path: root/usr.bin/ssh/sshd.c
Age  Commit message  Author
2024-10-14  Split per-connection sshd-session binary  (Damien Miller)
This splits the user authentication code from the sshd-session binary into a separate sshd-auth binary. This will be executed by sshd-session to complete the user authentication phase of the protocol only. Splitting this code into a separate binary ensures that the crucial pre-authentication attack surface has an entirely disjoint address space from the code used for the rest of the connection. It also yields a small runtime memory saving as the authentication code will be unloaded after the authentication phase completes. Joint work with markus@ feedback deraadt@ Tested in snaps since last week
2024-09-15  Add a "refuseconnection" penalty class to sshd_config PerSourcePenalties  (Damien Miller)
This allows penalising connection sources that have had connections dropped by the RefuseConnection option. ok markus@
2024-09-12  Relax absolute path requirement back to what it was prior to OpenSSH 9.8,  (Damien Miller)
which incorrectly required that sshd was started with an absolute path in inetd mode. bz3717, patch from Colin Wilson
2024-08-17  fix swapping of source and destination addresses in some sshd log messages  (Damien Miller)
2024-06-27  delete obsolete comment  (Damien Miller)
2024-06-26  move child process waitpid() loop out of SIGCHLD handler;  (Damien Miller)
ok deraadt
2024-06-06  disable stderr redirection before closing fds  (Damien Miller)
2024-06-06  Add a facility to sshd(8) to penalise particular problematic client  (Damien Miller)
behaviours, controlled by two new sshd_config(5) options: PerSourcePenalties and PerSourcePenaltyExemptList. When PerSourcePenalties are enabled, sshd(8) will monitor the exit status of its child pre-auth session processes. Through the exit status, it can observe situations where the session did not authenticate as expected. These conditions include when the client repeatedly attempted authentication unsuccessfully (possibly indicating an attack against one or more accounts, e.g. password guessing), or when client behaviour caused sshd to crash (possibly indicating attempts to exploit sshd). When such a condition is observed, sshd will record a penalty of some duration (e.g. 30 seconds) against the client's address. If this time is above a minimum threshold specified by the PerSourcePenalties, then connections from the client address will be refused (along with any others in the same PerSourceNetBlockSize CIDR range). Repeated offenses by the same client address will accrue greater penalties, up to a configurable maximum. A PerSourcePenaltyExemptList option allows certain address ranges to be exempt from all penalties. We hope these options will make it significantly more difficult for attackers to find accounts with weak/guessable passwords or exploit bugs in sshd(8) itself. PerSourcePenalties is off by default, but we expect to enable it automatically in the near future. much feedback markus@ and others, ok markus@
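Added example, not OpenSSH code: a small C model of the accounting the commit message above describes, written to show how the pieces fit together (a penalty accrues per offence, is capped at a maximum, only causes refusal once it reaches a minimum, is keyed on the netblock rather than the single address, and is skipped for exempt ranges). The class durations (5 s for an auth failure, 90 s for a crash), the 15 s minimum, the 600 s cap, the /24 netblock, the 10.0.0.0/8 exemption, the IPv4-only fixed-size table and every function name are this example's own assumptions, not sshd's defaults or its implementation.

```c
/* Added example: simplified model of per-source penalties. Not sshd's code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum penalty_class { PEN_AUTHFAIL, PEN_CRASH };

/* Assumed policy for this example (sshd's real values are configurable). */
#define PENALTY_AUTHFAIL_SEC   5
#define PENALTY_CRASH_SEC      90
#define PENALTY_MIN_SEC        15     /* refuse only once accrued penalty reaches this */
#define PENALTY_MAX_SEC        600    /* accrual cap */
#define NETBLOCK_BITS          24     /* stands in for PerSourceNetBlockSize */
#define MAX_SOURCES            64

struct penalty_entry {
	uint32_t net;        /* masked host-order IPv4 address; 0 marks an unused slot */
	uint64_t expires_at; /* absolute time (seconds) at which the penalty runs out */
};

struct penalty_table {
	struct penalty_entry e[MAX_SOURCES];
};

static uint32_t
netblock_of(uint32_t addr)
{
	return addr & (~0u << (32 - NETBLOCK_BITS));   /* assumes 1 <= NETBLOCK_BITS <= 32 */
}

/* Constructed exempt list, standing in for PerSourcePenaltyExemptList. */
static const struct { uint32_t addr; int bits; } exempt_list[] = {
	{ 0x0a000000u, 8 },   /* 10.0.0.0/8 */
};

static bool
is_exempt(uint32_t addr)
{
	for (size_t i = 0; i < sizeof(exempt_list) / sizeof(exempt_list[0]); i++) {
		uint32_t mask = exempt_list[i].bits == 0 ? 0 : ~0u << (32 - exempt_list[i].bits);
		if ((addr & mask) == (exempt_list[i].addr & mask))
			return true;
	}
	return false;
}

static struct penalty_entry *
lookup(struct penalty_table *t, uint32_t net, bool create)
{
	struct penalty_entry *free_slot = NULL;
	for (int i = 0; i < MAX_SOURCES; i++) {
		if (t->e[i].net == net)
			return &t->e[i];
		if (t->e[i].net == 0 && free_slot == NULL)
			free_slot = &t->e[i];
	}
	if (!create || free_slot == NULL)
		return NULL;
	free_slot->net = net;
	free_slot->expires_at = 0;
	return free_slot;
}

/* Remaining penalty (seconds) for addr's netblock at time now; 0 if none. */
uint64_t
penalty_remaining(struct penalty_table *t, uint32_t addr, uint64_t now)
{
	struct penalty_entry *e = lookup(t, netblock_of(addr), false);
	if (e == NULL || e->expires_at <= now)
		return 0;
	return e->expires_at - now;
}

/* Record an offence: add the class duration to what is still outstanding,
 * so repeat offenders accrue more, capped at PENALTY_MAX_SEC. */
void
penalty_record(struct penalty_table *t, uint32_t addr, enum penalty_class c, uint64_t now)
{
	uint64_t add = (c == PEN_CRASH) ? PENALTY_CRASH_SEC : PENALTY_AUTHFAIL_SEC;
	if (is_exempt(addr))
		return;
	struct penalty_entry *e = lookup(t, netblock_of(addr), true);
	if (e == NULL)
		return;   /* table full; this toy model just drops the offence */
	uint64_t remaining = e->expires_at > now ? e->expires_at - now : 0;
	uint64_t total = remaining + add;
	if (total > PENALTY_MAX_SEC)
		total = PENALTY_MAX_SEC;
	e->expires_at = now + total;
}

/* Decision at accept time: a penalty below the minimum is remembered but
 * does not yet refuse; exempt sources are never refused. */
bool
penalty_should_refuse(struct penalty_table *t, uint32_t addr, uint64_t now)
{
	if (is_exempt(addr))
		return false;
	return penalty_remaining(t, addr, now) >= PENALTY_MIN_SEC;
}
```

Three failed authentications from one host push the whole /24 over the 15 s minimum, while a single failure does not; crashes accrue much faster and the cap prevents unbounded growth, so a long-lived blocklist entry cannot be manufactured against an innocent netblock.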
2024-06-01  be really strict with fds reserved for communication with the separate  (Damien Miller)
sshd-session process - reserve them early and fatal if we can't dup2(2) them later. The pre-split fallback to re-reading the configuration files is not possible, so sshd-session absolutely requires the fd the configuration is passed over to be in order. ok deraadt@
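Added example, not OpenSSH code: the descriptor-reservation pattern the message above describes, in C. A fixed fd number is claimed early by parking /dev/null on it, and the real pipe end is moved onto it with dup2(2) just before it is handed over; any failure is fatal rather than falling back, because the receiving side cannot recover the data by other means. The fd number 5, the function names and the constructed configuration blob are this example's own assumptions.

```c
/* Added example: reserve a fixed fd number early, place the real fd on it later. Not sshd's code. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CONFIG_PASS_FD 5   /* assumed: the fd number the child reads its config from */

static void
fatal_errno(const char *what)
{
	fprintf(stderr, "fatal: %s: %s\n", what, strerror(errno));
	exit(1);
}

/* Claim fd number n so nothing opened later (a socket, a log file) can land
 * on it. Returns 0 on success, -1 if n is already open. */
int
reserve_fd(int n)
{
	if (fcntl(n, F_GETFD) != -1 || errno != EBADF)
		return -1;   /* already in use: the caller's layout assumption is wrong */
	int devnull = open("/dev/null", O_RDWR);
	if (devnull == -1)
		fatal_errno("open /dev/null");
	if (devnull != n) {
		if (dup2(devnull, n) == -1)
			fatal_errno("dup2 reserve");
		close(devnull);
	}
	return 0;
}

/* Move src onto the reserved number. dup2 atomically replaces the
 * placeholder; failure is fatal because there is no fallback. */
void
place_fd(int src, int n)
{
	if (src == n)
		return;
	if (dup2(src, n) == -1)
		fatal_errno("dup2 place");
	close(src);
}

/* Demonstration: reserve n, create a pipe, put its read end on n, push a
 * constructed config blob through and read it back via the fixed number.
 * Returns the byte count read through fd n, or -1 if n was not free. */
ssize_t
demo_pass_config(int n, char *buf, size_t buflen)
{
	int p[2];
	const char config[] = "PerSourcePenalties yes\n";   /* constructed sample */
	if (reserve_fd(n) == -1)
		return -1;
	if (pipe(p) == -1)
		fatal_errno("pipe");
	place_fd(p[0], n);
	if (write(p[1], config, sizeof(config) - 1) != (ssize_t)(sizeof(config) - 1))
		fatal_errno("write");
	close(p[1]);
	ssize_t r = read(n, buf, buflen);
	close(n);
	return r;
}

int
main(void)
{
	char buf[64];
	ssize_t r = demo_pass_config(CONFIG_PASS_FD, buf, sizeof(buf) - 1);
	if (r < 0)
		return 1;
	buf[r] = '\0';
	printf("read %zd bytes via fd %d: %s", r, CONFIG_PASS_FD, buf);
	return 0;
}
```

In the real server the pipe's other end is written by the listener and the fixed number is what the exec'd sshd-session opens; the point of reserving it first is that an unrelated open() between startup and the dup2 can never take the number, so the only way the dup2 fails is a genuine error worth dying on.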
2024-05-31  warn when -r (deprecated option to disable re-exec) is passed  (Damien Miller)
2024-05-17  Start the process of splitting sshd into separate binaries. This step  (Damien Miller)
splits sshd into a listener and a session binary. More splits are planned. After this change, the listener binary will validate the configuration, load the hostkeys, listen on port 22 and manage MaxStartups only. All session handling will be performed by a new sshd-session binary that the listener fork+execs. This reduces the listener process to the minimum necessary and sets us up for future work on the sshd-session binary. feedback/ok markus@ deraadt@ NB. if you're updating via source, please restart sshd after installing, otherwise you run the risk of locking yourself out.
2024-01-08  remove ext-info-* in the kex.c code, not in callers; with/ok markus@  (Damien Miller)
2023-12-18  add "ext-info-in-auth@openssh.com" extension  (Damien Miller)
This adds another transport protocol extension to allow an sshd to send SSH2_MSG_EXT_INFO during user authentication, after the server has learned the username that is being logged in to. This lets sshd update the acceptable signature algorithms for public key authentication, and allows these to be varied via sshd_config(5) "Match" directives, which are evaluated after the server learns the username being authenticated. Full details in the PROTOCOL file
2023-03-08  Delete obsolete /* ARGSUSED */ lint comments.  (Philip Guenther)
ok miod@ millert@
2023-03-06  Refactor creation of KEX proposal.  (Darren Tucker)
This adds kex_proposal_populate_entries (and corresponding free) which populates the KEX proposal array with dynamically allocated strings. This replaces the previous mix of static and dynamic that has been the source of previous leaks and bugs. Remove unused compat functions. With & ok djm@.
2023-03-03  Check return values of dup2. Spotted by Coverity, ok djm@  (Darren Tucker)
2023-02-10  add a `sshd -G` option that parses and prints the effective  (Damien Miller)
configuration without attempting to load private keys and perform other checks. This allows usage of the option before keys have been generated. bz3460 feedback/ok dtucker@
2023-01-18  Add a -V (version) option to sshd like the ssh client has.  (Todd C. Miller)
OK markus@ deraadt@
2023-01-06  Implement channel inactivity timeouts  (Damien Miller)
This adds a sshd_config ChannelTimeouts directive that allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. Note: this only affects channels over an opened SSH connection and not the connection itself. Most clients close the connection when their channels go away, with a notable exception being ssh(1) in multiplexing mode. ok markus dtucker
2022-12-16  Clear signal mask early in main(); sshd may have been started with  (Damien Miller)
one or more signals masked (sigprocmask(2) is not cleared on fork/exec) and this could interfere with various things, e.g. the login grace timer. Execution environments that fail to clear the signal mask before running sshd are clearly broken, but apparently they do exist. Reported by Sreedhar Balasubramanian; ok dtucker@
2022-12-04  userspace: remove vestigial '?' cases from top-level getopt(3) loops  (Scott Soule Cheloha)
getopt(3) returns '?' when it encounters a flag not present in the optstring or if a flag is missing its option argument. We can handle this case with the "default" failure case with no loss of legibility. Hence, remove all the redundant "case '?':" lines. Prompted by dlg@. With help from dlg@ and millert@. Link: https://marc.info/?l=openbsd-tech&m=167011979726449&w=2 ok naddy@ millert@ dlg@
2022-10-28  refactor sshkey_private_serialize_opt()  (Damien Miller)
feedback/ok markus@
2022-09-17  Add RequiredRSASize for sshd(8); RSA keys that fall beneath this limit  (Damien Miller)
will be ignored for user and host-based authentication. Feedback deraadt@ ok markus@
2022-07-01  Remove extra line leftover from merge conflict. ok djm@  (Darren Tucker)
2022-07-01  Don't leak the strings allocated by order_hostkeyalgs() and  (Darren Tucker)
list_hostkey_types() that are passed to compat_pkalg_proposal(). Part of github PR#324 from ZoltanFridrich, ok djm@ This is a roll-forward of the previous rollback now that the required changes in compat.c have been done.
2022-06-24  Roll back previous KEX changes as they aren't safe until  (Darren Tucker)
compat_pkalg_proposal and friends always allocate their returned strings. Reported by Qualys.
2022-06-24  Don't leak the strings allocated by order_hostkeyalgs() and  (Darren Tucker)
list_hostkey_types() that are passed to compat_pkalg_proposal(). Part of github PR#324 from ZoltanFridrich, ok djm@
2022-06-17  Log an error if pipe() fails while accepting a connection. bz#3447, from  (Darren Tucker)
vincent-openssh at vinc17 net, ok djm@
2022-03-18  don't try to resolve ListenAddress directives in the sshd re-exec  (Damien Miller)
path - we're never going to use the result and if the operation fails then it can prevent connections from being accepted. Reported by Aaron Poffenberger; with / ok dtucker@
2022-03-01  pack pollfd array before server_accept_loop() ppoll() call,  (Damien Miller)
and terminate sshd if ppoll() returns errno==EINVAL. Avoids spin in ppoll when MaxStartups > RLIMIT_NOFILE; reported by Daniel Micay. feedback/ok deraadt
2022-02-01  Remove explicit kill of privsep preauth child's PID in SIGALRM handler.  (Darren Tucker)
It's no longer needed since the child will get terminated by the SIGTERM to the process group that cleans up any auth helpers, it simplifies the signal handler and removes the risk of a race when updating the PID. Based on analysis by HerrSpace in github PR#289, ok djm@
2021-11-18  fd leak in sshd listen loop error path; from Gleb Smirnoff  (Damien Miller)
2021-11-18  check for POLLHUP as well as POLLIN in sshd listen loop;  (Damien Miller)
ok deraadt millert
2021-11-17  set num_listen_socks to 0 on close-all instead of -1, which  (Damien Miller)
interferes with the new poll()-based listen loop; spotted and debugged by anton@+deraadt@
2021-11-14  use ppoll() instead of pselect()  (Theo de Raadt)
with djm
2021-07-19  Put dh_set_moduli_file call inside ifdef WITH_OPENSSL. Fixes build with  (Darren Tucker)
OPENSSL=no.
2021-07-02  Remove references to ChallengeResponseAuthentication in favour of  (Darren Tucker)
KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as deprecated alias so config files continue to work and a reference in the man page for people looking for it. Prompted by bz#3303 which pointed out the discrepancy between the two when used with Match. Man page help & ok jmc@, with & ok djm@
2021-06-10  Continue accept loop when pselect returns -1, eg if it was interrupted  (Darren Tucker)
by a signal. This should prevent the hang discovered by sthen@ wherein sshd receives a SIGHUP while it has an unauthenticated child and goes on to a blocking read on a notify_pipe. feedback deraadt@, ok djm@
2021-06-06  Match host certificates against host public keys, not private keys.  (Damien Miller)
Allows use of certificates with private keys held in a ssh-agent. Reported by Miles Zhou in bz3524; ok dtucker@
2021-06-04  Switch the listening select loop from select() to pselect() and  (Darren Tucker)
mask signals while checking signal flags, unmasking for pselect and restoring afterwards. Also restore signals before sighup_restart so they don't remain blocked after restart. This prevents a race where a SIGTERM or SIGHUP can arrive between checking the flag and calling select (eg if sshd is processing a new connection) resulting in sshd not shutting down until the next time it receives a new connection. bz#2158, with & ok djm@
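Added example, not OpenSSH code: a C skeleton of the listener loop shape that several of the entries on this page describe together: clearing any signal mask inherited across fork/exec at startup (2022-12-16), handlers that only set flags with the waitpid() loop run from the main loop instead of the SIGCHLD handler (2024-06-26), blocking the signals while the flags are checked and then waiting with the original mask so a signal cannot slip between the check and the wait (2021-06-04, 2021-11-14), packing inactive slots out of the pollfd array and treating EINVAL as fatal rather than spinning (2022-03-01), and continuing on EINTR (2021-06-10). The function names, the flag variables, the slot limit and the ppoll() timeout are this example's own assumptions.

```c
/* Added example: signal-safe listener loop skeleton. Not sshd's code. */
#define _GNU_SOURCE 1        /* glibc exposes ppoll(2) under this macro */
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#if defined(__linux__) && !defined(__USE_GNU)
/* Prototype for builds where _GNU_SOURCE was not in effect before the includes. */
int ppoll(struct pollfd *, nfds_t, const struct timespec *, const sigset_t *);
#endif

#define MAX_STARTUPS 8       /* assumed slot count for this example */

static volatile sig_atomic_t received_sigchld, received_sigterm, received_sighup;

/* Handlers do nothing but set a flag: async-signal-safe, no waitpid() here. */
static void on_sigchld(int s) { (void)s; received_sigchld = 1; }
static void on_sigterm(int s) { (void)s; received_sigterm = 1; }
static void on_sighup(int s)  { (void)s; received_sighup = 1; }

/* A blocked mask survives fork/exec; start from a clean one so timers such
 * as the login grace SIGALRM are actually delivered. */
void
clear_inherited_signal_mask(void)
{
	sigset_t empty;
	sigemptyset(&empty);
	sigprocmask(SIG_SETMASK, &empty, NULL);
}

void
install_handlers(void)
{
	struct sigaction sa;
	memset(&sa, 0, sizeof(sa));       /* no SA_RESTART: let ppoll() return EINTR */
	sigemptyset(&sa.sa_mask);
	sa.sa_handler = on_sigchld; sigaction(SIGCHLD, &sa, NULL);
	sa.sa_handler = on_sigterm; sigaction(SIGTERM, &sa, NULL);
	sa.sa_handler = on_sighup;  sigaction(SIGHUP, &sa, NULL);
}

/* Reap every exited child from the main loop, where the exit status can be
 * examined (this is where a penalty decision would be made). Returns count. */
int
reap_children(void)
{
	int reaped = 0, status;
	while (waitpid(-1, &status, WNOHANG) > 0)
		reaped++;
	return reaped;
}

/* Pack live descriptors (inactive slots are -1) into pfds; returns the count,
 * so nfds never exceeds what is actually open. */
nfds_t
pack_pollfds(const int *fds, size_t n, struct pollfd *pfds)
{
	nfds_t k = 0;
	for (size_t i = 0; i < n; i++) {
		if (fds[i] < 0)
			continue;
		pfds[k].fd = fds[i];
		pfds[k].events = POLLIN;      /* POLLHUP is reported regardless of events */
		pfds[k].revents = 0;
		k++;
	}
	return k;
}

/* One loop iteration. Returns -2 on shutdown request, 0 when a signal
 * interrupted the wait or nothing was ready, else ppoll()'s count. */
int
accept_loop_iteration(const int *fds, size_t n, int timeout_ms)
{
	struct pollfd pfds[MAX_STARTUPS];
	sigset_t blocked, saved;
	int r;

	sigemptyset(&blocked);
	sigaddset(&blocked, SIGCHLD); sigaddset(&blocked, SIGTERM); sigaddset(&blocked, SIGHUP);
	sigprocmask(SIG_BLOCK, &blocked, &saved);   /* flags cannot change while we look */

	if (received_sigterm) { sigprocmask(SIG_SETMASK, &saved, NULL); return -2; }
	if (received_sighup)  { received_sighup = 0; /* real sshd restores the mask, then re-execs */ }
	if (received_sigchld) { received_sigchld = 0; reap_children(); }

	nfds_t k = pack_pollfds(fds, n, pfds);
	struct timespec ts = { timeout_ms / 1000, (timeout_ms % 1000) * 1000000L };
	r = ppoll(pfds, k, &ts, &saved);            /* waits with the original (unblocked) mask */
	sigprocmask(SIG_SETMASK, &saved, NULL);

	if (r == -1 && errno == EINTR)
		return 0;                           /* a signal arrived: go round and check flags */
	if (r == -1 && errno == EINVAL) {
		perror("ppoll");                    /* e.g. nfds above RLIMIT_NOFILE: never retry */
		exit(1);
	}
	return r;
}
```

The block/check/ppoll ordering is the whole point: a SIGTERM that arrives after the flag check is delivered inside ppoll(), which returns EINTR, and the next iteration sees the flag; without the mask the signal could land between the check and the wait and be missed until the next connection.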
2021-05-07  don't sigdie() in signal handler in privsep child process;  (Damien Miller)
this can end up causing sandbox violations per bz3286; ok dtucker@
2021-04-03  highly polished whitespace, mostly fixing spaces-for-tab and bad  (Damien Miller)
indentation on continuation lines. Prompted by GHPR#185
2021-03-12  Add ModuliFile keyword to sshd_config to specify the location of the  (Darren Tucker)
"moduli" file containing the groups for DH-GEX. This will allow us to run tests against arbitrary moduli files without having to install them. ok djm@
2021-02-05  Remove debug message from sigchld handler. While this works on OpenBSD  (Darren Tucker)
it can cause problems on other platforms. From kircherlike at outlook.com via bz#3259, ok djm@
2021-01-27  make ssh->kex->session_id a sshbuf instead of u_char*/size_t and  (Damien Miller)
use that instead of global variables containing copies of it. feedback/ok markus@
2021-01-27  remove global variable used to stash compat flags and use the  (Damien Miller)
purpose-built ssh->compat variable instead; feedback/ok markus@
2021-01-09  Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide  (Darren Tucker)
more fine grained MaxStartups limits. Man page help jmc@, feedback & ok djm@
2020-12-29  Update/replace the experimental post-quantum hybrid key exchange  (Damien Miller)
method based on Streamlined NTRU Prime (coupled with X25519). The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761. The sntrup761 implementation, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html). Thanks to Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself (note that both the updated method and the one that it replaced are disabled by default)
2020-11-08  Replace WITH_OPENSSL ifdefs in log calls with a macro. The log calls  (Darren Tucker)
are themselves now macros, and preprocessor directives inside macro arguments are undefined behaviour which some compilers (eg old GCCs) choke on. It also makes the code tidier. ok deraadt@
2020-10-18  use the new variant log macros instead of prepending __func__ and  (Damien Miller)
appending ssh_err(r) manually; ok markus@