oids() regardless of whether
GSSAPI authentication is enabled in the main config.
This avoids sandbox violations for configurations that enable GSSAPI
auth later, e.g.
Match user djm
GSSAPIAuthentication yes
bz#2107; ok dtucker@
|
|
feedback and ok tb@ jsing@ markus@
|
|
double-free under some circumstances.
--
date: 2018/07/31 03:07:24; author: djm; state: Exp; lines: +33 -18; commitid: f7g4UI8eeOXReTPh;
fix some memory leaks spotted by Coverity via Jakub Jelen in bz#2366
feedback and ok dtucker@
|
|
feedback and ok dtucker@
|
|
|
|
|
|
|
|
In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.
feedback and ok markus@
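Added example (not OpenSSH's code) of the two server-side checks this commit describes: the algorithm named in the userauth request must be in the accepted list, and it must match the algorithm recorded in the signature blob itself, with the `*-cert-v01@openssh.com` names mapped to the plain signature algorithm they carry. The SSH `string` wire encoding (4-byte big-endian length plus bytes) is real; the function names and the accepted-list format are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Read an SSH "string": uint32 big-endian length followed by bytes. */
static int get_string(const uint8_t *buf, size_t n, size_t *off,
                      const uint8_t **p, size_t *len) {
    uint32_t l;
    if (n - *off < 4)
        return -1;
    l = ((uint32_t)buf[*off] << 24) | ((uint32_t)buf[*off + 1] << 16) |
        ((uint32_t)buf[*off + 2] << 8) | (uint32_t)buf[*off + 3];
    *off += 4;
    if (n - *off < l)
        return -1;                      /* truncated blob */
    *p = buf + *off;
    *len = l;
    *off += l;
    return 0;
}

static void put_string(uint8_t *out, size_t *off, const void *p, size_t l) {
    out[*off] = (uint8_t)(l >> 24); out[*off + 1] = (uint8_t)(l >> 16);
    out[*off + 2] = (uint8_t)(l >> 8); out[*off + 3] = (uint8_t)l;
    memcpy(out + *off + 4, p, l);
    *off += 4 + l;
}

/* Build "string alg | string sig" as an SSH signature blob (for tests). */
size_t make_sig_blob(const char *alg, const uint8_t *sig, size_t siglen,
                     uint8_t *out, size_t outsz) {
    size_t off = 0;
    if (8 + strlen(alg) + siglen > outsz)
        return 0;
    put_string(out, &off, alg, strlen(alg));
    put_string(out, &off, sig, siglen);
    return off;
}

/* Extract the algorithm name that the signature blob itself claims. */
int sig_blob_alg(const uint8_t *blob, size_t n, char *alg, size_t algsz) {
    const uint8_t *p;
    size_t l, off = 0;
    if (get_string(blob, n, &off, &p, &l) < 0 || l == 0 || l + 1 > algsz)
        return -1;
    memcpy(alg, p, l);
    alg[l] = '\0';
    return 0;
}

/* Certificate key types sign with the plain algorithm of the same name. */
static const char *cert_to_plain(const char *alg) {
    if (strcmp(alg, "rsa-sha2-256-cert-v01@openssh.com") == 0) return "rsa-sha2-256";
    if (strcmp(alg, "rsa-sha2-512-cert-v01@openssh.com") == 0) return "rsa-sha2-512";
    if (strcmp(alg, "ssh-rsa-cert-v01@openssh.com") == 0) return "ssh-rsa";
    return alg;
}

/* Is alg in the comma-separated list (PubkeyAcceptedKeyTypes-style)? */
int alg_accepted(const char *alg, const char *list) {
    size_t alen = strlen(alg);
    const char *p = list;
    while (*p) {
        size_t l = strcspn(p, ",");
        if (l == alen && strncmp(p, alg, l) == 0)
            return 1;
        p += l;
        if (*p == ',')
            p++;
    }
    return 0;
}

/* sshd-side rule: userauth algorithm must be accepted AND must agree with
 * the algorithm inside the signature. Returns 1 if ok, 0 to reject. */
int userauth_sig_ok(const char *userauth_alg, const uint8_t *blob, size_t n,
                    const char *accepted) {
    char blob_alg[64];
    if (!alg_accepted(userauth_alg, accepted))
        return 0;
    if (sig_blob_alg(blob, n, blob_alg, sizeof blob_alg) < 0)
        return 0;
    return strcmp(cert_to_plain(userauth_alg), blob_alg) == 0;
}
```

With an accepted list of `rsa-sha2-512,rsa-sha2-256` a client that announces `ssh-rsa` is refused outright, and a client that announces `rsa-sha2-256` but ships a blob labelled `ssh-rsa` (the agent-fallback case the commit mentions) is refused for the mismatch.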
|
|
This establishes a minimum time for each failed authentication
attempt (5ms) and adds a per-user constant derived from a host
secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok
markus@ djm@.
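Added example (not OpenSSH's code) of the delay scheme in this commit: a fixed 5ms floor per failed attempt plus a per-user constant in the 0-4ms range derived from a host secret, applied by measuring how long the attempt actually took and sleeping for the remainder. The keyed mix used to derive the per-user value is a hypothetical toy standing in for a proper keyed hash; the names are the example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <string.h>
#include <time.h>

#define MIN_FAIL_DELAY_US   5000    /* 5ms floor for every failed attempt */
#define USER_JITTER_RANGE_US 5000   /* plus 0 .. 4999us, fixed per user */

/* Per-user constant: toy keyed mix of (host secret || username).
 * Hypothetical; use HMAC or similar in real code. Stable across attempts,
 * so an attacker cannot average it out, but not derivable without the secret. */
uint32_t user_delay_us(const uint8_t *host_secret, size_t slen, const char *user) {
    uint64_t h = 0x9E3779B97F4A7C15ULL;
    for (size_t i = 0; i < slen; i++)
        h = (h ^ host_secret[i]) * 0x100000001b3ULL;
    for (const char *p = user; *p; p++)
        h = (h ^ (uint8_t)*p) * 0x100000001b3ULL;
    h ^= h >> 32;
    return (uint32_t)(h % USER_JITTER_RANGE_US);
}

/* Minimum total duration of a failed attempt for this user. */
uint32_t failed_auth_floor_us(const uint8_t *hs, size_t slen, const char *user) {
    return MIN_FAIL_DELAY_US + user_delay_us(hs, slen, user);
}

uint64_t now_us(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000ULL + (uint64_t)ts.tv_nsec / 1000;
}

/* Call after an attempt has failed, passing the time it started. Sleeps
 * until the floor has elapsed so fast failures (unknown user, bad key
 * type) are not distinguishable from slow ones. Returns microseconds slept. */
uint64_t pad_failed_auth(uint64_t start_us, const uint8_t *hs, size_t slen,
                         const char *user) {
    uint64_t floor_us = failed_auth_floor_us(hs, slen, user);
    uint64_t elapsed = now_us() - start_us;
    if (elapsed >= floor_us)
        return 0;                       /* already slow enough */
    uint64_t remain = floor_us - elapsed;
    struct timespec ts = { (time_t)(remain / 1000000),
                           (long)((remain % 1000000) * 1000) };
    nanosleep(&ts, NULL);               /* EINTR retry omitted */
    return remain;
}
```

The per-user component is what distinguishes this from a plain fixed delay: without it, any user whose failure path is slower than the floor would still stand out, and with a random jitter instead of a per-user constant an attacker could average the noise away over repeated attempts.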
|
|
with codespell tool (https://github.com/lucasdemarchi/codespell)
|
|
legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.
feedback and ok markus@
|
|
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@
|
|
The signal handlers from the original ssh1 code on which OpenSSH
is based assume unreliable signals and reinstall their handlers.
Since OpenBSD (and pretty much every current system) has reliable
signals this is not needed. In the unlikely event that -portable
is still being used on such systems we will deal with it in the
compat layer. ok deraadt@
|
|
using major protocol version 2 from connecting to the server.
ok millert@
|
|
ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.
ok markus@
|
|
of "1.99" (indicating both v2 and v1 support). Busted by me during
SSHv1 purge in r1.358; bz2810, ok dtucker
|
|
keep a scrubbed copy; bz2777, ok dtucker@
|
|
without providing a full connection specification (sshd -T -C ...)
spotted by bluhm@
|
|
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@
|
|
|
|
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@
|
|
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)
ok markus@
|
|
to allow listening on a different rdomain(4), e.g.
ListenAddress 0.0.0.0 rdomain 4
|
|
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@
|
|
Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.
ok markus@
|
|
remaining bit that it still used into ssh-rsa.c; ok markus
|
|
|
|
|
|
|
|
ok markus@
|